Simple Log Service provides the AI Log Insight application. You can assign the AliyunServiceRoleForSLSAILens service-linked role to AI Log Insight so that it has the permissions to access the resources of other cloud services. This topic describes the scenarios and policy of the AliyunServiceRoleForSLSAILens role.
Scenarios
When you use AI Log Insight to collect logs from AI cloud services, Simple Log Service calls the API operations of the cloud services to obtain the information about the cloud services within your account. During this process, Simple Log Service uses the AliyunServiceRoleForSLSAILens role to obtain the required permissions to read the resources of the AI cloud services and modify the log collection configurations. For more information, see Service-linked roles.
Policy
Role name: AliyunServiceRoleForSLSAILens
Policy name: AliyunServiceRolePolicyForSLSAILens
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "pai:GetWorkspace",
        "pai:ListWorkspaces"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:ListProject",
        "log:ListLogStores",
        "log:GetLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:GetIndex",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:ListDashboard",
        "log:CreateLogStore",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch"
      ],
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "ai-lens.log.aliyuncs.com"
        }
      }
    }
  ]
}
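When reviewing this role, it helps to separate what each statement lets the service read from what it lets the service change, and to see how each grant is scoped. The script below is an added example, not part of the original documentation; it parses the policy document above, and its read/write split assumes that operation names beginning with Get or List are read-only (a naming heuristic, not an official classification).

```python
import json

# Policy document copied from this page (AliyunServiceRolePolicyForSLSAILens).
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Action": ["pai:GetWorkspace", "pai:ListWorkspaces"], "Resource": "*", "Effect": "Allow"},
 {"Action": ["log:CreateProject", "log:GetProject", "log:ListProject", "log:ListLogStores",
             "log:GetLogStore", "log:CreateIndex", "log:UpdateIndex", "log:GetIndex",
             "log:CreateDashboard", "log:UpdateDashboard", "log:ListDashboard",
             "log:CreateLogStore", "log:CreateSavedSearch", "log:UpdateSavedSearch"],
  "Resource": "acs:log:*:*:project/*", "Effect": "Allow"},
 {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "ai-lens.log.aliyuncs.com"}}}
]}
""")

READ_PREFIXES = ("Get", "List")  # assumption: verb prefix marks a read-only operation


def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def summarize(policy):
    """Return one summary dict per Allow statement."""
    rows = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        mutating = sorted(a for a in actions
                          if not a.split(":", 1)[1].startswith(READ_PREFIXES))
        resources = as_list(stmt["Resource"])
        rows.append({
            "services": sorted({a.split(":", 1)[0] for a in actions}),
            "read_only": not mutating,
            "mutating": mutating,
            "resources": resources,
            # "*" with no Condition means the grant is not narrowed at all.
            "unscoped": "*" in resources and "Condition" not in stmt,
            "condition": stmt.get("Condition"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(POLICY):
        print(json.dumps(row, indent=2))
```

The summary shows that the PAI statement is read-only, that the Simple Log Service statement can create and update projects, Logstores, indexes, dashboards and saved searches in any project but contains no delete operations, and that the role-deletion grant is narrowed by the ram:ServiceName condition.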