Grant a RAM user permissions to operate CloudLens for SLS.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Overview
Grant CloudLens for SLS permissions to a RAM user using either of the following methods:
Add system policies: You can grant all permissions on Simple Log Service to the RAM user. You cannot modify the system policies. You do not need to configure parameters.
Add custom policies: You can create custom policies and attach the policies to the RAM user. This method allows you to perform fine-grained access control, but requires complex configurations.
System policy
-
Log on to the RAM console by using your Alibaba Cloud account or as a RAM administrator.
-
Grant the RAM user read-only permissions
AliyunLogReadOnlyAccessor management permissionsAliyunLogFullAccesson Simple Log Service. For more information, see Manage RAM user permissions.
Custom policy
Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.
-
Create a custom policy.
Grant read-only or read and write permissions on CloudLens for SLS to a RAM user.
Read-only permissions
The RAM user can only view CloudLens for SLS pages.
On the Create Policy page, click the JSON tab and replace the content with the following policy. For more information, see Using the script editor.
{ "Statement": [ { "Action": [ "log:GetLogStore", "log:ListLogStores", "log:GetIndex", "log:GetLogStoreHistogram", "log:GetLogStoreLogs", "log:GetDashboard", "log:ListDashboard", "log:ListSavedSearch", "log:GetProjectLogs" ], "Resource": [ "acs:log:*:*:project/*/logstore/*", "acs:log:*:*:project/*/dashboard/*", "acs:log:*:*:project/*/savedsearch/*" ], "Effect": "Allow" }, { "Action": "log:GetProductDataCollection", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" }, { "Action": [ "log:ListCollectionPolicies" ], "Resource": "acs:log::*:collectionpolicy/*", "Effect": "Allow" }, { "Action": "log:ListProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" } ], "Version": "1" }Read and write permissions
The RAM user can perform all CloudLens for SLS operations.
On the Create Policy page, click the JSON tab and replace the content with the following policy. For more information, see Using the script editor.
{ "Statement": [ { "Action": [ "log:GetLogStore", "log:ListLogStores", "log:GetIndex", "log:GetLogStoreHistogram", "log:GetLogStoreLogs", "log:GetDashboard", "log:ListDashboard", "log:ListSavedSearch", "log:CreateProject", "log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex", "log:ListLogStores", "log:GetLogStore", "log:GetLogStoreLogs", "log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard", "log:UpdateLogStore", "log:GetProjectLogs" ], "Resource": [ "acs:log:*:*:project/*/logstore/*", "acs:log:*:*:project/*/dashboard/*", "acs:log:*:*:project/*/savedsearch/*" ], "Effect": "Allow" }, { "Action": [ "log:GetProductDataCollection", "log:OpenProductDataCollection", "log:CloseProductDataCollection" ], "Resource": "acs:log:*:*:project/*", "Effect": "Allow" }, { "Action": "log:SetGeneralDataAccessConfig", "Resource": "acs:log:*:*:resource/sls.general_data_access.sls.global_conf.standard_channel/record", "Effect": "Allow" }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "audit.log.aliyuncs.com" } } }, { "Action": [ "log:ListCollectionPolicies", "log:UpsertCollectionPolicy", "log:DeleteCollectionPolicy" ], "Resource": "acs:log::*:collectionpolicy/*", "Effect": "Allow" }, { "Action": "log:ListProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" } ], "Version": "1" } -
Attach the custom policy to the RAM user. For more information, see Manage RAM user permissions.