Simple Log Service: Grant a RAM user the permissions to process data

Last Updated: Mar 13, 2026

If you want to use a RAM user to process data, grant the required access policy to the RAM user. This topic describes the authorization steps.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy. On the JSON tab of the Create Policy page, replace the existing script in the code editor with the following policy document. For more information, see Create a custom policy on the JSON tab.

    Important

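    Replace ProjectName and LogstoreName in the following content with the names of the Simple Log Service project and Logstore that you want to use for data processing. The read and write policy also contains the MetricStoreName placeholder; replace it with the name of the Metricstore that you want to use. For more information about how to view project and Logstore names, see Manage projects and Manage a Logstore.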

    Read-only permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "log:GetIngestProcessor",
                    "log:ListIngestProcessors"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/ingestprocessor/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:GetLogStore"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/logstore/LogstoreName"
            }
        ]
    }

    Read and write permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "log:PutIngestProcessor",
                    "log:GetIngestProcessor",
                    "log:ListIngestProcessors",
                    "log:DeleteIngestProcessor"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/ingestprocessor/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:UpdateLogStoreProcessor"
                ],
                "Resource": [
                    "acs:log:*:*:project/ProjectName/logstore/LogstoreName"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:UpdateMetricStoreProcessor"
                ],
                "Resource": [
                    "acs:log:*:*:project/ProjectName/metricstore/MetricStoreName"
                ]
            }
        ]
    }

  3. Attach the created custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
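
Before pasting a policy into the RAM console, a local check can catch placeholders that were not replaced and statements that are broader than the two policies above. The following Python sketch is an added example, not part of the Alibaba Cloud documentation; the function names and the sample project and Logstore names (demo-project, app-logs) are assumptions made for illustration.

```python
import json

# Placeholder names and actions taken from the policy documents on this page.
PLACEHOLDERS = ("ProjectName", "LogstoreName", "MetricStoreName")
READ_ACTIONS = {"log:GetIngestProcessor", "log:ListIngestProcessors", "log:GetLogStore"}
WRITE_ACTIONS = {"log:PutIngestProcessor", "log:DeleteIngestProcessor",
                 "log:UpdateLogStoreProcessor", "log:UpdateMetricStoreProcessor"}

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(text, read_only=False):
    """Return findings for a policy document given as a JSON string."""
    allowed = READ_ACTIONS if read_only else READ_ACTIONS | WRITE_ACTIONS
    findings = []
    for i, stmt in enumerate(json.loads(text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in allowed:
                findings.append(f"statement {i}: unexpected action {action}")
        for res in as_list(stmt.get("Resource", [])):
            # Expected shape: acs:log:<region>:<account>:project/<name>/<type>/<name>
            segs = res.split(":", 4)[-1].split("/")
            if res.count(":") < 4 or len(segs) < 2 or segs[0] != "project" or segs[1] == "*":
                findings.append(f"statement {i}: not scoped to one project: {res}")
            for name in PLACEHOLDERS:
                if name in segs:
                    findings.append(f"statement {i}: placeholder {name} left in {res}")
    return findings

# Constructed samples: a filled-in read-only policy and a careless variant.
GOOD = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["log:GetIngestProcessor", "log:ListIngestProcessors"],
   "Resource": "acs:log:*:*:project/demo-project/ingestprocessor/*"},
  {"Effect": "Allow", "Action": ["log:GetLogStore"],
   "Resource": "acs:log:*:*:project/demo-project/logstore/app-logs"}]}"""
BAD = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["log:GetIngestProcessor", "log:PutIngestProcessor"],
   "Resource": "acs:log:*:*:project/ProjectName/ingestprocessor/*"},
  {"Effect": "Allow", "Action": "log:*", "Resource": "acs:log:*:*:project/*/logstore/*"}]}"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_policy(doc, read_only=True) or "no findings")
```

Pass read_only=True when the RAM user should only view processors; write actions are then reported as unexpected.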

References

This topic describes the steps to create and use custom policies. Custom policies allow you to implement fine-grained access control, but you must maintain and manage their content. You can also grant system policies to a RAM identity. This eliminates the need to maintain and manage policy content, simplifying authorization. However, system policies grant broader permissions, which might pose security risks. For more information about the system policies supported by Simple Log Service, see System policies for Simple Log Service.