Grant a RAM user the permissions to process data

Updated at:
Copy as MD

To use a RAM user for data processing, you must grant the RAM user the required permissions. This topic describes how to authorize a RAM user by using a custom policy.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy. On the JSON tab of the Create Policy page, replace the existing script in the code editor with the following policy document. For more information, see Using the script editor.

    Important

    Replace ProjectName and LogstoreName in the following policy with the actual names of your Simple Log Service project and Logstore. To view project and Logstore names, see Manage projects and Manage a Logstore.

    Read-only permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "log:GetIngestProcessor",
                    "log:ListIngestProcessors"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/ingestprocessor/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:GetLogStore"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/logstore/LogstoreName"
            }
        ]
    }

    Read and write permissions

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "log:PutIngestProcessor",
                    "log:GetIngestProcessor",
                    "log:ListIngestProcessors",
                    "log:DeleteIngestProcessor"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/ingestprocessor/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:UpdateLogStoreProcessor"
                ],
                "Resource": [
                    "acs:log:*:*:project/ProjectName/logstore/LogstoreName"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:UpdateMetricStoreProcessor"
                ],
                "Resource": [
                    "acs:log:*:*:project/ProjectName/metricstore/MetricStoreName"
                ]
            }
        ]
    }
  3. Attach the created custom policy to the RAM user. For more information, see Manage RAM user permissions.

References

Custom policies provide fine-grained access control but require you to maintain the policy content. Alternatively, you can grant system policies to a RAM identity, which simplifies authorization but grants broader permissions that might pose security risks. For more information about the system policies supported by Simple Log Service, see System policies for Simple Log Service.