All Products
Search
Document Center

Simple Log Service:Configure permissions to write alerts to an Eventstore

Last Updated:Jun 03, 2026

To write alert information to an Eventstore, you need a role with the required permissions. You can use a default role or create a custom role.

When you configure an alert rule, set the destination to Eventstore, enable the switch, and authorize a role.

Default role authorization

If you select Authorization Method for Default Role:

  1. Click Authorize Now to open the authorization page and complete authorization as prompted.

    Authorize the AliyunLogETLRole role when prompted. After authorization, click Authorization complete, click Refresh.

  2. After authorization, click After authorization, click Refresh to refresh the page. to view the role information.

    In the role information, Authorization Method is Default Role, and Role ARN is acs:ram::{AccountID}:role/aliyunlogetlrole.

Custom role authorization

If you select Custom Role for Authorization Method, create a policy and a custom role, then attach the policy to the role.

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy. On the JSON tab of the Create Policy page, replace the existing script in the code editor with the following policy document. For more information, see Use the JSON editor.

    {
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "log:PostLogStoreLogs",
          "Resource": "*"
        }
      ]
    }
                
  3. Create a RAM role to be assumed by the Alibaba Cloud service. For more information, see Create a service RAM role.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  4. Attach the created custom policy to the RAM role. For more information, see Manage permissions for a RAM role.

Next steps

Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View the basic information of a RAM role. When you create an alert rule, select Authorization Method for Custom Role and enter the role ARN.