A Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service is used to authorize cross-service access in Alibaba Cloud. This topic describes how to create a RAM role whose trusted entity is an Alibaba Cloud service and grant the RAM role the permissions to access Simple Log Service.
Step 1: Create a RAM role
Create a RAM role whose Principal Type is Cloud Service and Principal Name is Simple Log Service.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, set Principal Type to Cloud Service, select an Alibaba Cloud service for the Principal Name parameter, and then click OK.
Note: Available Alibaba Cloud services for the Principal Name parameter are subject to the RAM console.
Step 2: Grant permissions to the RAM role
After a RAM role is created, the RAM role has no permissions. You can grant permissions to the RAM role. RAM provides the following system policies for Simple Log Service. We recommend that you grant only the required permissions to the RAM role based on the principle of least privilege.
AliyunLogFullAccess: This policy grants the permissions to manage all Simple Log Service resources.
AliyunLogReadOnlyAccess: This policy grants the read-only permissions on all Simple Log Service resources.
If system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create custom policies. For more information about sample policies, see Examples of using custom policies to grant permissions to a RAM user and Overview.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.
You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.
In the Grant Permission panel, select the required policy and click Grant permissions. In this example, the AliyunLogReadOnlyAccess policy is selected.
Click Close.
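The following added example (not part of the original documentation) reviews the two policy documents behind these steps: the role's trust policy from Step 1 and a permission policy from Step 2, checked against the least-privilege recommendation. The service principal `log.aliyuncs.com`, the action names, the project name `demo-project` and the function names are assumptions made for illustration; the sample documents are constructed.

```python
import json

# Constructed sample documents. The principal "log.aliyuncs.com", the action
# names and the project "demo-project" are assumptions, not values from the page.
TRUST_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"Service": ["log.aliyuncs.com"]}}]
}""")
BROAD_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "log:*", "Resource": "*"}]
}""")
SCOPED_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow",
                 "Action": ["log:GetLogStoreLogs", "log:ListLogStores"],
                 "Resource": "acs:log:*:*:project/demo-project/*"}]
}""")

def as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def check_trust(policy, expected_service):
    """Return findings if anything other than the expected service may assume the role."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for v in as_list(values):
                if kind != "Service" or v != expected_service:
                    findings.append(f"unexpected trusted principal {kind}:{v}")
    return findings

def check_permissions(policy):
    """Flag Allow statements that grant every action of a service or every resource."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action}")
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append("resource is '*'")
    return findings
```

An empty list from either function means the document passed that check; a custom policy such as `SCOPED_POLICY` passes, while `BROAD_POLICY` is flagged on both its action and its resource.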