After you create a RAM user and authorize the RAM user to access Simple Log Service, you can use the RAM user to manage your resources in Simple Log Service. This topic describes how to create a RAM user and authorize the RAM user to access Simple Log Service.
You may need to grant O&M staff the permissions to manage your Simple Log Service resources and grant other staff the permissions to access Simple Log Service resources based on your business requirements. In this case, you can create RAM users and grant required permissions to the RAM users. Then, the related staff such as the O&M staff can access Simple Log Service resources as RAM users. For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. For more information about RAM users, see Introduction.
Step 1: Create a RAM user
Log on to the Resource Access Management (RAM) console with an Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
(Optional) Tag: You can click the icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
Enable MFA: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.
If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.
Step 2: Grant permissions to the RAM user
By default, a RAM user has no permissions. After you create a RAM user, you must attach system policies or custom policies to the RAM user before the RAM user can perform related operations. Resource Access Management (RAM) provides the following two system policies for Simple Log Service:
AliyunLogFullAccess: the permissions to manage all Simple Log Service resources.
AliyunLogReadOnlyAccess: the read-only permissions on all Simple Log Service resources.
If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create a custom policy. For examples of policies, see Use custom policies to grant permissions to a RAM user and Overview.
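As an added example that is not part of this topic, the following custom policy keeps the read-only actions of AliyunLogReadOnlyAccess but limits them to one project and its Logstores, which is closer to the principle of least privilege than the system policy's access to all resources. The project name my-project and the account ID 123456789012 are placeholders.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:Get*",
        "log:List*"
      ],
      "Resource": [
        "acs:log:*:123456789012:project/my-project",
        "acs:log:*:123456789012:project/my-project/*"
      ]
    }
  ]
}
```

Replace the placeholders with your own account ID and project name, attach the policy to the RAM user as described for the system policy, and verify that the RAM user cannot list or read projects other than my-project.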
To attach the AliyunLogReadOnlyAccess policy to a RAM user, perform the following steps:
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user and click Add Permissions in the Actions column.
In the Add Permissions panel, select the AliyunLogReadOnlyAccess policy and click OK.
Confirm the authorization result and click Complete.