This topic explains how to grant a Resource Access Management (RAM) user access to Simple Log Service resources in your Alibaba Cloud account.
Background information
You own the projects, Logstores, collection configurations, and machine groups that you create, and you have full permissions on them by default. A newly created RAM user has no permissions on any resources in your Alibaba Cloud account. To grant a RAM user access, create an authorization policy in RAM and attach it to the user.
Before using RAM to authorize access to Simple Log Service resources, read Use a RAM role to access resources across Alibaba Cloud accounts and RAM overview.
If you do not need other users to access your Simple Log Service resources, skip this section.
RAM policies
The following policies control RAM user access to Simple Log Service resources. Choose the policy that matches the level of access you want to grant.
- AliyunLogFullAccess: grants full access to all Simple Log Service resources in the account.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "log:*",
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

- AliyunLogReadOnlyAccess: grants read-only access to all Simple Log Service resources in the account.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Get*",
              "log:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

- Upload data to a specified Logstore: grants permission to upload data to a specific Logstore using APIs and SDKs.

  Replace <your-project-name> and <your-logstore-name> with your actual project and Logstore names.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Post*",
              "log:BatchPost*"
            ],
            "Resource": ["acs:log:*:*:project/<your-project-name>/logstore/<your-logstore-name>"],
            "Effect": "Allow"
          }
        ]
      }

- Query data of a specified Logstore in the console: grants read-only access to a specific Logstore in the console, including querying logs, pulling logs, and viewing the Logstore list.

  Replace <your-project-name> and <your-logstore-name> with your actual project and Logstore names.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": ["log:List*"],
            "Resource": ["acs:log:*:*:project/<your-project-name>/*"],
            "Effect": "Allow"
          },
          {
            "Action": ["log:Get*"],
            "Resource": ["acs:log:*:*:project/<your-project-name>/logstore/<your-logstore-name>"],
            "Effect": "Allow"
          }
        ]
      }
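
To check before attaching a policy that it grants only what you intend, the following added example (not Alibaba Cloud code) evaluates the policies above against sample requests and lists grants that apply to every resource. It assumes a simplified model (wildcard matching on Action and Resource, explicit Deny wins, no Condition support); the project, Logstore, region, and account ID are constructed, and the concrete action names are sample values.

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # '*' matches any run of characters; every other character is literal.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def is_allowed(policy, action, resource):
    """Simplified model: explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(_match(a, action) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def broad_grants(policy):
    """List (action, resource) pairs that Allow on every resource in the account."""
    return [(a, r) for st in policy["Statement"] if st["Effect"] == "Allow"
            for a in _as_list(st["Action"]) for r in _as_list(st["Resource"]) if r == "*"]

# Constructed sample names, substituted into the page's placeholders.
LS = "project/app-prod/logstore/nginx-access"
UPLOAD = {"Version": "1", "Statement": [
    {"Action": ["log:Post*", "log:BatchPost*"], "Resource": ["acs:log:*:*:" + LS], "Effect": "Allow"}]}
QUERY = {"Version": "1", "Statement": [
    {"Action": ["log:List*"], "Resource": ["acs:log:*:*:project/app-prod/*"], "Effect": "Allow"},
    {"Action": ["log:Get*"], "Resource": ["acs:log:*:*:" + LS], "Effect": "Allow"}]}
READ_ONLY = {"Version": "1", "Statement": [
    {"Action": ["log:Get*", "log:List*"], "Resource": "*", "Effect": "Allow"}]}

ARN = "acs:log:cn-hangzhou:1234567890123456:"  # constructed region and account ID
TARGET = ARN + LS
OTHER = ARN + "project/app-prod/logstore/audit"  # constructed second Logstore

if __name__ == "__main__":
    print("upload policy, write to target:", is_allowed(UPLOAD, "log:PostLogStoreLogs", TARGET))
    print("upload policy, read from target:", is_allowed(UPLOAD, "log:GetLogStoreLogs", TARGET))
    print("query policy, read other Logstore:", is_allowed(QUERY, "log:GetLogStoreLogs", OTHER))
    print("read-only policy, account-wide grants:", broad_grants(READ_ONLY))
```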