This topic describes how to use custom policies to grant permissions to a RAM user.

Important
  • The Logstore resources referenced in a policy cover both Logstores and Metricstores, so the following policies also apply if you want to manage Metricstores.
  • To ensure data security, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. A RAM user can view projects in the project list only after you grant the user read-only permissions on the project list. For more information, see Attach system policies to a RAM user and Create a custom policy.

Grant permissions to a RAM user in the RAM console

  • The read-only permissions on projects
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on the projects that are specified by the Alibaba Cloud account
    Note If you grant a RAM user the read-only permissions on a project, the RAM user cannot view the logs in the project. You must also grant the read-only permissions on specific Logstores in the project.
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": ["log:ListProject"],
          "Resource": ["acs:log:*:*:project/*"],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on a specified Logstore and the permissions to create and manage saved searches
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*",
            "log:Create*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in a project
    For example, you want to use your Alibaba Cloud account to grant the following permissions to a RAM user:
    • The permissions to view the project list of the Alibaba Cloud account
    • The read-only permissions on a specified Logstore and the permissions to view all saved searches and dashboards in the project to which the Logstore belongs
    Use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListProject"
          ],
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/logstore/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/dashboard",
            "acs:log:*:*:project/<Project name>/dashboard/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/savedsearch",
            "acs:log:*:*:project/<Project name>/savedsearch/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Use API operations to grant permissions to a RAM user

  • The permissions to write data to a specified project
    To grant a RAM user only the permissions to write data to a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to write data to a specified Logstore
    To grant a RAM user only the permissions to write data to a specified Logstore, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:PostLogStoreLogs"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
          ]
        }
      ]
    }
  • The permissions to consume data from a specified project
    To grant a RAM user only the permissions to consume data from a specified project, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": "acs:log:*:*:project/<Project name>/*",
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to consume data from a specified Logstore
    To grant a RAM user only the permissions to consume data from a specified Logstore, use the following policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • The permissions to specify encryption configurations for a specified Logstore
    If you attach the following policy to a RAM user, the user must specify encryption configurations whenever the user creates or modifies a Logstore. If you do not attach the policy, the user is not required to specify encryption configurations when creating or modifying a Logstore.
    Note You can specify the exact names of projects or Logstores in the policy or use asterisks (*) to support fuzzy match.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:CreateLogStore",
            "log:UpdateLogStore"
          ],
          "Resource": [
            "acs:log:*:*:project/<Project name>/logstore/<Logstore name>",
            "acs:log:*:*:project/<Project name>/logstore/*"
          ],
          "Condition": {
            "Bool": {
              "log:Encrypted": "true"
            }
          }
        }
      ]
    }
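To check what a policy document actually permits before you attach it, the following added Python example (not part of this page or of an Alibaba Cloud SDK) simulates Allow-statement evaluation for the write-to-Logstore policy and the encryption-condition policy above, using simplified semantics that are an assumption: `*` in Action and Resource is treated as a glob, only the Bool condition on log:Encrypted is modelled, and Deny statements are not. The project my-project, the Logstore app-logs, and any region or account ID are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policies modelled on the two policies above;
# "my-project" and "app-logs" are placeholder names, not values from the page.
WRITE_LOGSTORE_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["log:PostLogStoreLogs"],
  "Resource": ["acs:log:*:*:project/my-project/logstore/app-logs"]}]}
""")

ENCRYPTION_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["log:CreateLogStore", "log:UpdateLogStore"],
  "Resource": ["acs:log:*:*:project/my-project/logstore/*"],
  "Condition": {"Bool": {"log:Encrypted": "true"}}}]}
""")


def _as_list(value):
    # Policies write single-element fields as either a string or a list.
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    # Assumed simplified semantics: only the Bool operator is supported, and a
    # key missing from the request context never satisfies the condition.
    for operator, clauses in condition.items():
        if operator != "Bool":
            return False
        for key, expected in clauses.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True when some Allow statement matches action, resource and condition.

    Unmatched requests are implicitly denied, so a missing log:Encrypted
    context value denies CreateLogStore under ENCRYPTION_POLICY.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False
```

The same function can be pointed at the console policies earlier on this page to confirm, for instance, that log:Create* is granted only on savedsearch resources and not on Logstores.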

References

For more information, see the following topics: