To access the resources of other cloud services by using a CloudLens application, you must assign the AliyunServiceRoleForSLSStorageLens service-linked role to the application. This topic describes the scenarios and policy of the AliyunServiceRoleForSLSStorageLens service-linked role.
Scenarios
When you collect the logs from specific storage services in a CloudLens application, Simple Log Service calls the API operations of the storage services to obtain the relevant information. To read resource data from the storage services and modify the log collection settings, Simple Log Service must assume the AliyunServiceRoleForSLSStorageLens service-linked role. For more information, see Service-linked roles.
Description
Role name: AliyunServiceRoleForSLSStorageLens
Policy attached to the role: AliyunServiceRolePolicyForSLSStorageLens
Policy document:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "nas:DescribeFileSystems"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateProject",
        "log:GetProject",
        "log:ListProject",
        "log:ListLogStores",
        "log:GetLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:GetIndex",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:ListDashboard",
        "log:CreateLogStore",
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch",
        "log:CreateLogtailPipelineConfig",
        "log:GetLogtailPipelineConfig",
        "log:ListLogtailPipelineConfig",
        "log:DeleteLogtailPipelineConfig",
        "log:UpdateLogtailPipelineConfig",
        "log:CreateMachineGroup",
        "log:RemoveConfigFromGroup",
        "log:ApplyConfigToGroup",
        "log:GetMachineGroup",
        "log:ListTagResources",
        "log:TagResources"
      ],
      "Resource": [
        "acs:log:*:*:project/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "storagelens.log.aliyuncs.com"
        }
      }
    }
  ]
}
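For a permission review of this role, the following added example (not part of the original topic and not Alibaba Cloud code) parses the policy document above, separates read-only from mutating actions per statement, and lists the mutating actions granted on a wildcard resource without a Condition. The Get/List/Describe prefix rule and the function names are assumptions made for illustration.

```python
import json

# Policy document copied from this page (AliyunServiceRolePolicyForSLSStorageLens).
POLICY = json.loads("""
{"Version": "1", "Statement": [
 {"Action": ["nas:DescribeFileSystems"], "Resource": "*", "Effect": "Allow"},
 {"Action": ["log:CreateProject", "log:GetProject", "log:ListProject", "log:ListLogStores",
   "log:GetLogStore", "log:CreateIndex", "log:UpdateIndex", "log:GetIndex",
   "log:CreateDashboard", "log:UpdateDashboard", "log:ListDashboard", "log:CreateLogStore",
   "log:CreateSavedSearch", "log:UpdateSavedSearch", "log:CreateLogtailPipelineConfig",
   "log:GetLogtailPipelineConfig", "log:ListLogtailPipelineConfig",
   "log:DeleteLogtailPipelineConfig", "log:UpdateLogtailPipelineConfig",
   "log:CreateMachineGroup", "log:RemoveConfigFromGroup", "log:ApplyConfigToGroup",
   "log:GetMachineGroup", "log:ListTagResources", "log:TagResources"],
  "Resource": ["acs:log:*:*:project/*"], "Effect": "Allow"},
 {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "storagelens.log.aliyuncs.com"}}}
]}
""")

# Assumption for this example: an action whose verb starts with one of these is read-only.
READ_PREFIXES = ("Get", "List", "Describe")

def as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def summarize(policy):
    """Per statement: resources, read vs. mutating actions, and whether a Condition applies."""
    rows = []
    for stmt in policy["Statement"]:
        actions = as_list(stmt["Action"])
        read = [a for a in actions if a.split(":", 1)[1].startswith(READ_PREFIXES)]
        rows.append({"resources": as_list(stmt["Resource"]), "read": read,
                     "mutating": [a for a in actions if a not in read],
                     "conditioned": "Condition" in stmt})
    return rows

def unconditioned_wildcard_writes(policy):
    """Mutating actions allowed on a wildcard resource with no Condition to narrow them."""
    found = []
    for row in summarize(policy):
        wildcard = any("*" in r for r in row["resources"])
        if wildcard and row["mutating"] and not row["conditioned"]:
            found.extend(row["mutating"])
    return found

if __name__ == "__main__":
    for row in summarize(POLICY):
        print(row["resources"], len(row["read"]), "read,", len(row["mutating"]), "mutating")
    print("review first:", unconditioned_wildcard_writes(POLICY))
```

For this policy the function returns only `log:` actions, all scoped to `acs:log:*:*:project/*`; the `ram:DeleteServiceLinkedRole` grant is excluded because its Condition limits it to `storagelens.log.aliyuncs.com`.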