A project policy is an authorization policy for projects in Simple Log Service. You can use a project policy to grant specified networks or IP addresses permissions to access Simple Log Service resources.
Background
By default, data can be written to a Simple Log Service (SLS) project from any IP address. When you write data to SLS using LoongCollector (formerly Logtail), data from unexpected sources may therefore also be written. A project policy lets you restrict the networks or IP address ranges from which data can be written. For example, suppose a stable production cluster A writes logs to Project A, and you have also configured automated O&M policies such as alerts for Project A. To prevent logs from test clusters or new clusters from being mistakenly written to Project A and interfering with daily O&M, you can use a project policy.
Usage notes
You can configure project policies only using a software development kit (SDK). This operation is not supported in the console.
You must understand authorization information, such as Action, Resource, and Condition. For more information, see Authorization information.
When you configure a project policy, if you set the principal to an anonymous account (*):
If the policy does not contain a Condition element, the project policy applies to all users except the project owner.
If the policy contains a Condition element, the project policy applies to all users, including the project owner.
Examples
This section provides an example of how to set a project policy using the Java SDK. For information about other languages, see SDK Overview.
Download the Java SDK package.
Create the src/main/java/com/aliyun/openservices/log/sample/ProjectPolicyDemo.java file.
Use the sample code for your scenario and modify the parameter values as described in the comments.
Allow access only from a specified VPC
Sample code:

```java
package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This example obtains the AccessKey ID and AccessKey secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    // Replace the value with the endpoint of the region where the Simple Log Service project resides.
    static String endPoint = "your-endpoint";
    // Replace the value with the name of the Simple Log Service project.
    static String projectName = "example-project";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Confirm that the project exists and the credentials can reach it before changing its policy.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny every log:* action on the project unless the request originates from the listed VPC.
        String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:*\"],\"Principal\": [\"*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Condition\": {\"StringNotEquals\": {\"acs:SourceVpc\": [\"vpc-t4nlw426y44rd3iq4****\"]}},\"Effect\":\"Deny\"}]}";
        client.setProjectPolicy(projectName, policyText);
        // Read the policy back and verify that it was stored exactly as written.
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
    }
}
```

Permission policy:

The following permission policy is used for `policyText` in the sample code. This policy allows only requests from the VPC whose ID is `vpc-t4nlw426y44rd3iq4****` to access the `example-project` project.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:*"
      ],
      "Principal": [
        "*"
      ],
      "Resource": "acs:log:*:*:project/example-project/*",
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      },
      "Effect": "Deny"
    }
  ]
}
```
Block access from specific IP addresses
Sample code:

```java
package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This example obtains the AccessKey ID and AccessKey secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    // Replace the value with the endpoint of the region where the Simple Log Service project resides.
    static String endPoint = "your-endpoint";
    // Replace the value with the name of the Simple Log Service project.
    static String projectName = "example-project";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Confirm that the project exists and the credentials can reach it before changing its policy.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny all actions on the project when the request comes from one of the listed source IP addresses.
        String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"*\"],\"Principal\": [\"*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Condition\": {\"IpAddress\":{\"acs:SourceIp\":[\"192.168.0.0\",\"172.16.215.218\"]}},\"Effect\":\"Deny\"}]}";
        client.setProjectPolicy(projectName, policyText);
        // Read the policy back and verify that it was stored exactly as written.
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
    }
}
```

Permission policy:

The following permission policy denies access to the `example-project` project from the IP addresses `192.168.0.0` and `172.16.215.218`.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "*"
      ],
      "Principal": [
        "*"
      ],
      "Resource": "acs:log:*:*:project/example-project/*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.168.0.0",
            "172.16.215.218"
          ]
        }
      }
    }
  ]
}
```
Block writes from the Internet
Sample code:

```java
package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This example obtains the AccessKey ID and AccessKey secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    // Replace the value with the endpoint of the region where the Simple Log Service project resides.
    static String endPoint = "your-endpoint";
    // Replace the value with the name of the Simple Log Service project.
    static String projectName = "example-project";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Confirm that the project exists and the credentials can reach it before changing its policy.
        try {
            client.GetProject(projectName);
        } catch (LogException e) {
            Assert.fail("should not fail : " + e.GetErrorCode());
        }
        // Deny log writes (log:PostLogStoreLogs) unless the request carries a VPC source ID, i.e. block writes from the Internet.
        String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:PostLogStoreLogs\"],\"Principal\": [\"*\"],\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\",\"Condition\":{\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}},\"Effect\":\"Deny\"}]}";
        client.setProjectPolicy(projectName, policyText);
        // Read the policy back and verify that it was stored exactly as written.
        Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
    }
}
```

Permission policy:

The following permission policy denies requests to write logs to the `example-project` project over the Internet.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Principal": [
        "*"
      ],
      "Resource": "acs:log:*:*:project/example-project/*",
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        }
      }
    }
  ]
}
```
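The three policies above differ only in their Condition blocks, and the usage notes describe how an anonymous principal (`*`) interacts with the project owner. The following is an added example, not code from this page or from the SLS SDK: a small Python evaluator that applies a project policy to a simulated request context, so the deny/allow outcome of each policy can be checked offline before it is pushed with `setProjectPolicy`. The policies are re-typed from this page; the request contexts, the account ID and logstore name in the resource string, the `is_owner` flag, the `DENY_ALL_NO_CONDITION` policy, and the assumption that a request lacking an `acs:SourceVpc` key satisfies `StringNotEquals` and `StringNotLike` are all constructed for the example.

```python
import fnmatch
import ipaddress
import json

def _wild(pattern, value):
    """Glob match for Action, Resource and StringLike values ('*' spans '/' too)."""
    return fnmatch.fnmatchcase(value, pattern)

def _ip_match(values, actual):
    """IpAddress operator: the caller's address falls inside any listed IP or CIDR."""
    addr = ipaddress.ip_address(actual)
    return any(addr in ipaddress.ip_network(v, strict=False) for v in values)

# operator name -> (negated?, positive test); the page's policies use three of these
_OPERATORS = {
    "StringEquals": (False, lambda vals, a: a in vals),
    "StringNotEquals": (True, lambda vals, a: a in vals),
    "StringLike": (False, lambda vals, a: any(_wild(p, a) for p in vals)),
    "StringNotLike": (True, lambda vals, a: any(_wild(p, a) for p in vals)),
    "IpAddress": (False, _ip_match),
    "NotIpAddress": (True, _ip_match),
}

def _condition_holds(condition, context):
    """All operators and keys must hold (AND); the values under one key are OR-ed.
    Assumption: a key absent from the request context makes a positive operator
    false and a negated one true (a request with no acs:SourceVpc satisfies
    StringNotLike vpc-*, which is what the Internet-blocking policy relies on)."""
    for op_name, keys in condition.items():
        negated, test = _OPERATORS[op_name]
        for key, values in keys.items():
            values = [values] if isinstance(values, str) else values
            positive = key in context and test(values, context[key])
            if positive == negated:  # positive operator failed, or negated one matched
                return False
    return True

def _as_list(x):
    return [x] if isinstance(x, str) else list(x)

def evaluate(policy_text, request):
    """Return 'Deny' if a Deny statement matches the request, else 'Allow' (meaning the
    project policy does not block it; RAM policies still apply on top)."""
    for stmt in json.loads(policy_text).get("Statement", []):
        principals = _as_list(stmt.get("Principal", []))
        anonymous = "*" in principals
        has_condition = bool(stmt.get("Condition"))
        # Usage-note rule: an anonymous principal without a Condition does not apply
        # to the project owner; with a Condition it applies to the owner as well.
        if request.get("is_owner") and anonymous and not has_condition:
            continue
        if not (anonymous or request.get("principal") in principals):
            continue
        if not any(_wild(a, request["action"]) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, request["resource"]) for r in _as_list(stmt["Resource"])):
            continue
        if has_condition and not _condition_holds(stmt["Condition"], request):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
    return "Allow"

def _deny_policy(actions, condition=None):
    """Build a one-statement Deny policy in the shape the page uses."""
    stmt = {"Action": actions, "Principal": ["*"],
            "Resource": "acs:log:*:*:project/example-project/*", "Effect": "Deny"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "1", "Statement": [stmt]})

# The page's three policies, re-typed, plus a constructed no-Condition policy.
VPC_ONLY = _deny_policy(["log:*"], {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}})
BLOCK_IPS = _deny_policy(["*"], {"IpAddress": {"acs:SourceIp": ["192.168.0.0", "172.16.215.218"]}})
NO_INTERNET_WRITES = _deny_policy(["log:PostLogStoreLogs"], {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]}})
DENY_ALL_NO_CONDITION = _deny_policy(["log:*"])

# Constructed request contexts; the account ID and logstore name are placeholders.
_RES = "acs:log:cn-hangzhou:1234567890123456:project/example-project/logstore/app"
_WRITE = {"action": "log:PostLogStoreLogs", "resource": _RES}
_READ = {"action": "log:GetLogs", "resource": _RES}

def demo():
    """Evaluate representative requests against each policy; returns name -> effect."""
    return {
        "vpc_only/inside_vpc": evaluate(VPC_ONLY, {**_WRITE, "acs:SourceVpc": "vpc-t4nlw426y44rd3iq4****", "acs:SourceIp": "10.0.0.5"}),
        "vpc_only/other_vpc": evaluate(VPC_ONLY, {**_WRITE, "acs:SourceVpc": "vpc-other", "acs:SourceIp": "10.0.0.5"}),
        "vpc_only/internet": evaluate(VPC_ONLY, {**_WRITE, "acs:SourceIp": "203.0.113.7"}),
        # Because the statement has a Condition it binds the owner too: an owner outside the VPC is locked out.
        "vpc_only/owner_outside_vpc": evaluate(VPC_ONLY, {**_WRITE, "is_owner": True, "acs:SourceIp": "203.0.113.7"}),
        "block_ips/listed": evaluate(BLOCK_IPS, {**_READ, "acs:SourceIp": "172.16.215.218"}),
        "block_ips/unlisted": evaluate(BLOCK_IPS, {**_READ, "acs:SourceIp": "172.16.215.219"}),
        "no_internet_writes/internet_write": evaluate(NO_INTERNET_WRITES, {**_WRITE, "acs:SourceIp": "203.0.113.7"}),
        "no_internet_writes/internet_read": evaluate(NO_INTERNET_WRITES, {**_READ, "acs:SourceIp": "203.0.113.7"}),
        "no_internet_writes/vpc_write": evaluate(NO_INTERNET_WRITES, {**_WRITE, "acs:SourceVpc": "vpc-abc", "acs:SourceIp": "10.0.0.5"}),
        "deny_all_no_condition/owner": evaluate(DENY_ALL_NO_CONDITION, {**_WRITE, "is_owner": True}),
        "deny_all_no_condition/other": evaluate(DENY_ALL_NO_CONDITION, _WRITE),
    }
```

Run `demo()` to see each outcome. Two results are worth noting: the VPC-only policy carries a Condition, so it also denies the project owner when the owner's request does not come from the listed VPC, exactly as the usage notes state; and the Internet-blocking policy leaves reads untouched because its Action list names only `log:PostLogStoreLogs`.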
Delete a project policy
If you no longer need access control, you can delete the project policy.
```java
package com.aliyun.openservices.log.sample;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.exception.LogException;
import org.junit.Assert;

public class ProjectPolicyDemo {
    // This example obtains the AccessKey ID and AccessKey secret from environment variables.
    static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    // Replace the value with the endpoint of the region where the Simple Log Service project resides.
    static String endPoint = "your-endpoint";
    // Replace the value with the name of the Simple Log Service project.
    static String projectName = "example-project";
    static Client client = new Client(endPoint, accessKeyId, accessKey);

    public static void main(String[] args) throws LogException {
        // Remove the project policy, then verify that the project no longer has one.
        client.deleteProjectPolicy(projectName);
        Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
    }
}
```