Grant a RAM user the permissions to perform operations on Log Audit Service - Simple Log Service

This topic describes how to grant a Resource Access Management (RAM) user the permissions to perform operations on Log Audit Service.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant a RAM user the permissions to perform operations on Log Audit Service in one of the following modes:

Simple mode: You can grant all permissions on Simple Log Service to the RAM user. You do not need to configure parameters.
Custom mode: You can create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, the configurations in this mode are complex.

Simple mode

Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogFullAccess and AliyunRAMFullAccess policies to the RAM user. This way, the RAM user has all permissions on Simple Log Service. For more information, see Grant permissions to a RAM user.

Custom mode

Log on to the RAM console.

Create a policy.

In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab, replace the existing script in the code editor with one of the following scripts, and then click Next to edit policy information.

You can grant the read-only permissions or read and write permissions on Log Audit Service to the RAM user.

Read-only permissions: Use the following script to authorize the RAM user only to view each page of Log Audit Service.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:GetApp"
            ],
            "Resource": [
                "acs:log:*:*:app/audit"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:Get*",
                "log:List*"
            ],
            "Resource": [
                "acs:log:*:*:project/slsaudit-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:GetProductDataCollection"
            ],
            "Resource": "acs:config:*:*:*"
        }
    ]
}

Read and write permissions: Use the following script to authorize the RAM user to perform all operations that are supported by Log Audit Service. For example, the RAM user can be authorized to modify global configurations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:GetApp",
                "log:CreateApp"
            ],
            "Resource": [
                "acs:log:*:*:app/audit"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:Get*",
                "log:List*",
                "log:CreateJob",
                "log:UpdateJob",
                "log:CreateProject"
            ],
            "Resource": [
                "acs:log:*:*:project/slsaudit-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:GetProductDataCollection",
                "log:OpenProductDataCollection"
            ],
            "Resource": "acs:config:*:*:*"
        }
    ]
}

Configure the Name parameter and click OK.
In this example, set the policy name to log-slsaudit-policy.

Attach the policy to the RAM user.
1. In the left-side navigation pane, choose Identities > Users.
2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
3. In the Select Policy section of the Add Permissions panel, click Custom Policy. Then, select the policy that you created in Step 2 and click OK.
4. Verify that the policy is attached to the RAM user and click Complete.