This topic describes how to grant a RAM user the permissions on the Tracing Analysis feature by attaching a custom policy to the RAM user.
Prerequisites
- You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.
- Make sure that the following system policies are not attached to the RAM user: AliyunTracingAnalysisFull-Access and AliyunTracingAnalysisReadOnlyAccess policies. Important If you attach a system policy of Tracing Analysis to a RAM user, you cannot attach a custom policy to the RAM user at the same time.
Background information
The system policies provided by Tracing Analysis are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control. For example, if you need to grant the permissions on a specific application to a RAM user, you must create a custom policy.
Step 1: Create a custom policy
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab. Configure a permission policy in the editor. For more information, see Policy elements.
- Example: Create a custom policy that grants the read-only permissions on all applications in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Action": "xtrace:ReadXtraceApp", "Resource": "acs:xtrace:cn-hangzhou:*:xtrace/*", "Effect": "Allow" }, { "Action": "xtrace:Describe*", "Resource": "*", "Effect": "Allow" } ] } - Example: Create a custom policy that grants the read-only permissions on the applications whose names start with demo in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Action": "xtrace:ReadXtraceApp", "Resource": "acs:xtrace:cn-hangzhou:*:xtrace/demo*", "Effect": "Allow" }, { "Action": "xtrace:Describe*", "Resource": "*", "Effect": "Allow" } ] }
- Example: Create a custom policy that grants the read-only permissions on all applications in the China (Hangzhou) region.
- Click Next to edit policy information.
- Specify the Name and Description fields.
- Click OK.
Step 2: Attach the custom policy to a RAM user
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
- Click OK.
- Click Complete.
Policy elements
Effect
Specifies whether a statement result is an explicit allow or an explicit deny. Valid values: Allow and Deny.
Action
| Action | Permission |
|---|---|
| xtrace:Describe | The coarse-grained read-only permissions of Tracing Analysis and coarse-grained read permissions. Only the RAM users with this permission can log on to the Tracing Analysis console. |
| xtrace:ReadXtraceApp | The read-only permissions of Tracing Analysis. You can use this permission to view information such as the applications, application details, and details of API calls. You can also use this permission to control RAM permissions on applications and regions. |
| xtrace:SaveXtraceAppConfig | The permissions to save application configurations of Tracing Analysis. |
| xtrace:DeleteXtraceApp | The permissions to delete applications from Tracing Analysis. |
Resources
Specifies the resources on which the policy takes effect.
Sample statement:
"Resource": [
"acs:xtrace:<regionid>:*:xtrace/<appname>"
]- Replace
<regionid>with the specified region ID. If you want to grant the permissions on resources in all regions, replace <regionid> with*. - Replace
<appname>with the specified application name. If you want to grant permissions on all applications, replace <appname> with*. If you want to specify applications that have the same name prefix, replace <appname> withName prefix*. Example:k8s*.