Untuk mengakses sumber daya dari layanan cloud lain menggunakan Simple Log Service, seperti Log Audit Service atau EBS Lens, Anda dapat menetapkan peran terkait layanan AliyunServiceRoleForSLSAudit kepada aplikasi tersebut. Topik ini menjelaskan skenario dan kebijakan terkait peran AliyunServiceRoleForSLSAudit.
Skenario
Ketika mengumpulkan log dari layanan cloud tertentu dalam Simple Log Service, seperti Log Audit Service atau EBS Lens, Simple Log Service memanggil operasi API layanan cloud untuk mendapatkan informasi terkait. Untuk mengumpulkan informasi yang diperlukan, Simple Log Service harus mengasumsikan peran terkait layanan AliyunServiceRoleForSLSAudit guna mendapatkan izin membaca data sumber daya dari layanan cloud dan mengubah pengaturan pengumpulan log. Untuk detail lebih lanjut, lihat Peran Terkait Layanan.
Deskripsi
Ketika mengaktifkan Simple Log Service, peran terkait layanan bernama AliyunServiceRoleForSLSAlert akan dibuat secara otomatis.
Nama Peran: AliyunServiceRoleForSLSAudit.
Kebijakan yang Dilampirkan pada Peran: AliyunServiceRolePolicyForSLSAudit.
Dokumen Kebijakan:
{ "Version": "1", "Statement": [ { "Action": [ "resourcemanager:ListAccounts", "resourcemanager:GetAccount", "resourcemanager:GetResourceDirectory", "resourcemanager:GetFolder", "resourcemanager:ListFoldersForParent", "resourcemanager:ListAccountsForParent", "rds:DescribeRegions", "rds:DescribeSqlLogInstances", "rds:DescribeDBInstanceAttribute", "rds:ListTagResources", "rds:DisableSqlLogDistribution", "rds:EnableSqlLogDistribution", "rds:ModifySQLCollectorPolicy", "rds:DescribeSQLCollectorRetention", "polardb:DescribeRegions", "polardb:DescribeDBClusters", "polardb:DescribeSqlLogClusters", "polardb:ModifyDBClusterAuditLogCollector", "polardb:DescribeDBClusterAttribute", "polardb:DescribeSQLExplorerRetention", "kvstore:DescribeRegions", "kvstore:DescribeInstances", "kvstore:DescribeRedisLogConfig", "kvstore:ModifyAuditLogConfig", "kvstore:DescribeInstanceAttribute", "kvstore:DescribeEngineVersion", "kvstore:InitializeKvstorePermission", "drds:DescribeDrdsInstances", "drds:DescribeDrdsDBs", "drds:EnableSqlAuditExtraWrite", "drds:DisableSqlAuditExtraWrite", "drds:DescribeDrdsRegions", "drds:DescribeDrdsSqlAuditStatus", "slb:DescribeRegions", "slb:DescribeLoadBalancers", "slb:DescribeLoadBalancerAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DeleteAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute", "slb:ListTagResources", "alb:DescribeRegions", "alb:ListLoadBalancers", "alb:EnableLoadBalancerAccessLog", "alb:DisableLoadBalancerAccessLog", "alb:GetLoadBalancerAttribute", "cs:GetClustersByUid", "cs:GetClusters", "kms:DescribeKeyStores", "oss:GetBucketInfo", "oss:ListBuckets", "oss:GetBucketTagging", "oss:GetBucketWorm", "oss:GetBucketLifecycle", "oss:GetBucketReferer", "ecs:DescribeDisks", "ecs:DescribeSnapshots", "ecs:DescribeRegions", "ecs:DescribeInstances", "mse:GetGateway", "cen:ListTransitRouters", "cen:ListTransitRouterPeerAttachments", "cen:ListTransitRouterVbrAttachments", "vpc:DescribeVpcs", "vpc:GetNatGatewayAttribute", "vpc:DescribeNatGateways", "vpc:DescribeRegions", "hbase:DescribeInstance", "lindorm:GetLindormInstance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "oos:StartExecution", "oos:ListExecutions" ], "Resource": [ "acs:oos:*:*:template/ACS-LOG-BulkyInstallLogtail", "acs:oos:*:*:execution/*" ], "Effect": "Allow" }, { "Action": [ "ecs:InvokeCommand", "ecs:DescribeInvocations", "ecs:DescribeInvocationResults", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/cmd-ACS-LOG-InstallLogtail-*" ], "Effect": "Allow" }, { "Action": [ "log:CreateProject", "log:GetProject", "log:ListProject", "log:ListLogStores", "log:GetLogStore", "log:GetLogStoreLogs", "log:PostLogStoreLogs", "log:BatchPostLogStoreLogs", "log:CreateIndex", "log:UpdateIndex", "log:CreateDashboard", "log:UpdateDashboard", "log:CreateLogStore", "log:CreateSavedSearch", "log:UpdateSavedSearch", "log:CreateJob", "log:UpdateJob", "log:ListShards", "log:GetCursorOrData", "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat", "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup", "log:CreateConsumerGroup", "log:GetLogging", "log:CreateLogging", "log:UpdateLogging", "log:DeleteLogging", "log:PostProjectQuery", "log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery", "log:GetMachineGroup", "log:ListMachineGroup" ], "Resource": [ "acs:log:*:*:project/*" ], "Effect": "Allow" }, { "Action": [ "log:GetApp", "log:UpdateApp", "log:CreateApp" ], "Resource": [ "acs:log:*:*:app/audit" ], "Effect": "Allow" }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": [ "r-kvstore.aliyuncs.com", "logdelivery.alb.aliyuncs.com" ] } } }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "audit.log.aliyuncs.com" } } } ] }