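To use a RAM user to operate the new version of the Log Audit Service, you must grant the RAM user the required permission policies. This topic describes the authorization procedure.
Procedure
Log on to the RAM console with your Alibaba Cloud account (root account) or as a RAM administrator.
Create a custom policy. On the script editor tab, replace the existing content of the configuration box with the following script. For details, see Create a custom policy in script editor mode.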
Read-only permissions
{
  "Statement": [
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:ListTagResources",
        "log:ListMachineGroup",
        "log:GetAppliedMachineGroups",
        "log:GetLogtailPipelineConfig",
        "log:ListConfig",
        "log:ListMachines",
        "log:GetProjectLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/machinegroup/*",
        "acs:log:*:*:project/*/logtailconfig/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListCollectionPolicies",
        "log:GetCollectionPolicy"
      ],
      "Resource": "acs:log::*:collectionpolicy/*",
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetResource",
        "log:ListResources",
        "log:GetResourceRecord",
        "log:ListResourceRecords"
      ],
      "Resource": "acs:log:*:*:resource/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetJob",
        "log:ListJobs"
      ],
      "Resource": "acs:log:*:*:project/*/job/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Read/write permissions
{
  "Statement": [
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:CreateProject",
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:ListLogStores",
        "log:GetLogStore",
        "log:GetLogStoreLogs",
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard",
        "log:UpdateLogStore",
        "log:GetProjectLogs",
        "log:ListTagResources",
        "log:TagResources",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:GetAppliedMachineGroups",
        "log:ListConfig",
        "log:CreateLogtailPipelineConfig",
        "log:UpdateLogtailPipelineConfig",
        "log:GetLogtailPipelineConfig",
        "log:DeleteLogtailPipelineConfig"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/machinegroup/*",
        "acs:log:*:*:project/*/logtailconfig/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListCollectionPolicies",
        "log:GetCollectionPolicy",
        "log:UpsertCollectionPolicy",
        "log:DeleteCollectionPolicy"
      ],
      "Resource": "acs:log::*:collectionpolicy/*",
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": "acs:log:*:*:resource/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": "acs:log:*:*:project/*/job/*"
    }
  ],
  "Version": "1"
}
Attach the custom policy that you created to the RAM user. For details, see Grant permissions to a RAM user.
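As an added example (not part of the original documentation), the following Python check can be run on a policy script before it is attached to a RAM user: it lists every allowed action that is a wildcard or is not a Get/List read, so the read-only script should return no findings and the read/write script shows where log:* is granted. The function names and the Get/List prefix rule are assumptions of this example, and the two sample policies are constructed excerpts of the scripts above.

```python
import json

# Assumption of this example: read-only SLS actions are named Get* or List*.
READ_PREFIXES = ("Get", "List")

# Constructed excerpts of the read-only and read/write policies on this page.
READ_ONLY_SAMPLE = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["log:ListCollectionPolicies", "log:GetCollectionPolicy"],
   "Resource": "acs:log::*:collectionpolicy/*"},
  {"Effect": "Allow", "Action": "log:ListProject", "Resource": "acs:log:*:*:project/*"}]}"""
READ_WRITE_SAMPLE = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["log:GetCollectionPolicy", "log:UpsertCollectionPolicy",
                                 "log:DeleteCollectionPolicy"],
   "Resource": "acs:log::*:collectionpolicy/*"},
  {"Effect": "Allow", "Action": "log:*", "Resource": "acs:log:*:*:resource/*"}]}"""


def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy_text):
    """Return (statement index, finding) for every Allow that is not a plain read."""
    findings = []
    for index, stmt in enumerate(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant permissions
        resources = ", ".join(as_list(stmt["Resource"]))
        for action in as_list(stmt["Action"]):
            name = action.partition(":")[2]  # text after the "log:" service prefix
            if "*" in action:
                findings.append((index, f"wildcard action {action} on {resources}"))
            elif not name.startswith(READ_PREFIXES):
                findings.append((index, f"write action {action} on {resources}"))
    return findings


if __name__ == "__main__":
    for label, text in (("read-only", READ_ONLY_SAMPLE), ("read/write", READ_WRITE_SAMPLE)):
        print(label, audit_policy(text) or "no write or wildcard actions")
```

Running it against the full read/write script gives a review list of every action that can change or delete audit configuration, which is the set to narrow if a RAM user only needs part of it.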
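Related documents
After a user creates a rule with Log Audit, Log Audit automatically creates the service-linked role AliyunServiceRoleForSLSAudit in the current account and in member accounts (once Resource Directory is enabled). The role is mainly used to read data from certain cloud products.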