全部产品
Search
文档中心

日志服务:授予RAM用户操作权限

更新时间:Mar 12, 2024

本文介绍如何授予阿里云RAM用户操作CloudLens for RDS的权限。

前提条件

已创建RAM用户。具体操作,请参见创建RAM用户

背景信息

您可以通过如下两种方式给RAM用户授予CloudLens for RDS的操作权限。

  • 系统权限策略:权限范围较大,用户无法修改系统权限策略的内容,但配置步骤简单。

  • 自定义权限策略:权限范围更精细,用户可以修改自定义权限策略的内容,配置步骤比系统权限策略更复杂。

极简授权

使用阿里云账号登录RAM控制台,为RAM用户授予全部管理权限(AliyunLogFullAccess、AliyunRAMFullAccess)。具体操作,请参见为RAM用户授权

自定义权限策略

  1. 使用阿里云账号登录RAM控制台

  2. 创建权限策略。

    1. 在左侧导航栏中,选择权限管理 > 权限策略

    2. 单击创建权限策略

    3. 创建权限策略页面的脚本编辑页签中,将配置框中的原有脚本替换为如下内容,然后单击继续编辑基本信息

      您可以授予RAM用户使用RDS Lens的只读权限或读写权限,具体权限策略说明如下:

      • 只读权限(只允许查看CloudLens for RDS中的各个页面。)

        {
            "Statement": [
               {
                    "Action": [
                        "rds:DescribeSqlLogInstances"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "log:GetProductDataCollection",
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:rds:*:*:dbinstance/*"
                    ],
                    "Effect": "Allow"
                }
            ],
            "Version": "1"
        }
      • 读写权限(允许操作CloudLens for RDS中的各个功能。)

        {
            "Statement": [
                {
                    "Action": [
                        "rds:DescribeSqlLogInstances",
                        "rds:DisableSqlLogDistribution",
                        "rds:EnableSqlLogDistribution",
                        "rds:ModifySQLCollectorPolicy"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:CreateProject",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:ListLogStores",
                        "log:GetLogStore",
                        "log:GetLogStoreLogs",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard",
                        "log:UpdateLogStore",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:GetProductDataCollection",
                        "log:OpenProductDataCollection",
                        "log:CloseProductDataCollection"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:rds:*:*:dbinstance/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:SetGeneralDataAccessConfig"
                    ],
                    "Resource": [
                        "acs:log:*:*:resource/sls.general_data_access.rds.global_conf.*/record"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:CreateServiceLinkedRole",
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "ram:ServiceName": "audit.log.aliyuncs.com",
                            "ram:ServiceName": "rds.aliyuncs.com"
                        }
                    }
                }
            ],
            "Version": "1"
        }
    4. 设置名称,然后单击确定

      例如设置策略名称为log-rds-policy

  3. 为RAM用户授权。

    1. 在左侧导航栏中,选择身份管理 > 用户

    2. 找到目标RAM用户,单击添加权限

    3. 添加权限面板的选择权限区域,单击自定义策略,选中您在步骤2中创建的权限策略,然后单击确定

    4. 确认授权成功后,单击完成