The AliyunActionTrailDeliveryPolicy permission policy is used to grant permissions related to event delivery. This topic describes the scenarios in which the permission policy is used and the permissions of the policy.
Scenarios
Access Simple Log Service
If you create a trail and specify a Simple Log Service project to store events, ActionTrail must create a Logstore in the specified project and write events to the Logstore. In this case, ActionTrail must obtain the permissions to access Simple Log Service.
Access Object Storage Service (OSS)
If you create a trail and specify an OSS bucket to store events, ActionTrail must write events to the specified OSS bucket. In this case, ActionTrail must obtain the permissions to access OSS.
Access MaxCompute
If you create a trail and specify a MaxCompute project to store events, ActionTrail must write events to the specified project. In this case, ActionTrail must obtain the permissions to access MaxCompute.
Policy description
Policy name: AliyunActionTrailDeliveryPolicy
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject",
        "oss:GetBucketInfo",
        "oss:GetBucketLifecycle",
        "oss:GetBucketLocation",
        "kms:ListKeys",
        "kms:Listalias",
        "kms:ListAliasesByKeyId",
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetProject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs",
        "log:CreateLogstore",
        "log:GetLogstore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:GetIndex",
        "log:GetLogStoreLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/actiontrail_*",
        "acs:log:*:*:project/*/logstore/insights_*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateDashboard",
        "log:UpdateDashboard"
      ],
      "Resource": "acs:log:*:*:project/*/dashboard/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateSavedSearch",
        "log:UpdateSavedSearch"
      ],
      "Resource": [
        "acs:log:*:*:project/*/savedsearch/actiontrail_*",
        "acs:log:*:*:project/*/savedsearch/insights_*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "odps:updateUsersToAdmin",
      "Resource": "acs:odps:*:*:projects/actiontrail_*"
    }
  ]
}
Policy description: The permission policy allows ActionTrail to access resources in Simple Log Service and OSS; it also grants the Key Management Service (KMS) and MaxCompute (odps) actions listed below. Note that the OSS and KMS actions are granted on every resource ("*"), while the Simple Log Service and MaxCompute actions are scoped to resources whose names start with actiontrail_ or insights_. The following table describes the operations that the permission policy allows.
| Action | Description |
| --- | --- |
| oss:GetBucketLocation | Queries the region of the OSS bucket. |
| oss:PutObject | Writes event logs to a specified OSS bucket. |
| oss:GetBucketInfo | Queries information about OSS buckets. |
| oss:GetBucketLifecycle | Queries the lifecycle of an OSS bucket. |
| kms:ListKeys | Queries a list of keys. |
| kms:Listalias | Queries a list of aliases. |
| kms:ListAliasesByKeyId | Queries aliases that are bound to a specified key. |
| kms:DescribeKey | Queries the details of a key. |
| kms:GenerateDataKey | Generates a data key. |
| kms:Decrypt | Decrypts ciphertext into plaintext. |
| log:GetProject | Queries whether a Simple Log Service project exists. |
| log:PostLogStoreLogs | Writes events to a specified Simple Log Service Logstore. |
| log:GetLogstore | Queries whether a Simple Log Service Logstore exists. |
| log:CreateLogstore | Creates a Logstore. |
| log:CreateIndex | Creates an index. |
| log:UpdateIndex | Updates an index. |
| log:GetIndex | Queries indexes. |
| log:GetLogStoreLogs | Queries logs that are stored in a Logstore. |
| log:CreateDashboard | Creates a dashboard. |
| log:UpdateDashboard | Updates a dashboard. |
| log:CreateSavedSearch | Creates a saved search. |
| log:UpdateSavedSearch | Updates a saved search. |
| odps:updateUsersToAdmin | Updates a project role member. |
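Before attaching a system policy like this one, it helps to check which actions it grants on every resource and whether a given Logstore falls inside its scoped resource patterns. The following is an added example, not code from Alibaba Cloud or this documentation: it evaluates a constructed excerpt of the statements above with plain wildcard matching; the sample ARNs and the literal, case-sensitive matching rules are assumptions for illustration, not the exact semantics of the RAM policy engine.

```python
import fnmatch

# Constructed excerpt of the AliyunActionTrailDeliveryPolicy statements shown above.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["oss:PutObject", "oss:GetBucketInfo",
                    "kms:GenerateDataKey", "kms:Decrypt"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["log:GetProject"]},
        {"Effect": "Allow",
         "Action": ["log:PostLogStoreLogs", "log:CreateLogstore", "log:GetLogstore"],
         "Resource": ["acs:log:*:*:project/*/logstore/actiontrail_*",
                      "acs:log:*:*:project/*/logstore/insights_*"]},
        {"Effect": "Allow", "Action": "odps:updateUsersToAdmin",
         "Resource": "acs:odps:*:*:projects/actiontrail_*"},
    ],
}


def _as_list(value):
    # RAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Return True if an Allow statement matches both action and resource.

    Assumption: '*' in a pattern matches any run of characters (including '/'),
    comparison is literal and case-sensitive, and an explicit Deny wins.
    """
    decision = False
    for stmt in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def unscoped_actions(policy):
    """Actions allowed on every resource ('*'): the first list to review for least privilege."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)


if __name__ == "__main__":
    print("unscoped:", unscoped_actions(POLICY))
```

Running the module prints the actions the excerpt grants without any resource restriction; `is_allowed` shows that the same policy permits writing to a Logstore named `actiontrail_*` but not to an unrelated one in the same project.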