ActionTrail:Manage the permission policy for event delivery

Last Updated:Apr 29, 2024

The AliyunActionTrailDeliveryPolicy permission policy is used to grant permissions related to event delivery. This topic describes the scenarios in which the permission policy is used and the permissions of the policy.

Scenarios

  • Access Simple Log Service

    If you create a trail and specify a Simple Log Service project to store events, ActionTrail must create a Logstore in the specified project and write events to the Logstore. In this case, ActionTrail must obtain the permissions to access Simple Log Service.

  • Access Object Storage Service (OSS)

    If you create a trail and specify an OSS bucket to store events, ActionTrail must write events to the specified OSS bucket. In this case, ActionTrail must obtain the permissions to access OSS.

  • Access MaxCompute

    If you create a trail and specify a MaxCompute project to store events, ActionTrail must write events to the specified project. In this case, ActionTrail must obtain the permissions to access MaxCompute.

Policy description

Policy name: AliyunActionTrailDeliveryPolicy

Policy content:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutObject",
                "oss:GetBucketInfo",
                "oss:GetBucketLifecycle",
                "oss:GetBucketLocation",
                "kms:ListKeys",
                "kms:Listalias",
                "kms:ListAliasesByKeyId",
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:GetProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:CreateLogstore",
                "log:GetLogstore",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:GetIndex",
                "log:GetLogStoreLogs"
            ],
            "Resource": [
                "acs:log:*:*:project/*/logstore/actiontrail_*",
                "acs:log:*:*:project/*/logstore/insights_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateDashboard",
                "log:UpdateDashboard"
            ],
            "Resource": "acs:log:*:*:project/*/dashboard/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch"
            ],
            "Resource": [
                "acs:log:*:*:project/*/savedsearch/actiontrail_*",
                "acs:log:*:*:project/*/savedsearch/insights_*"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "odps:updateUsersToAdmin",
            "Resource": "acs:odps:*:*:projects/actiontrail_*"
        }
    ]
}

Policy description: The permission policy allows ActionTrail to access resources in Simple Log Service, OSS, Key Management Service (KMS), and MaxCompute. The following table describes the operations that are allowed by the permission policy.

Action                    Description
oss:GetBucketLocation     Queries the region of the OSS bucket.
oss:PutObject             Writes event logs to a specified OSS bucket.
oss:GetBucketInfo         Queries information about OSS buckets.
oss:GetBucketLifecycle    Queries the lifecycle of an OSS bucket.
kms:ListKeys              Queries a list of keys.
kms:Listalias             Queries a list of aliases.
kms:ListAliasesByKeyId    Queries aliases that are bound to a specified key.
kms:DescribeKey           Queries the details of a key.
kms:GenerateDataKey       Generates a data key.
kms:Decrypt               Decrypts ciphertext into plaintext.
log:GetProject            Queries whether a Simple Log Service project exists.
log:PostLogStoreLogs      Writes events to a specified Simple Log Service Logstore.
log:GetLogstore           Queries whether a Simple Log Service Logstore exists.
log:CreateLogstore        Creates a Logstore.
log:CreateIndex           Creates an index.
log:UpdateIndex           Updates an index.
log:GetIndex              Queries indexes.
log:GetLogStoreLogs       Queries logs that are stored in a Logstore.
log:CreateDashboard       Creates a dashboard.
log:UpdateDashboard       Updates a dashboard.
log:CreateSavedSearch     Creates a saved search.
log:UpdateSavedSearch     Updates a saved search.
odps:updateUsersToAdmin   Updates a project role member.
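The policy above scopes its Simple Log Service and MaxCompute write permissions to resources named actiontrail_* or insights_*, while the OSS and KMS statements use Resource "*". The following checker, an added example that is not part of this page or of ActionTrail, embeds the policy and answers "does this policy allow action X on resource Y?" so that the scoping can be verified before the role is trusted; it assumes '*' is the only wildcard, that matching is case-insensitive, and ignores Deny statements and Conditions (this policy has neither).

```python
import re

# The AliyunActionTrailDeliveryPolicy from this page, embedded so the checker runs offline.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["oss:PutObject", "oss:GetBucketInfo", "oss:GetBucketLifecycle",
                    "oss:GetBucketLocation", "kms:ListKeys", "kms:Listalias",
                    "kms:ListAliasesByKeyId", "kms:DescribeKey",
                    "kms:GenerateDataKey", "kms:Decrypt"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["log:GetProject"]},
        {"Effect": "Allow",
         "Resource": ["acs:log:*:*:project/*/logstore/actiontrail_*",
                      "acs:log:*:*:project/*/logstore/insights_*"],
         "Action": ["log:PostLogStoreLogs", "log:CreateLogstore", "log:GetLogstore",
                    "log:CreateIndex", "log:UpdateIndex", "log:GetIndex",
                    "log:GetLogStoreLogs"]},
        {"Effect": "Allow", "Resource": "acs:log:*:*:project/*/dashboard/*",
         "Action": ["log:CreateDashboard", "log:UpdateDashboard"]},
        {"Effect": "Allow",
         "Resource": ["acs:log:*:*:project/*/savedsearch/actiontrail_*",
                      "acs:log:*:*:project/*/savedsearch/insights_*"],
         "Action": ["log:CreateSavedSearch", "log:UpdateSavedSearch"]},
        {"Effect": "Allow", "Action": "odps:updateUsersToAdmin",
         "Resource": "acs:odps:*:*:projects/actiontrail_*"},
    ],
}

def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # Assumption: only '*' is a wildcard; it matches any run of characters, ':' and '/'
    # included, and comparison is case-insensitive. Everything else must match literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def is_allowed(action, resource, policy=POLICY):
    """True if some Allow statement covers both the action and the resource string."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(_match(a, action) for a in _as_list(stmt["Action"])) and \
           any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False
```

Calling is_allowed("log:PostLogStoreLogs", ...) with a Logstore named app_logs returns False while actiontrail_main returns True, which is the least-privilege boundary a reviewer would want to confirm; any resource string at all satisfies the oss: and kms: statements.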