This topic describes how to authorize a Resource Access Management (RAM) user to use the access log feature of Classic Load Balancer (CLB). You need to use your Alibaba Cloud account to perform the authorization.
Prerequisites
The access log feature is enabled for your Alibaba Cloud account. For more information, see Enable the access log management feature.
Create a policy
This section describes how to create a custom policy on the JSON tab. You can also create a policy on the Visual editor tab. For more information, see the Create a custom policy on the Visual editor tab section of the "Create a custom policy" topic.
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
On the JSON tab, enter the following code and click OK.
{ "Statement": [ { "Action": [ "slb:Create*", "slb:List*" ], "Effect": "Allow", "Resource": "acs:log:*:*:project/*" }, { "Action": [ "log:Create*", "log:List*" ], "Effect": "Allow", "Resource": "acs:log:*:*:project/*" }, { "Action": [ "log:Create*", "log:List*", "log:Get*", "log:Update*" ], "Effect": "Allow", "Resource": "acs:log:*:*:project/*/logstore/*" }, { "Action": [ "log:Create*", "log:List*", "log:Get*", "log:Update*" ], "Effect": "Allow", "Resource": "acs:log:*:*:project/*/dashboard/*" }, { "Action": "cms:QueryMetric*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "slb:Describe*", "slb:DeleteAccessLogsDownloadAttribute", "slb:SetAccessLogsDownloadAttribute", "slb:DescribeAccessLogsDownloadAttribute" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ram:Get*", "ram:ListRoles" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }Specify the Name and Description fields.
Check and optimize the content of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
(Optional) Advanced optimization
You can move the pointer over Optional: advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Attach the policy to a RAM user
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Permission page, click Grant Permission.
Configure the Resource Scope parameter.
Account: The authorization takes effect on the current Alibaba Cloud account.
Resource Group: The authorization takes effect on a specific resource group.
NoteIf you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
Configure the Principal parameter.
The principal is the RAM role to which you want to grant permissions. You can select multiple RAM roles at a time.
Configure the Policy parameter.
A policy is a set of access permissions. You can select multiple policies at a time.
System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.
NoteThe system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.
Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.
Click Grant permissions.
Click Close. Return to the page and check whether the policy is attached to the RAM user. If the policy is attached to the RAM user, the RAM user can use the access log feature of CLB.