This topic introduces the basic concepts and operations of Resource Access Management (RAM). You can use these operations to manage user identities, control resource access, authorize RAM users to access Simple Log Service, authorize Simple Log Service to read logs, and authorize a RAM role to manage Simple Log Service resources.
Basic concepts
RAM allows you to manage user identities and control resource access. You can create RAM users for employees, systems, and applications and authorize them to access the resources of your Alibaba Cloud account. If multiple users in your enterprise need to access the same resources, you can use RAM to grant each user only the permissions that the user needs. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account, which has unrestricted permissions, with these users and reduces security risks.
RAM allows you to implement fine-grained access control on Simple Log Service resources. You can achieve this by creating RAM users and RAM roles and granting permissions on Simple Log Service resources to the users and roles.
Operations
Manage user identities
You can use RAM to manage the identities under your Alibaba Cloud account: RAM users, RAM roles, and user groups. You can then authorize these identities to access and manage the Simple Log Service resources of your Alibaba Cloud account.
Simple Log Service allows you to collect logs from cloud services such as API Gateway and Server Load Balancer (SLB). To do this, Simple Log Service assumes a service-linked RAM role that is authorized to read from those services. The following table lists the predefined roles and the default policy attached to each. To authorize Simple Log Service to assume a role, click Cloud Resource Access Authorization on the Cloud Resource Access Authorization page; review the attached policy before you confirm, because it defines exactly which of your resources the service may read.
Role | Default permission | Description
AliyunLogArchiveRole | AliyunLogArchiveRolePolicy | Simple Log Service can assume this role to access SLB logs. The default policy is used to export SLB logs.
AliyunLogImportOSSRole | AliyunLogImportOSSRolePolicy | Simple Log Service can assume this role to access your Object Storage Service (OSS) resources.
AliyunLogDefaultRole | AliyunLogRolePolicy | Simple Log Service can assume this role to access your resources of other Alibaba Cloud services.
AliyunLogETLRole | AliyunLogETLRolePolicy | Simple Log Service can assume this role to extract, transform, and load data of other Alibaba Cloud services.
AliyunMNSLoggingRole | AliyunMNSLoggingRolePolicy | Simple Log Service can assume this role to access Message Service (MNS) logs. The default policy is used to export MNS logs and write logs to OSS.
Control resource access
You can grant permissions to RAM users, RAM roles, and user groups that belong to your Alibaba Cloud account.
You can use system policies or customize finer-grained policies. For more information, see Overview.
The following table describes the system policies that are supported by Simple Log Service. Both policies apply to all Simple Log Service resources in your Alibaba Cloud account. If a user only needs access to specific projects or logstores, create a custom policy that names those resources instead.
Policy | Type | Description
AliyunLogFullAccess | System policy | Grants full access to all Simple Log Service resources, including the permissions to create, modify, and delete projects and logstores.
AliyunLogReadOnlyAccess | System policy | Grants read-only access to all Simple Log Service resources.
Authorize a RAM user to access Simple Log Service
Your business may require you to give O&M personnel management permissions on Simple Log Service resources, or other personnel may require access permissions on Simple Log Service resources. In this case, you grant the required permissions to RAM users that represent the personnel, and the personnel access Simple Log Service as those RAM users. For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users: for example, grant read-only permissions to personnel who only need to query logs, and limit permissions to the specific projects or logstores they work with rather than to all Simple Log Service resources.
For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service.
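The following script is an added example, not code from the Simple Log Service documentation. It shows what the least-privilege recommendation above looks like as a custom RAM policy for a RAM user: read access to a single logstore, enough list permissions to find it, and an explicit Deny on write and delete actions. It also includes a deliberately simplified evaluator that models the two RAM rules that matter most here (default deny; an explicit Deny wins over any Allow, including one from a broad system-style policy attached to the same user). The region, account ID, project and logstore names, and the exact action names are assumptions chosen for illustration; Condition elements are not modelled.

```python
"""Least-privilege custom RAM policy for a RAM user, with a small evaluator.

Added example; it is not code from the Simple Log Service documentation.
The document layout (Version "1", Statement list with Effect/Action/Resource)
is the RAM policy format. The action names, region, account ID, project and
logstore names below are assumptions chosen for illustration.
"""
import fnmatch
import json

# Assumed identifiers (placeholders, not from the page).
REGION = "cn-hangzhou"
ACCOUNT_ID = "123456789012"
PROJECT = "prod-web"
LOGSTORE = "nginx-access"


def sls_resource(project, logstore=None):
    """Resource string in the form assumed here:
    acs:log:<region>:<account-id>:project/<project>[/logstore/<logstore>]"""
    base = f"acs:log:{REGION}:{ACCOUNT_ID}:project/{project}"
    return f"{base}/logstore/{logstore}" if logstore else base


def read_only_logstore_policy(project, logstore):
    """Custom policy for a RAM user who only needs to query one logstore.

    Unlike the AliyunLogReadOnlyAccess system policy, which is read-only across
    the whole account, this is scoped to one project and logstore, and it adds
    an explicit Deny on writes and deletes so that no other policy attached to
    the same user can widen it.
    """
    return {
        "Version": "1",
        "Statement": [
            {   # enough to find the logstore in the console or SDK
                "Effect": "Allow",
                "Action": ["log:GetProject", "log:ListLogStores", "log:GetLogStore"],
                "Resource": [sls_resource(project), sls_resource(project, "*")],
            },
            {   # the actual read access, limited to one logstore
                "Effect": "Allow",
                "Action": ["log:GetLogStoreLogs", "log:GetLogStoreHistogram"],
                "Resource": sls_resource(project, logstore),
            },
            {   # an explicit Deny wins over any Allow in RAM evaluation
                "Effect": "Deny",
                "Action": ["log:PostLogStoreLogs", "log:DeleteLogStore", "log:DeleteProject"],
                "Resource": "acs:log:*:*:*",
            },
        ],
    }


# Shape of a full-access policy such as AliyunLogFullAccess (assumed here).
FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "log:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM treats '*' in Action and Resource as a wildcard; fnmatchcase gives
    # the same behaviour for the patterns used here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified RAM decision: default deny; any matching explicit Deny wins.

    Condition elements are ignored; only Effect/Action/Resource are modelled.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    policy = read_only_logstore_policy(PROJECT, LOGSTORE)
    print(json.dumps(policy, indent=2))
    target = sls_resource(PROJECT, LOGSTORE)
    print("query nginx-access:", is_allowed([policy], "log:GetLogStoreLogs", target))
    print("write nginx-access:", is_allowed([policy], "log:PostLogStoreLogs", target))
    print("delete with full access also attached:",
          is_allowed([policy, FULL_ACCESS], "log:DeleteLogStore", target))
```

Paste the printed JSON into a custom policy in the RAM console and attach it to the RAM user; the explicit Deny statement is what keeps a later, broader attachment from silently granting writes.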
Authorize Simple Log Service to read logs
Simple Log Service can read log data and generate alerts based on the data. To allow Simple Log Service to read log data, you must grant the required permissions to Simple Log Service.
For more information, see Assign a RAM role to an Alibaba Cloud service.
Authorize a RAM role to manage Simple Log Service resources
A RAM role is a virtual identity that does not have any credentials of its own, such as a password or an AccessKey pair. Instead, you assign the RAM role to a trusted entity, such as an Alibaba Cloud account, RAM user, or Alibaba Cloud service. When the trusted entity assumes the role, it receives a temporary STS token and can use that token to access the resources that the RAM role is authorized to use until the token expires.
Assign the RAM role to a trusted entity. The trusted entity can then manage Simple Log Service resources. For more information, see Create a RAM role whose trusted entity is an Alibaba Cloud account and grant the RAM role the permissions to access Simple Log Service.
Assign the RAM role to a mobile app. The mobile app can then directly access Simple Log Service and upload logs to Simple Log Service. For more information, see Build a service to upload logs from mobile apps to Simple Log Service.
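The following script is an added example, not code from the Simple Log Service documentation. It covers the two kinds of trusted entity described above, and the "Authorize Simple Log Service to read logs" case: it builds the trust policy (assume-role policy document) that names an Alibaba Cloud service as the trusted entity, and the one that names an Alibaba Cloud account or a single RAM user in it, then lints a document for the two mistakes that make a role assumable by far more identities than intended (a wildcard principal, or actions beyond sts:AssumeRole). The service principal string "log.aliyuncs.com", the principal formats, account IDs and user names are assumptions; confirm the service principal against the trust policy of AliyunLogDefaultRole in your RAM console.

```python
"""Trust policies (assume-role policy documents) for a RAM role, with a lint check.

Added example; it is not code from the Simple Log Service documentation.
Assumptions: the service principal that Simple Log Service uses when it assumes
a role is taken to be "log.aliyuncs.com" (confirm against AliyunLogDefaultRole
in your RAM console); the acs:ram:: principal formats, account IDs and user
names are placeholders for illustration.
"""
import json

SLS_SERVICE_PRINCIPAL = "log.aliyuncs.com"  # assumed, see module docstring


def _statement(principal):
    # A trust policy grants exactly one action: sts:AssumeRole.
    return {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}


def trust_service(service):
    """Trusted entity is an Alibaba Cloud service, for example Simple Log Service
    reading logs or running alerts on your behalf."""
    return {"Version": "1", "Statement": [_statement({"Service": [service]})]}


def trust_account(account_id, ram_user=None):
    """Trusted entity is an Alibaba Cloud account: the whole account (root) or a
    single RAM user in it. Prefer a named user when only one caller should be
    able to assume the role."""
    if ram_user is None:
        principal = f"acs:ram::{account_id}:root"
    else:
        principal = f"acs:ram::{account_id}:user/{ram_user}"
    return {"Version": "1", "Statement": [_statement({"RAM": [principal]})]}


def trusted_entities(doc):
    """Set of (principal type, principal) pairs that may assume the role."""
    found = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            for value in (values if isinstance(values, list) else [values]):
                found.add((ptype, value))
    return found


def lint_trust_policy(doc):
    """Findings that indicate an over-broad trust policy. An empty list means clean."""
    findings = []
    if doc.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"statement {i}: only sts:AssumeRole belongs in a trust policy, got {actions}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or not principal:
            findings.append(f"statement {i}: missing Principal; a trust policy must name its trusted entities")
            continue
        for ptype, values in principal.items():
            for value in (values if isinstance(values, list) else [values]):
                if "*" in value:
                    findings.append(f"statement {i}: wildcard {ptype} principal {value!r} lets any identity assume the role")
    return findings


if __name__ == "__main__":
    examples = [
        ("Simple Log Service", trust_service(SLS_SERVICE_PRINCIPAL)),
        ("account 123456789012", trust_account("123456789012")),
        ("RAM user ops-deployer", trust_account("123456789012", "ops-deployer")),
    ]
    for name, doc in examples:
        print(name, json.dumps(doc), "findings:", lint_trust_policy(doc))
```

Run lint_trust_policy against the trust policy of every role that can manage Simple Log Service resources; a finding there means the permission policy attached to the role, however tight, is reachable by identities you did not intend to trust.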