Simple Log Service: Create a RAM role whose trusted entity is an Alibaba Cloud service and grant the RAM role the permissions to access Simple Log Service

Last Updated: Apr 17, 2024

This topic describes how to create a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud service and grant the RAM role the permissions to access Simple Log Service. This type of RAM role is used to authorize access across Alibaba Cloud services.

Step 1: Create a RAM role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. In the Select Role Type step, select Alibaba Cloud Service as the trusted entity and click Next.

  5. In the Configure Role step, configure the parameters and click OK. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Role Type | Select Normal Service Role. |
    | RAM Role Name | Enter the name of the RAM role. Example: aliyunlogreadrole. |
    | Note | Enter the description of the RAM role. |
    | Select Trusted Service | Select Log Service from the drop-down list. |

  6. In the Finish step, click Close.

Step 2: Grant permissions to the RAM role

After you create a RAM role, the RAM role does not have permissions. Before Simple Log Service can assume the RAM role to perform operations, you must attach the required system policies or custom policies to the RAM role. RAM provides the following system policies for Simple Log Service:

  • AliyunLogFullAccess: This policy grants the permissions to manage all Simple Log Service resources.

  • AliyunLogReadOnlyAccess: This policy grants the read-only permissions on all Simple Log Service resources.

If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create custom policies. For more information about example policies, see Use custom policies to grant permissions to a RAM user and Overview.

To attach a policy to a RAM role, perform the following steps. In this example, the AliyunLogReadOnlyAccess policy is used.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role and click Grant Permission in the Actions column.

  4. In the Grant Permission panel, select the AliyunLogReadOnlyAccess policy and click OK.

  5. Confirm the authorization result. Then, click Complete.
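
To check the result of both steps, the following added example (not Alibaba Cloud's own code) audits a role's trust policy and attached policies: only Simple Log Service may assume the role, and the read-only policy is preferred over full access. It assumes the trust policy JSON names the service principal log.aliyuncs.com; audit_role and the sample policy are constructed for illustration.

```python
import json

# Assumption: the principal recorded when "Log Service" is the trusted service.
EXPECTED_SERVICE = "log.aliyuncs.com"
# Of the two system policies named on this page, this one is not least privilege.
BROAD_POLICIES = {"AliyunLogFullAccess"}

# Constructed sample: trust policy of a role created as in Step 1.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": ["log.aliyuncs.com"]}}],
})


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [] if value is None else [value]


def audit_role(trust_policy_json, attached_policies):
    """Return findings; an empty list means the role matches Steps 1 and 2."""
    findings = []
    trusted_services = set()
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"unexpected Principal value: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == EXPECTED_SERVICE:
                    trusted_services.add(value)
                else:
                    findings.append(f"extra trusted principal {kind}={value}")
    if EXPECTED_SERVICE not in trusted_services:
        findings.append(f"{EXPECTED_SERVICE} is not trusted to assume the role")
    if not attached_policies:
        findings.append("no policy attached: the role has no permissions")
    for name in attached_policies:
        if name in BROAD_POLICIES:
            findings.append(f"{name} grants management of all resources")
    return findings
```

Pass the role's trust policy document and the names of its attached policies; each returned string is one deviation to review.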