RAM authorization - Simple Log Service - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. You can use RAM to prevent RAM users from sharing the AccessKey pairs of your Alibaba Cloud account. You can also use RAM to grant minimum permissions to RAM users. RAM uses policies to define permissions.

This topic describes the elements, such as Action, Resource, and Condition, which are defined by SLS. You can use the elements to create policies in RAM. The code (RamCode) in RAM that is used to indicate SLS is log. You can grant permissions on SLS at the RESOURCE.

General structure of a policy

Policies can be stored as JSON files. The following code provides an example on the general structure of a policy:

            
            
          
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Effect: specifies the authorization effect. Valid values: Allow, Deny.
Action: specifies one or more API operations that are allowed or denied. For more information, see the Action section of this topic.
Resource: specifies one or more resources to which the policy applies. You can use an Alibaba Cloud Resource Name (ARN) to specify a resource. For more information, see the Resource section of this topic.
Condition: specifies one or more conditions that are required for the policy to take effect. This is an optional field. For more information, see the Condition section of this topic.
- Condition_operator: specifies the conditional operators. Different types of conditions support different conditional operators. For more information, see Policy elements.
- Condition_key: specifies the condition keys.
- Condition_value: specifies the condition values.

Action

SLS defines the values that you can use in the Action element of a policy statement. The following table describes the values.

Operation: the value that you can use in the Action element to specify the operation on a resource.
API operation: the API operation that you can call to perform the operation.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- For mandatory resource types, indicate with a prefix of * .
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition key: the condition keys that are defined by the Alibaba Cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Generic Condition Keyword.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Actions	API operation	Access level	Resource type	Condition key	Associated operation

Actions	API operation	Access level	Resource type	Condition key	Associated operation
log:ChangeResourceGroup	ChangeResourceGroup	update	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	log:TLSVersion	None
log:ConsumerGroupHeartBeat	ConsumerGroupHeartBeat	none	All Resources ``	log:TLSVersion	None
log:ConsumerGroupUpdateCheckPoint	ConsumerGroupUpdateCheckPoint	update	All Resources ``	log:TLSVersion	None
log:CreateConfig	CreateConfig	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/{#LogtailConfigName}`	log:TLSVersion	None
log:CreateConsumerGroup	CreateConsumerGroup	create	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#logstoreName}/consumergroup/{#ConsumerGroup}`	log:TLSVersion	None
log:CreateDashboard	CreateDashboard	create	All Resources ``	log:TLSVersion	None
log:CreateDomain	CreateDomain	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/domain/{#DomainName}`	log:TLSVersion	None
log:CreateIndex	CreateIndex	create	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion	None
log:CreateLogStore	CreateLogStore	create	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstoreName}`	log:TLSVersion log:Encrypted	None
log:CreateLogging	CreateLogging	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logging`	log:TLSVersion	None
log:CreateLogtailPipelineConfig	CreateLogtailPipelineConfig	create	All Resources ``	log:TLSVersion	None
log:CreateMachineGroup	CreateMachineGroup	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName}`	log:TLSVersion	None
log:CreateProject	CreateProject	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#projectName}`	log:TLSVersion	None
log:CreateSavedSearch	CreateSavedSearch	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/{#SavedSearchName}`	log:TLSVersion	None
log:CreateSqlInstance	CreateSqlInstance	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	None	None
log:CreateStoreView	CreateStoreView	create	All Resources ``	None	None
log:DeleteAlert	DeleteAlert	delete	All Resources ``	None	None
log:DeleteConsumerGroup	DeleteConsumerGroup	delete	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#logstoreName}/consumergroup/{#ConsumerGroup}`	log:TLSVersion	None
log:DeleteDashboard	DeleteDashboard	delete	All Resources ``	log:TLSVersion	None
log:DeleteDomain	DeleteDomain	delete	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/domain/{#DomainName}`	log:TLSVersion	None
log:DeleteExternalStore	DeleteExternalStore	delete	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/externalstore/{#ExternalStoreName}`	log:TLSVersion	None
log:DeleteIndex	DeleteIndex	delete	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion	None
log:DeleteLogStore	DeleteLogStore	delete	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion	None
log:DeleteMachineGroup	DeleteMachineGroup	delete	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName}`	log:TLSVersion	None
log:DeleteProject	DeleteProject	delete	*Project `acs:log:{#regionId}:{#accountId}:project/{#project}`	log:TLSVersion	None
log:DeleteProjectPolicy	DeleteProjectPolicy	delete	All Resources ``	log:TLSVersion	None
log:DeleteSavedSearch	DeleteSavedSearch	delete	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/{#SavedSearchName}`	log:TLSVersion	None
log:DeleteStoreView	DeleteStoreView	delete	All Resources ``	None	None
log:DisableAlert	DisableAlert	none	All Resources ``	None	None
log:EnableAlert	EnableAlert	none	All Resources ``	None	None
log:EnableScheduledSQL	EnableScheduledSQL	none	All Resources ``	None	None
log:GetAlert	GetAlert	get	All Resources ``	None	None
log:GetAppliedConfigs	GetAppliedConfigs	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName}`	log:TLSVersion	None
log:GetAppliedMachineGroups	GetAppliedMachineGroups	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/{#LogtailConfigName}`	log:TLSVersion	None
log:GetConfig	GetConfig	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/{#LogtailConfigName}`	log:TLSVersion	None
log:GetCursorOrData	GetCursorTime	get	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName}`	log:TLSVersion	None
log:GetCursorOrData	GetCursor	get	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName}`	log:TLSVersion	None
log:GetDashboard	GetDashboard	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/dashboard/{#DashboardName}`	log:TLSVersion	None
log:GetExternalStore	GetExternalStore	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/externalstore/{#ExternalStoreName}`	log:TLSVersion	None
log:GetIndex	GetIndex	get	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion	None
log:GetLogStore	GetLogStore	get	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion	None
log:GetLogStoreMeteringMode	GetLogStoreMeteringMode	get	All Resources ``	None	None
log:GetLogging	GetLogging	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logging`	log:TLSVersion	None
log:GetLogtailPipelineConfig	GetLogtailPipelineConfig	get	All Resources ``	log:TLSVersion	None
log:GetMachineGroup	GetMachineGroup	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName}`	log:TLSVersion	None
log:GetProject	GetProject	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	log:TLSVersion	None
log:GetProjectPolicy	GetProjectPolicy	get	All Resources ``	log:TLSVersion	None
log:GetSavedSearch	GetSavedSearch	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/{#SavedSearchName}`	log:TLSVersion	None
log:GetStoreView	GetStoreView	get	All Resources ``	None	None
log:GetStoreViewIndex	GetStoreViewIndex	get	All Resources ``	None	None
log:ListConfig	ListConfig	list	Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/`	log:TLSVersion	None
log:ListConsumerGroup	ListConsumerGroup	get	LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName}/consumergroup/`	log:TLSVersion	None
log:ListDashboard	ListDashboard	list	Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/dashboard/`	log:TLSVersion	None
log:ListDomains	ListDomains	get	Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/domain/`	log:TLSVersion	None
log:ListLogStores	ListLogStores	get	LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/`	log:TLSVersion	None
log:ListMachineGroup	ListMachineGroup	get	Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/`	log:TLSVersion	None
log:ListMachines	ListMachines	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName}`	log:TLSVersion	None
log:ListOSSIngestions	ListOSSIngestions	list	All Resources ``	None	None
log:ListProject	ListProject	get	Project `acs:log:{#regionId}:{#accountId}:project/`	log:TLSVersion	None
log:ListSavedSearch	ListSavedSearch	get	Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/`	log:TLSVersion	None
log:ListScheduledSQLs	ListScheduledSQLs	none	All Resources ``	None	None
log:ListShards	ListShards	get	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName}`	log:TLSVersion	None
log:ListStoreViews	ListStoreViews	list	All Resources ``	None	None
log:ListTagResources	ListTagResources	get	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	log:TLSVersion	None
log:PutProjectPolicy	PutProjectPolicy	create	All Resources ``	log:TLSVersion	None
log:SplitShard	SplitShard	update	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName}`	log:TLSVersion	None
log:TagResources	TagResources	create	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	log:TLSVersion	None
log:UntagResources	UntagResources	delete	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	log:TLSVersion	None
log:UpdateConfig	UpdateConfig	update	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/{#LogtailConfigName}`	log:TLSVersion	None
log:UpdateConsumerGroup	UpdateConsumerGroup	update	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#logstoreName}/consumergroup/{#ConsumerGroup}`	log:TLSVersion	None
log:UpdateDashboard	UpdateDashboard	update	All Resources ``	log:TLSVersion	None
log:UpdateIndex	UpdateIndex	update	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion	None
log:UpdateLogStore	UpdateLogStore	update	*LogStore `acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore}`	log:TLSVersion log:Encrypted	None
log:UpdateLogStoreMeteringMode	UpdateLogStoreMeteringMode	update	All Resources ``	log:TLSVersion	None
log:UpdateLogtailPipelineConfig	UpdateLogtailPipelineConfig	update	All Resources ``	log:TLSVersion	None
log:UpdateMachineGroup	UpdateMachineGroup	update	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName}`	log:TLSVersion	None
log:UpdateMachineGroupMachine	UpdateMachineGroupMachine	update	All Resources ``	log:TLSVersion	None
log:UpdateProject	UpdateProject	update	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}`	log:TLSVersion	None
log:UpdateSavedSearch	UpdateSavedSearch	update	*Project `acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/{#SavedSearchName}`	log:TLSVersion	None
log:UpdateStoreView	UpdateStoreView	update	All Resources ``	None	None

Resource

SLS defines the values that you can use in the Resource. You can attach the policy to a RAM user or a RAM role so that the RAM user or the RAM role can perform a specific operation on a specific resource. The ARN is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

{#}indicates a variable. {#} must be replaced with an actual value. For example, {#ramcode} must be replaced with the actual code of an Alibaba Cloud service in RAM.
An asterisk (*) is used as a wildcard. Examples:
- {#resourceType} is set to *, all resources are specified.
- {#regionId} is set to *, all regions are specified.
- {#accountId} is set to *, all Alibaba Cloud accounts are specified.

Resource type	ARN

Resource type	ARN
AgentInstanceConfig	acs:log:{#regionId}:{#accountId}:agentinstanceconfig/{#configName} acs:log:{#regionId}:{#accountId}:agentinstanceconfig/*
Alert	acs:log:{#regionId}:{#accountId}:project/{#project}/alert/*
CollectionPolicy	acs:log::{#accountId}:collectionpolicy/* acs:log::{#accountId}:collectionpolicy/{#policyName}
ConsumeProcessor	acs:log:{#regionId}:{#accountId}:project/{#project}/consumeprocessor/* acs:log:{#regionId}:{#accountId}:project/{#project}/consumeprocessor/{#processorName}
Dashboard	acs:log::{#accountId}:project/{#projectName}/dashboard/{#dashboardId} acs:log::{#accountId}:project/*
ExternalStore	acs:log:{#regionId}:{#accountId}:externalstore/{#ProjectName}/{#ExternalStoreName}
IngestProcessor	acs:log:{#regionId}:{#accountId}:project/{#project}/ingestprocessor/{#processorName} acs:log:{#regionId}:{#accountId}:project/{#project}/ingestprocessor/*
LogStore	acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{l#ogstoreName}/consumergroup/{#ConsumerGroup} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName}/consumergroup/* acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstore} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#logstoreName}/consumergroup/{#ConsumerGroup} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName} acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/* acs:log:{#Region}:{#AccountId}:project/{#ProjectName}/logstore/{#LogstoreName} acs:log:{#regionId}:{#accountId}:project/{#project}/logstore/{#logstoreName} acs:log:${regionId}:${accountId}:project/{#ProjectName}/logstore/{#LogstoreName}/consumergroup/{#ConsumerGroupName} acs:log::{#accountId}:project/{#ProjectName}/logstore/{#LogstoreName} acs:log::{#accountId}:project/{ProjectName}/logstore/{#LogstoreName}
MetricStore	acs:log:{#regionId}:{#accountId}:project/{#project}/metricstore/{#name} acs:log:{#regionId}:{#accountId}:project/{#project}/metricstore/* acs:log:{#regionId}:{#accountId}:project/{#project}/metricstore/{#metricstore}
ProcessConfig	acs:log:{#regionId}:{#accountId}:processconfig/*
Project	acs:log:{#regionId}:{#accountId}:project/{#ProjectName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{#MachineGroupName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/{#LogtailConfigName} acs:log:{#Region}:{#AccountId}:project/{#ProjectName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/dashboard/{DashboardName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/dashboard/{#DashboardName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/{#SavedSearchName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logging acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/* acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/domain/* acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/dashboard/* acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/domain/{#DomainName} acs:log:{#regionId}:{#accountId}:project/* acs:log:{#regionId}:{#accountId}:project/{#project} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/externalstore/{#ExternalStoreName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/machinegroup/{MachineGroup} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/dashboard/{#DashboardName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}//dashboard/{#DashboardName} acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/* acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/savedsearch/* acs:log:{#regionId}:{#accountId}:project/{#ProjectName}/logtailconfig/{#LogtailConfigName}
Region	acs:log:{#regionId}:{#accountId}:*
Service	acs:log::{#AccountId}:service
Ticket	acs:log::{#accountId}:ticket/*
UnifiedObservabilityModel	acs:log:{#regionId}:{#accountId}:UnifiedObservabilityModel/* acs:log:{#regionId}:{#accountId}:UnifiedObservabilityModel/{#instanceId}

Condition

SLS defines the values that you can use in the Condition element of a policy statement. The following table describes the values. The following table describes the service-specific condition keys. The common condition keys that are defined by Alibaba Cloud also apply to SLS. For more information about the common condition keys, see Generic Condition Keyword.

The data type determines the conditional operators that you can use to compare the value in a request with the value in a policy statement. You must use conditional operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the conditional operators that are supported by each data type, see Policy elements.

Condition key	Description	Data type

Condition key	Description	Data type
log:Encrypted	Whether to specify encryption configuration when creating or modifying a Logstore	Boolean
log:TLSVersion	Version of TLS	String

What to do next

You can create a custom policy and attach the policy to a RAM user, RAM user group, or RAM role. For more information, see the following topics:

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)