This topic describes how to access Log Service resources of an Alibaba Cloud account as a Resource Access Management (RAM) user. You can access these resources only after you grant the RAM user the required permissions by using RAM.
Background information
You can create projects, Logstores, Logtail configurations, and machine groups in Log Service. By default, you have full permissions on these resources. You can use the resources by calling the related API operations.
However, if you use your Alibaba Cloud account to create a RAM user, the RAM user has no permissions on your resources by default. To allow the RAM user to use your resources, you must grant the required permissions to the RAM user by attaching RAM policies.
If you do not need to grant other users the permissions to access Log Service resources of your Alibaba Cloud account, you can skip this section. If you skip this section, your understanding of other sections is unaffected.
RAM policies
- AliyunLogFullAccess
If you attach this policy to a RAM user, the RAM user has full permissions to access Log Service resources of your Alibaba Cloud account. The following example shows the policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
- AliyunLogReadOnlyAccess
If you attach this policy to a RAM user, the RAM user has read-only permissions to access Log Service resources of your Alibaba Cloud account. The following example shows the policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Get*",
            "log:List*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
- Upload data to a specified Logstore
If you attach this policy to a RAM user, the RAM user has the permissions to upload data to a specified Logstore by using the API operations and SDKs. The following example shows the policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*",
            "log:BatchPost*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the specified project>/logstore/<The name of the specified Logstore>"
          ],
          "Effect": "Allow"
        }
      ]
    }
- Query data of a specified Logstore in the console
If you attach this policy to a RAM user, the RAM user has read-only permissions to query the data of a specified Logstore in the console. The permissions allow the RAM user to query logs, pull logs, and view the Logstore list. The following example shows the policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:List*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the specified project>/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:Get*"
          ],
          "Resource": [
            "acs:log:*:*:project/<The name of the specified project>/logstore/<The name of the specified Logstore>"
          ],
          "Effect": "Allow"
        }
      ]
    }
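The following added example (not Alibaba Cloud code) checks what the last two policies above actually grant before you attach them: it fills the placeholders with the constructed names my-project and my-logstore, then evaluates sample requests against the policies with a simplified RAM evaluation (explicit Deny wins, any matching Allow grants, everything else is denied; Condition elements are ignored). The region, account ID, and the action names used in the requests are assumptions for illustration.

```python
import fnmatch

# Constructed values standing in for the placeholders in the page's policies.
PROJECT, LOGSTORE = "my-project", "my-logstore"

# "Upload data to a specified Logstore" policy from the page, placeholders filled in.
UPLOAD_POLICY = {"Version": "1", "Statement": [
    {"Action": ["log:Post*", "log:BatchPost*"],
     "Resource": [f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}"],
     "Effect": "Allow"}]}

# "Query data of a specified Logstore in the console" policy, placeholders filled in.
CONSOLE_QUERY_POLICY = {"Version": "1", "Statement": [
    {"Action": ["log:List*"],
     "Resource": [f"acs:log:*:*:project/{PROJECT}/*"], "Effect": "Allow"},
    {"Action": ["log:Get*"],
     "Resource": [f"acs:log:*:*:project/{PROJECT}/logstore/{LOGSTORE}"],
     "Effect": "Allow"}]}

def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified RAM evaluation: Deny wins, otherwise any matching Allow grants,
    otherwise deny by default. '*' in policies is a wildcard; '[' and '?' do not
    occur in Log Service actions or ARNs, so fnmatch's extra syntax is harmless."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def resource(project, logstore=None, region="cn-hangzhou", account="123456"):
    """Build a Log Service resource ARN; region and account are constructed sample values."""
    arn = f"acs:log:{region}:{account}:project/{project}"
    return f"{arn}/logstore/{logstore}" if logstore else arn

if __name__ == "__main__":
    own = is_allowed(UPLOAD_POLICY, "log:PostLogStoreLogs", resource(PROJECT, LOGSTORE))
    other = is_allowed(UPLOAD_POLICY, "log:PostLogStoreLogs", resource(PROJECT, "other"))
    read = is_allowed(UPLOAD_POLICY, "log:GetLogs", resource(PROJECT, LOGSTORE))
    print(f"upload to own Logstore: {own}, to another Logstore: {other}, read logs: {read}")
```

The upload policy grants writes only to the named Logstore and nothing else, while the console policy lets the user list every Logstore in the project but read logs only from the named one; a request on any other project or Logstore falls through to the default deny.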