A project policy is an authorization policy for projects in Simple Log Service (SLS). You can use a project policy to grant specified networks or IP addresses permissions to access SLS resources.
Background
By default, data can be written to an SLS project from any IP address. When using LoongCollector (formerly Logtail), data from unexpected sources may also be included. To enhance security, use a project policy to specify allowed IP address ranges for data writing. For example, if you have a stable production cluster A that writes logs to Project A and has automated O&M policies like alerts, implement a project policy to prevent logs from test or new clusters from mistakenly being written to Project A and disrupting daily operations.
Usage notes
You can only configure project policies using the SDK. This action is not supported in the console.
You must understand authorization information, such as Action, Resource, and Condition. For more information, see Authorization information.
When you configure a project policy, if you set the principal to an anonymous account (*):
If the policy does not contain a Condition element, the project policy applies to all users except the project owner.
If the policy contains a Condition element, the project policy applies to all users, including the project owner.
Examples
This section provides an example of how to set a project policy using the Java SDK. For information about other languages, see SDK Overview.
Download the Java SDK package.
Create the src/main/java/com/aliyun/openservices/log/sample/ProjectPolicyDemo.java file.
Use the sample code for your scenario and modify the parameter values as described in the comments.
Allow access only from a specified VPC
Sample code:

    package com.aliyun.openservices.log.sample;

    import com.aliyun.openservices.log.Client;
    import com.aliyun.openservices.log.exception.LogException;
    import org.junit.Assert;

    public class ProjectPolicyDemo {
        // This example obtains the AccessKey ID and AccessKey secret from environment variables.
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Replace the value with the endpoint of the region where the SLS project resides.
        static String endPoint = "your-endpoint";
        // Replace the value with the name of the SLS project.
        static String projectName = "example-project";
        static Client client = new Client(endPoint, accessKeyId, accessKey);

        public static void main(String[] args) throws LogException {
            // Confirm that the project exists and that the credentials can reach it.
            try {
                client.GetProject(projectName);
            } catch (LogException e) {
                Assert.fail("should not fail : " + e.GetErrorCode());
            }
            // Deny every log:* action on the project unless the request originates from the specified VPC.
            String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:*\"],\"Principal\": [\"*\"],"
                    + "\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\","
                    + "\"Condition\": {\"StringNotEquals\": {\"acs:SourceVpc\": [\"vpc-t4nlw426y44rd3iq4****\"]}},"
                    + "\"Effect\":\"Deny\"}]}";
            client.setProjectPolicy(projectName, policyText);
            // Read the policy back and verify that it was stored unchanged.
            Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
        }
    }

Permission policy:

The following permission policy is used for policyText in the sample code. It denies all log:* actions on example-project unless the request comes from the VPC whose ID is vpc-t4nlw426y44rd3iq4****, so only that VPC can access the project.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:*"
          ],
          "Principal": [
            "*"
          ],
          "Resource": "acs:log:*:*:project/example-project/*",
          "Condition": {
            "StringNotEquals": {
              "acs:SourceVpc": [
                "vpc-t4nlw426y44rd3iq4****"
              ]
            }
          },
          "Effect": "Deny"
        }
      ]
    }
Block access from specific IP addresses
Sample code:

    package com.aliyun.openservices.log.sample;

    import com.aliyun.openservices.log.Client;
    import com.aliyun.openservices.log.exception.LogException;
    import org.junit.Assert;

    public class ProjectPolicyDemo {
        // This example obtains the AccessKey ID and AccessKey secret from environment variables.
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Replace the value with the endpoint of the region where the SLS project resides.
        static String endPoint = "your-endpoint";
        // Replace the value with the name of the SLS project.
        static String projectName = "example-project";
        static Client client = new Client(endPoint, accessKeyId, accessKey);

        public static void main(String[] args) throws LogException {
            // Confirm that the project exists and that the credentials can reach it.
            try {
                client.GetProject(projectName);
            } catch (LogException e) {
                Assert.fail("should not fail : " + e.GetErrorCode());
            }
            // Deny every action on the project for requests whose source IP address is one of the listed addresses.
            String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"*\"],\"Principal\": [\"*\"],"
                    + "\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\","
                    + "\"Condition\": {\"IpAddress\":{\"acs:SourceIp\":[\"192.168.0.0\",\"172.16.215.218\"]}},"
                    + "\"Effect\":\"Deny\"}]}";
            client.setProjectPolicy(projectName, policyText);
            // Read the policy back and verify that it was stored unchanged.
            Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
        }
    }

Permission policy:

The following permission policy denies all access to example-project from the IP addresses 192.168.0.0 and 172.16.215.218.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "*"
          ],
          "Principal": [
            "*"
          ],
          "Resource": "acs:log:*:*:project/example-project/*",
          "Condition": {
            "IpAddress": {
              "acs:SourceIp": [
                "192.168.0.0",
                "172.16.215.218"
              ]
            }
          }
        }
      ]
    }
Block writes from the Internet
Sample code:

    package com.aliyun.openservices.log.sample;

    import com.aliyun.openservices.log.Client;
    import com.aliyun.openservices.log.exception.LogException;
    import org.junit.Assert;

    public class ProjectPolicyDemo {
        // This example obtains the AccessKey ID and AccessKey secret from environment variables.
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Replace the value with the endpoint of the region where the SLS project resides.
        static String endPoint = "your-endpoint";
        // Replace the value with the name of the SLS project.
        static String projectName = "example-project";
        static Client client = new Client(endPoint, accessKeyId, accessKey);

        public static void main(String[] args) throws LogException {
            // Confirm that the project exists and that the credentials can reach it.
            try {
                client.GetProject(projectName);
            } catch (LogException e) {
                Assert.fail("should not fail : " + e.GetErrorCode());
            }
            // Deny log writes (PostLogStoreLogs) unless the request carries a VPC source ID, i.e. block Internet writes.
            String policyText = "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"log:PostLogStoreLogs\"],\"Principal\": [\"*\"],"
                    + "\"Resource\":\"acs:log:*:*:project/" + projectName + "/*\","
                    + "\"Condition\":{\"StringNotLike\": {\"acs:SourceVpc\":[\"vpc-*\"]}},"
                    + "\"Effect\":\"Deny\"}]}";
            client.setProjectPolicy(projectName, policyText);
            // Read the policy back and verify that it was stored unchanged.
            Assert.assertEquals(policyText, client.getProjectPolicy(projectName).getPolicyText());
        }
    }

Permission policy:

The following permission policy denies requests that write logs to example-project over the Internet: the log:PostLogStoreLogs action is denied whenever the request's acs:SourceVpc does not match vpc-*, which is the case for requests that do not come from a VPC. Other actions, such as queries, are not affected.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "log:PostLogStoreLogs"
          ],
          "Principal": [
            "*"
          ],
          "Resource": "acs:log:*:*:project/example-project/*",
          "Condition": {
            "StringNotLike": {
              "acs:SourceVpc": [
                "vpc-*"
              ]
            }
          }
        }
      ]
    }
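As an added example that is not part of this page or the SLS SDK, the following Python simulates offline how the three Deny policies above evaluate a request, including the usage-note rule that the anonymous principal * spares the project owner only when the statement has no Condition. The request fields, the treatment of a missing acs:SourceVpc key under the negated string operators, and reading a plain IP in IpAddress as a /32 are assumptions of this model, not documented SLS evaluation logic.

```python
import fnmatch
import ipaddress
import json

def deny_policy(actions, condition=None):
    """Build the one-statement Deny policy shape this page uses (anonymous principal '*')."""
    stmt = {"Effect": "Deny", "Action": actions, "Principal": ["*"],
            "Resource": "acs:log:*:*:project/example-project/*"}
    if condition is not None:
        stmt["Condition"] = condition
    return json.dumps({"Version": "1", "Statement": [stmt]})

# The three policies from this page, rebuilt as constructed input.
VPC_ONLY = deny_policy(["log:*"], {"StringNotEquals": {"acs:SourceVpc": ["vpc-t4nlw426y44rd3iq4****"]}})
BLOCK_IPS = deny_policy(["*"], {"IpAddress": {"acs:SourceIp": ["192.168.0.0", "172.16.215.218"]}})
NO_INTERNET_WRITES = deny_policy(["log:PostLogStoreLogs"], {"StringNotLike": {"acs:SourceVpc": ["vpc-*"]}})

def _condition_holds(condition, ctx):
    """True when every operator/key pair matches. An Internet request carries no
    acs:SourceVpc: the negated string operators then hold, IpAddress needs a value (assumption)."""
    for operator, keys in condition.items():
        if operator not in ("StringNotEquals", "StringNotLike", "IpAddress"):
            raise ValueError("operator not modelled here: " + operator)
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals" and actual in wanted:
                return False
            if operator == "StringNotLike" and actual is not None and any(
                    fnmatch.fnmatchcase(actual, w) for w in wanted):
                return False
            if operator == "IpAddress" and not (actual and any(ipaddress.ip_address(actual)
                    in ipaddress.ip_network(w, strict=False) for w in wanted)):
                return False
    return True

def denied(policy_text, request):
    """True if a Deny statement matches the request (action, resource, is_owner, condition
    keys such as acs:SourceIp). False only means this policy does not block it; RAM still decides."""
    for stmt in json.loads(policy_text)["Statement"]:
        # Only anonymous-principal Deny statements are modelled; without a Condition, '*' spares the owner.
        if (stmt["Effect"] != "Deny" or "*" not in stmt["Principal"]
                or (request.get("is_owner") and "Condition" not in stmt)):
            continue
        if not (any(fnmatch.fnmatchcase(request["action"], a) for a in stmt["Action"])
                and fnmatch.fnmatchcase(request["resource"], stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], request):
            continue
        return True
    return False
```

Running the same request dictionaries against all three policies is a quick way to review a candidate policyText before calling setProjectPolicy, for instance to confirm that the Internet-write block leaves query actions untouched.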
Delete a project policy
If you no longer need access control, delete the project policy.
    package com.aliyun.openservices.log.sample;

    import com.aliyun.openservices.log.Client;
    import com.aliyun.openservices.log.exception.LogException;
    import org.junit.Assert;

    public class ProjectPolicyDemo {
        // This example obtains the AccessKey ID and AccessKey secret from environment variables.
        static String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        static String accessKey = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Replace the value with the endpoint of the region where the SLS project resides.
        static String endPoint = "your-endpoint";
        // Replace the value with the name of the SLS project.
        static String projectName = "example-project";
        static Client client = new Client(endPoint, accessKeyId, accessKey);

        public static void main(String[] args) throws LogException {
            // Remove the project policy; afterwards the project falls back to RAM authorization only.
            client.deleteProjectPolicy(projectName);
            // Verify that no policy text remains on the project.
            Assert.assertEquals("", client.getProjectPolicy(projectName).getPolicyText());
        }
    }