Simple Log Service:Grant the operation permissions on CloudLens for SLS to a RAM user

Last Updated:Sep 03, 2024

This topic describes how to grant the operation permissions on CloudLens for SLS to a Resource Access Management (RAM) user.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

Before you can use a RAM user to manage CloudLens for SLS, you must use the Alibaba Cloud account to which the RAM user belongs to grant the required permissions. You can grant permissions by using the following types of policies:

  • Simple mode: You attach a system policy that grants all read-only or all management permissions on Simple Log Service to the RAM user. You cannot modify the policy document and do not need to configure parameters, but the grant covers every Simple Log Service resource in the account, not only CloudLens for SLS.

  • Custom mode: You create a custom policy and attach it to the RAM user. This mode allows fine-grained, least-privilege access control, but requires you to write and maintain the policy document.

Grant permissions to a RAM user by using a system policy

Attach the AliyunLogReadOnlyAccess or the AliyunLogFullAccess system policy to the RAM user. AliyunLogReadOnlyAccess allows read-only operations on Simple Log Service. AliyunLogFullAccess allows all management operations on Simple Log Service. Attaching both is redundant because AliyunLogFullAccess already includes the read-only operations. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

Grant permissions to a RAM user by using a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Create a custom policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with one of the following policy documents, and then click Next to edit policy information.

      You can grant the read-only permissions or the read and write permissions on CloudLens for SLS to a RAM user.

      • Read-only permissions: The RAM user can only view the pages of CloudLens for SLS. No action in this document creates, modifies, or deletes a resource.

        {
            "Statement": [
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "log:GetProductDataCollection",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:ListCollectionPolicies"
                    ],
                    "Resource": "acs:log::*:collectionpolicy/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:ListProject",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                }
            ],
            "Version": "1"
        }
      • Read and write permissions: The RAM user can perform all operations that are supported by CloudLens for SLS. Note that this document also allows ram:CreateServiceLinkedRole; the Condition on ram:ServiceName restricts that grant to the audit.log.aliyuncs.com service-linked role, so keep the Condition when you adapt the policy.

        {
            "Statement": [
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:CreateProject",
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard",
                        "log:UpdateLogStore",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:GetProductDataCollection",
                        "log:OpenProductDataCollection",
                        "log:CloseProductDataCollection"
                    ],
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:SetGeneralDataAccessConfig",
                    "Resource": "acs:log:*:*:resource/sls.general_data_access.sls.global_conf.standard_channel/record",
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:CreateServiceLinkedRole",
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "ram:ServiceName": "audit.log.aliyuncs.com"
                        }
                    }
                },
                {
                    "Action": [
                        "log:ListCollectionPolicies",
                        "log:UpsertCollectionPolicy",
                        "log:DeleteCollectionPolicy"
                    ],
                    "Resource": "acs:log::*:collectionpolicy/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:ListProject",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                }
            ],
            "Version": "1"
        }
    4. Configure the Name parameter and click OK.

      In this example, set the policy name to log-sls-policy.

  3. Grant permissions to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

    3. In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permission.
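Before you click Grant permission, it is worth checking that the policy document you pasted grants exactly what this topic describes. The following Python script is an added example and is not part of the Alibaba Cloud documentation, console, or SDK. It lints a RAM policy document offline: it validates the Version and Statement shape, lists the actions an Allow statement grants, classifies each action as read-only or mutating by its verb (the verb list is an assumption of this example, not a RAM definition), reports actions listed twice in one statement, and flags any non-log action granted on Resource "*" without a Condition, which is the check that catches a read and write policy whose ram:CreateServiceLinkedRole grant has lost its ram:ServiceName condition. The sample policies in the block are constructed, shortened versions of the two documents above.

```python
"""Offline lint for a RAM custom policy document before it is attached to a RAM user.

Added example; not code from the Alibaba Cloud documentation or SDK. The verb-based
read-only classification and the sample policies below are assumptions of this example.
"""
import json

# Actions whose name starts with one of these verbs are treated as read-only; everything
# else (Create/Update/Delete/Open/Close/Set/Upsert...) as mutating. Assumption of this example.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse a policy document and check the shape RAM expects."""
    policy = json.loads(text)
    if policy.get("Version") != "1":
        raise ValueError('RAM policy documents must have "Version": "1"')
    if not isinstance(policy.get("Statement"), list) or not policy["Statement"]:
        raise ValueError("Statement must be a non-empty list")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("each statement needs Effect Allow or Deny")
    return policy


def allowed_actions(policy):
    """All actions granted by Allow statements, in document order, without duplicates."""
    seen = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action not in seen:
                seen.append(action)
    return seen


def is_read_only(action):
    """'log:GetLogStore' -> True, 'log:CreateProject' -> False (verb heuristic)."""
    _service, _, name = action.partition(":")
    return name.startswith(READ_ONLY_VERBS)


def mutating_actions(policy):
    return [a for a in allowed_actions(policy) if not is_read_only(a)]


def duplicate_actions(policy):
    """Actions listed more than once inside a single statement (harmless, but noisy)."""
    dups = []
    for stmt in policy["Statement"]:
        listed = _as_list(stmt["Action"])
        for action in listed:
            if listed.count(action) > 1 and action not in dups:
                dups.append(action)
    return dups


def unscoped_actions(policy):
    """Non-log actions granted on Resource '*' with no Condition to narrow them."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        findings.extend(a for a in _as_list(stmt["Action"]) if not a.startswith("log:"))
    return findings


def lint(text, expect_read_only):
    """Return a list of problems; an empty list means the policy passed every check."""
    policy = load_policy(text)
    problems = []
    if expect_read_only:
        for action in mutating_actions(policy):
            problems.append(f"mutating action in a read-only policy: {action}")
    for action in duplicate_actions(policy):
        problems.append(f"action listed twice in one statement: {action}")
    for action in unscoped_actions(policy):
        problems.append(f"{action} granted on Resource * without a Condition")
    return problems


# Constructed, shortened versions of the two policy documents above (sample input only).
READ_ONLY_SAMPLE = """{
  "Statement": [
    {"Action": ["log:GetLogStore", "log:ListLogStores", "log:GetLogStoreLogs"],
     "Resource": ["acs:log:*:*:project/*/logstore/*"], "Effect": "Allow"},
    {"Action": "log:ListProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow"}
  ],
  "Version": "1"
}"""

READ_WRITE_SAMPLE = """{
  "Statement": [
    {"Action": ["log:GetLogStore", "log:CreateProject", "log:ListLogStores", "log:ListLogStores"],
     "Resource": ["acs:log:*:*:project/*/logstore/*"], "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "audit.log.aliyuncs.com"}}}
  ],
  "Version": "1"
}"""

# The same read/write document with the Condition dropped: the grant lint must catch.
_unscoped = json.loads(READ_WRITE_SAMPLE)
del _unscoped["Statement"][1]["Condition"]
UNSCOPED_SAMPLE = json.dumps(_unscoped)

if __name__ == "__main__":
    for name, text, read_only in [("read-only", READ_ONLY_SAMPLE, True),
                                  ("read-write", READ_WRITE_SAMPLE, False),
                                  ("unscoped", UNSCOPED_SAMPLE, False)]:
        print(name, lint(text, read_only) or "OK")
```

Run it against the JSON you are about to paste into the console with expect_read_only set to True for the read-only variant. A non-empty result for the read-only document means an action slipped in that lets the RAM user change something; a result mentioning ram:CreateServiceLinkedRole means the ram:ServiceName Condition is missing and the user could create service-linked roles for any service.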