All Products
Search

This Product

    Simple Log Service:Grant a RAM user the permissions to use the Scheduled SQL feature

    Document Center

    Simple Log Service:Grant a RAM user the permissions to use the Scheduled SQL feature

    Last Updated:Dec 19, 2024

    This topic describes how to grant a RAM user the permissions to use the Scheduled SQL feature.

    Prerequisites

    A RAM user is created. For more information, see Create a RAM user.

    Procedure

    1. Log on to the RAM console by using you Alibaba Cloud account or a RAM user who has administrative rights.

    2. Create a custom policy.

      On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.

      Important

      • Replace ProjectName and LogstoreName in the script based on your actual situation.

      • If you want to use a RAM user to configure alert rules for Scheduled SQL jobs, you must grant the RAM user the permissions to manage alerts. For more information, see Authorize a RAM user to manage alerts.

      • Logstores that are displayed in a policy can also be metricstores. If you want to manage metricstores, the following policy also applies. 

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetJobInstance",
        "log:ModifyJobInstance",
        "log:ModifyJobInstanceState",
        "log:ListJobInstances"
      ],
      "Resource": "acs:log:*:*:project/ProjectName/job/*/jobinstance/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListJobs",
        "log:GetJob",
        "log:CreateJob",
        "log:UpdateJob",
        "log:DeleteJob"
      ],
      "Resource": "acs:log:*:*:project/ProjectName/job/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores",
        "log:ListSavedSearch",
        "log:ListDashboard"
      ],
      "Resource": "acs:log:*:*:project/ProjectName/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStore",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs"
      ],
      "Resource": "acs:log:*:*:project/ProjectName/logstore/LogstoreName"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:PassRole",
        "ram:GetRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*/dashboard/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateProject"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*"
      ]
    }
  ]
}

    3. Add the created custom policy to the RAM user. For more information, see Grant permissions to a RAM user.