If you use a Resource Access Management (RAM) user to perform operations on the new version of Log Audit Service, you must use your Alibaba Cloud account to grant the required permissions to the RAM user.
Procedure
Log on to the RAM console.
Create a custom policy.
In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy.
On the page that appears, click the JSON tab, replace the existing script in the code editor with the following content, and then click Next to edit policy information.
Read-only permissions
{
  "Statement": [
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:ListTagResources",
        "log:ListMachineGroup",
        "log:GetAppliedMachineGroups",
        "log:GetLogtailPipelineConfig",
        "log:ListConfig",
        "log:ListMachines",
        "log:GetProjectLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/machinegroup/*",
        "acs:log:*:*:project/*/logtailconfig/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListCollectionPolicies",
        "log:GetCollectionPolicy"
      ],
      "Resource": "acs:log::*:collectionpolicy/*",
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Read and write permissions
{
  "Statement": [
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:CreateProject",
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:ListLogStores",
        "log:GetLogStore",
        "log:GetLogStoreLogs",
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard",
        "log:UpdateLogStore",
        "log:GetProjectLogs",
        "log:ListTagResources",
        "log:TagResources",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:GetAppliedMachineGroups",
        "log:ListConfig",
        "log:CreateLogtailPipelineConfig",
        "log:UpdateLogtailPipelineConfig",
        "log:GetLogtailPipelineConfig",
        "log:DeleteLogtailPipelineConfig"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/machinegroup/*",
        "acs:log:*:*:project/*/logtailconfig/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListCollectionPolicies",
        "log:GetCollectionPolicy",
        "log:UpsertCollectionPolicy",
        "log:DeleteCollectionPolicy"
      ],
      "Resource": "acs:log::*:collectionpolicy/*",
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Enter the policy name and click OK.
Attach the custom policy to your RAM user.
In the left-side navigation pane, choose Identities > Users. On the page that appears, find the RAM user and click Add Permissions in the Actions column.
In the panel that appears, go to the Policy section, select Custom Policy from the drop-down list, select the custom policy that you created, and then click Grant permissions.
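Before you paste a policy that is meant to be read-only into the RAM console, you can check that it grants only Get and List actions. The following is an added example, not Alibaba Cloud code; the function names, the Get/List rule, and the DRIFTED sample are assumptions of the example.

```python
# Added example: flag non-read actions in a RAM policy meant to be read-only.
READ_PREFIXES = ("Get", "List")  # assumption: read verbs, per the actions above

def _as_list(value):
    """Action may be a single string or a list, as in the policies above."""
    return [value] if isinstance(value, str) else list(value)

def granted_actions(policy):
    """Collect every action granted by an Allow statement."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def write_actions(policy):
    """Return allowed actions that are wildcards or do not start with Get/List."""
    flagged = set()
    for action in granted_actions(policy):
        verb = action.split(":", 1)[-1]
        if "*" in verb or not verb.startswith(READ_PREFIXES):
            flagged.add(action)
    return sorted(flagged)

# Abbreviated excerpt of the read-only policy above (same statement shapes).
READ_ONLY = {
    "Statement": [
        {"Action": ["log:GetLogStore", "log:ListLogStores", "log:GetLogStoreLogs"],
         "Resource": ["acs:log:*:*:project/*/logstore/*"], "Effect": "Allow"},
        {"Action": ["log:ListCollectionPolicies", "log:GetCollectionPolicy"],
         "Resource": "acs:log::*:collectionpolicy/*", "Effect": "Allow"},
        {"Action": "log:ListProject",
         "Resource": "acs:log:*:*:project/*", "Effect": "Allow"},
    ],
    "Version": "1",
}

# Constructed sample: the same policy after write actions have crept in.
DRIFTED = {
    "Statement": READ_ONLY["Statement"] + [
        {"Action": ["log:DeleteCollectionPolicy", "log:*"],
         "Resource": "acs:log::*:collectionpolicy/*", "Effect": "Allow"},
        {"Action": "log:UpdateIndex", "Resource": "*", "Effect": "Deny"},
    ],
    "Version": "1",
}

if __name__ == "__main__":
    print("read-only:", write_actions(READ_ONLY))
    print("drifted:  ", write_actions(DRIFTED))
```

An empty result means that every allowed action in the policy is a Get or List action. Deny statements are ignored because they grant nothing.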
References
After you create a rule in Log Audit Service, Log Audit Service automatically creates the AliyunServiceRoleForSLSAudit service-linked role within the current account. If a resource directory is enabled for the account, Log Audit Service also creates the role within each member of the resource directory. Log Audit Service can assume the role to read data from other cloud services. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.