Simple Log Service: Grant a RAM user the permissions to use the new version of Log Audit Service

Last Updated: Dec 19, 2024

If you use a Resource Access Management (RAM) user to perform operations on the new version of Log Audit Service, you must grant the required permissions to the RAM user.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy. On the JSON tab, replace the existing contents in the editor with the following script. For more information, see Create a custom policy in script edit mode.

    Read-only permissions

    {
        "Statement": [
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:ListTagResources",
                    "log:ListMachineGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetLogtailPipelineConfig",
                    "log:ListConfig",
                    "log:ListMachines",
                    "log:GetProjectLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/machinegroup/*",
                    "acs:log:*:*:project/*/logtailconfig/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:ListCollectionPolicies",
                    "log:GetCollectionPolicy"
                ],
                "Resource": "acs:log::*:collectionpolicy/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }

    Read and write permissions

    {
        "Statement": [
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:CreateProject",
                    "log:CreateLogStore",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:CreateChart",
                    "log:UpdateDashboard",
                    "log:UpdateLogStore",
                    "log:GetProjectLogs",
                    "log:ListTagResources",
                    "log:TagResources",
                    "log:ListMachineGroup",
                    "log:ListMachines",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:ListConfig",
                    "log:CreateLogtailPipelineConfig",
                    "log:UpdateLogtailPipelineConfig",
                    "log:GetLogtailPipelineConfig",
                    "log:DeleteLogtailPipelineConfig"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/machinegroup/*",
                    "acs:log:*:*:project/*/logtailconfig/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:ListCollectionPolicies",
                    "log:GetCollectionPolicy",
                    "log:UpsertCollectionPolicy",
                    "log:DeleteCollectionPolicy"
                ],
                "Resource": "acs:log::*:collectionpolicy/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }

  3. Add the created custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
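
Before a policy is attached in step 3, the document can be checked to confirm that it grants what its label says. The following Python check is an added example, not part of the original documentation or of any Alibaba Cloud tool; audit_policy, READ_PREFIXES and SAMPLE are hypothetical names, and treating only Get*/List* actions as read actions is an assumption based on the read-only policy above.

```python
import json
from collections import Counter

# Assumption: SLS read actions are the ones named Get*/List*, as in the
# read-only policy above; every other action is treated as mutating.
READ_PREFIXES = ("Get", "List")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Summarise what the Allow statements of a RAM policy document grant."""
    mutating, duplicates, all_projects = set(), set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action, count in Counter(actions).items():
            if count > 1:
                duplicates.add(action)
            # "log:GetIndex" -> "GetIndex"; a bare "*" or "log:*" counts as mutating
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                mutating.add(action)
        for resource in _as_list(stmt.get("Resource", [])):
            # ARN layout: acs:log:<region>:<account>:<path>
            if resource.split(":", 4)[-1].startswith("project/*"):
                all_projects.add(resource)
    return {"mutating": sorted(mutating), "duplicates": sorted(duplicates),
            "all_projects": sorted(all_projects)}

# Constructed sample modelled on the read and write policy, with two actions
# listed twice on purpose to exercise the duplicate check.
SAMPLE = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["log:GetLogStore", "log:ListLogStores", "log:CreateLogStore",
              "log:UpdateIndex", "log:ListLogStores", "log:GetLogStore",
              "log:DeleteLogtailPipelineConfig"],
   "Resource": ["acs:log:*:*:project/*/logstore/*",
                "acs:log:*:*:project/*/logtailconfig/*"]},
  {"Effect": "Allow",
   "Action": ["log:GetCollectionPolicy", "log:UpsertCollectionPolicy"],
   "Resource": "acs:log::*:collectionpolicy/*"},
  {"Effect": "Allow", "Action": "log:ListProject",
   "Resource": "acs:log:*:*:project/*"}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE), indent=2))
```

A policy intended as read-only should come back with an empty "mutating" list; the "all_projects" list shows which resource patterns apply to every project in the account.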

References

After you create a rule in Log Audit Service, Log Audit Service automatically creates the AliyunServiceRoleForSLSAudit service-linked role within the current account. If a resource directory is enabled for the account, Log Audit Service also creates the role within each member of the resource directory. Log Audit Service can assume the role to read data from other cloud services. For more information, see Manage the AliyunServiceRoleForSLSAudit service-linked role.