This topic describes how to authorize a Resource Access Management (RAM) user to manage alerts. After the authorization is complete, you can create an alert rule to monitor data across projects, regions, or Alibaba Cloud accounts.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Grant the read-only permissions on alerts to the RAM user
Method 1: Attach a system policy to the RAM user
Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogReadOnlyAccess policy to the RAM user. This policy grants the read-only permissions on alerts. For more information, see Grant permissions to a RAM user.
Method 2: Create a custom policy and attach the custom policy to the RAM user
Log on to the RAM console by using your Alibaba Cloud account.
Create a custom policy.
In the left-side navigation pane, open the Policies page. On the Policies page, click Create Policy.
On the page that appears, click the JSON tab, replace the existing script in the code editor with the following content, and then click Next to edit policy information.
Note: Project name specifies the project whose alerts you want to grant the read-only permissions on. Replace the variable with an actual project name.
sls-alert-* specifies all projects to which the global alert center belongs within your Alibaba Cloud account. The projects store the data of alerts within your Alibaba Cloud account. The data includes the evaluation data for each alert rule, stored logs, and global reports that are related to alerts. If you do not need to view the global reports, you can delete acs:log:*:*:project/sls-alert-*/* from the resource list.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["log:GetLogStore"],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/internal-alert-history",
        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["log:GetJob", "log:ListJobs"],
      "Resource": "acs:log:*:*:project/Project name/job/*"
    },
    {
      "Effect": "Allow",
      "Action": ["log:GetProject"],
      "Resource": ["acs:log:*:*:project/sls-alert-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStoreLogs",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetDashboard",
        "log:ListDashboard"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/*",
        "acs:log:*:*:project/sls-alert-*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetResource",
        "log:ListResources",
        "log:GetResourceRecord",
        "log:ListResourceRecords"
      ],
      "Resource": ["acs:log:*:*:resource/*"]
    }
  ]
}
On the Create Policy page, configure the Name parameter and click OK.
Grant permissions to the RAM user.
In the left-side navigation pane, open the Users page. On the Users page, find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permission.
Grant the management permissions on alerts to the RAM user
Method 1: Attach a system policy to the RAM user
Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogFullAccess policy to the RAM user. This policy grants the management permissions on Simple Log Service. For more information, see Grant permissions to a RAM user.
Method 2: Create a custom policy and attach the custom policy to the RAM user
Log on to the RAM console by using your Alibaba Cloud account.
Create a custom policy.
In the left-side navigation pane, open the Policies page. On the Policies page, click Create Policy.
On the page that appears, click the JSON tab, replace the existing script in the code editor with the following content, and then click Next to edit policy information.
Note: Project name specifies the project whose alerts you want to grant the management permissions on. Replace the variable with an actual project name.
sls-alert-* specifies all projects to which the global alert center belongs within your Alibaba Cloud account. The projects store the data of alerts within your Alibaba Cloud account. The data includes the evaluation data for each alert rule, stored logs, and global reports that are related to alerts. If you want to authorize a RAM user to manage only one project to which the global alert center belongs, you must set sls-alert-* to the name of the project in the sls-alert-${uid}-${region} format. Example: sls-alert-148****6461-cn-hangzhou.
If you want to use a RAM user to manage alert-related system Logstores, such as Logstores that store historical alerts and Logstores to which the global alert center belongs, you must grant the RAM user the permissions to create Logstores, create indexes, and update indexes. Then, you can use the RAM user to view alert-related reports such as Alert History.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStore",
        "log:UpdateLogStore",
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/internal-alert-history",
        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["log:*"],
      "Resource": "acs:log:*:*:project/Project name/job/*"
    },
    {
      "Effect": "Allow",
      "Action": ["log:GetProject", "log:CreateProject"],
      "Resource": ["acs:log:*:*:project/sls-alert-*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStoreLogs",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetDashboard",
        "log:CreateDashboard",
        "log:UpdateDashboard",
        "log:ListDashboard"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/*",
        "acs:log:*:*:project/sls-alert-*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["log:*"],
      "Resource": ["acs:log:*:*:resource/*"]
    }
  ]
}
On the Create Policy page, configure the Name parameter and click OK.
Grant permissions to the RAM user.
In the left-side navigation pane, open the Users page. On the Users page, find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permission.
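As an added example that is not part of this page or of Alibaba Cloud's own tooling, the following Python fills the placeholders in the read-only alert policy above (the management policy uses the same placeholders and renders the same way), optionally pins sls-alert-* to one alert-center project or drops the global-report resource as the notes describe, and then checks the rendered policy offline. The Allow-only glob matcher is an assumption that approximates RAM's evaluation and is only meant for sanity-checking the resource scoping before you attach the policy.

```python
import fnmatch
import json

# Constructed copy of the page's read-only alert policy, kept as a template;
# the management policy has the same placeholders and renders the same way.
READ_ONLY_TEMPLATE = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["log:GetLogStore"],
   "Resource": ["acs:log:*:*:project/Project name/logstore/internal-alert-history",
                "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"]},
  {"Effect": "Allow", "Action": ["log:GetJob", "log:ListJobs"],
   "Resource": "acs:log:*:*:project/Project name/job/*"},
  {"Effect": "Allow", "Action": ["log:GetProject"],
   "Resource": ["acs:log:*:*:project/sls-alert-*"]},
  {"Effect": "Allow", "Action": ["log:GetLogStoreLogs", "log:ListLogStores", "log:GetIndex",
                                 "log:GetDashboard", "log:ListDashboard"],
   "Resource": ["acs:log:*:*:project/Project name/*", "acs:log:*:*:project/sls-alert-*/*"]},
  {"Effect": "Allow", "Action": ["log:GetResource", "log:ListResources",
                                 "log:GetResourceRecord", "log:ListResourceRecords"],
   "Resource": ["acs:log:*:*:resource/*"]}]}"""

GLOBAL_REPORTS = "acs:log:*:*:project/sls-alert-*/*"  # resource the page says you may drop

def render_policy(template, project, uid=None, region=None, global_reports=True):
    """Fill the page's placeholders: 'Project name' -> project; optionally pin
    sls-alert-* to one alert-center project (sls-alert-<uid>-<region>) and/or
    drop the global-report resource, as the page's notes describe."""
    policy = json.loads(template)
    center = f"sls-alert-{uid}-{region}" if uid and region else "sls-alert-*"
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        res = [res] if isinstance(res, str) else list(res)
        if not global_reports:
            res = [r for r in res if r != GLOBAL_REPORTS]
        stmt["Resource"] = [r.replace("Project name", project)
                             .replace("sls-alert-*", center) for r in res]
    return policy

def is_allowed(policy, action, resource):
    """Minimal Allow-only matcher for checking a rendered policy offline; '*' is
    a glob (assumption: a simplification of RAM's evaluator, which also has Deny)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in acts) and \
           any(fnmatch.fnmatchcase(resource, r) for r in ress):
            return True
    return False
```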
Create alert rules to monitor data across projects
Configure authorization
If you want to use a RAM user to create alert rules to monitor data, you must use your Alibaba Cloud account to grant the management permissions on alerts to the RAM user. For more information, see Authorize a RAM user to manage alerts.
Specify a query statement. For more information, see Create an alert rule.
Configure authorization. The following table describes the authorization methods that you can use.
Authorization method: Description
Use the default authorization method: If you use an alert rule that is configured for a project to monitor data in different Logstores and Metricstores of the project, you can use the default authorization method.
Use a built-in role: If you use an alert rule that is configured for a project to monitor data in the Logstores and Metricstores of a different project within the same Alibaba Cloud account, you can assign a built-in role to Simple Log Service.
Use a custom role: If you use an alert rule that is configured for projects across Alibaba Cloud accounts to monitor data in the Logstores and Metricstores of the projects, you can assign a custom role to Simple Log Service.
Procedure
Use the default authorization method
On the Advanced Settings tab, select Default from the Authorization drop-down list.
Use a built-in role
On the Advanced Settings tab, select Built-in Role from the Authorization drop-down list. If this is the first time that you configure authorization, you must use an Alibaba Cloud account to complete authorization on the Cloud Resource Access Authorization page. After the authorization is complete, Simple Log Service creates a RAM role named AliyunSLSAlertMonitorRole. Then, Simple Log Service can assume the RAM role to read data from the specified Logstores.
Use a custom role (within an Alibaba Cloud account)
If you use an alert rule to monitor data in different Logstores and Metricstores across multiple projects within an Alibaba Cloud account, you can assign a custom role to Simple Log Service.
Use an Alibaba Cloud account to perform the following steps:
Create a RAM role whose trusted entity is Simple Log Service.
Create a custom policy on the JSON tab.
In the code editor, enter the following policy document. Replace the project name with an actual value. You can modify the custom policy to grant fine-grained permissions to the RAM role. For example, if you want to grant the role the permissions to create an alert rule only in a specific project, you can specify the project in the Resource element of the custom policy. Example: acs:log:*:*:project/my-project.
{
  "Statement": [
    {
      "Action": ["log:ListProject"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:*"]
    },
    {
      "Action": ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:project/Project name/*"]
    }
  ],
  "Version": "1"
}
Attach the custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.
Enter the ARN of the RAM role to assign the role to Simple Log Service.
Use a custom role (across multiple Alibaba Cloud accounts)
If you use an alert rule to monitor data in different Logstores and Metricstores across multiple Alibaba Cloud accounts, you can assign a custom role to Simple Log Service. For example, you can use Alibaba Cloud Account A to create an alert rule and use the alert rule to monitor data in the Logstores and Metricstores of Alibaba Cloud Account B.
Use an Alibaba Cloud account to perform the following steps:
Create a RAM role whose trusted entity is Simple Log Service.
Modify the trust policy of the RAM role. You can modify the trust policy of the RAM role based on the following policy document. Replace the ID of Alibaba Cloud Account A with an actual value. You can view the ID of your Alibaba Cloud account in the account center.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ID of Alibaba Cloud Account A@log.aliyuncs.com",
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Create a custom policy on the JSON tab.
Replace the content in the code editor with the following policy document. Replace the project name with an actual value. You can modify the custom policy to grant fine-grained permissions to the RAM role. For example, if you want to grant the role the permissions to create an alert rule only in a specific project, you can specify the project in the Resource element of the custom policy. Example: acs:log:*:*:project/my-project.
{
  "Statement": [
    {
      "Action": ["log:ListProject"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:*"]
    },
    {
      "Action": ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:project/Project name/*"]
    }
  ],
  "Version": "1"
}
Attach the custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
Enter the ARN of the RAM role to assign the role to Simple Log Service.
Grant permissions to a RAM user
If you want to monitor data across projects, regions, or Alibaba Cloud accounts based on an alert rule by using a RAM user, the RAM user must have permissions to query data in the required Logstores or Metricstores. In this case, you must use your Alibaba Cloud account to attach the following policy to the RAM user. This policy grants the RAM user the permissions to assume the required RAM role. For more information, see Grant permissions to a RAM user.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
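The PassRole grant above uses "Resource": "*", which lets the RAM user pass any role in the account to a service, not only the alert role. As an added example that is not from this page or from Alibaba Cloud's own tooling, the following Python builds the cross-account trust policy from the previous section, a PassRole policy narrowed to the one alert role, and a check that flags the unscoped form; the role ARN shape acs:ram::<account-id>:role/<name> is an assumption.

```python
import re

# Assumed RAM role ARN shape (assumption, not from the page): acs:ram::<account-id>:role/<name>
ROLE_ARN = re.compile(r"^acs:ram::(\d+):role/[A-Za-z0-9._-]+$")

def trust_policy_for_sls(account_a_id):
    """Trust policy from the page for the cross-account case: the role in Account B
    may be assumed by Simple Log Service acting for Account A."""
    if not account_a_id.isdigit():
        raise ValueError("Alibaba Cloud account ID must be numeric")
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": [f"{account_a_id}@log.aliyuncs.com",
                                                     "log.aliyuncs.com"]}}],
            "Version": "1"}

def pass_role_policy(role_arn):
    """The page's ram:PassRole grant, narrowed from Resource "*" to one role ARN."""
    if not ROLE_ARN.match(role_arn):
        raise ValueError(f"not a RAM role ARN: {role_arn}")
    return {"Version": "1", "Statement": [{"Action": "ram:PassRole", "Effect": "Allow",
                                            "Resource": role_arn}]}

def unscoped_pass_role(policy):
    """Return True if an Allow statement grants ram:PassRole on every role (Resource "*"),
    i.e. the user may pass any role in the account rather than just the alert role."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and "*" in ress and \
           any(a in ("ram:PassRole", "ram:*", "*") for a in acts):
            return True
    return False
```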