To monitor data across projects, regions, or Alibaba Cloud accounts using an alert rule, Simple Log Service must assume a Resource Access Management (RAM) role to access the necessary Logstores or Metricstores. You must therefore grant the appropriate permissions to the RAM role.
Scenarios
| Authorization method | Applicable scenarios |
| --- | --- |
| Default | If you use an alert rule that is configured for a project to monitor data in different Logstores and Metricstores of the same project, you can use the default authorization method. |
| Built-in Role | If you use an alert rule that is configured for a project to monitor data in the Logstores and Metricstores of a different project within the same Alibaba Cloud account, you can assign a built-in role to Simple Log Service. |
| Custom Role | If you use an alert rule to monitor data across Alibaba Cloud accounts, you can assign a custom role to Simple Log Service. In this case, you can grant fine-grained permissions to the RAM role. |
Step 1: Configure authorization
Specify a query statement. For more information, see Create an Alert Rule.
Configure an authorization method.
Default authorization
For monitoring data within the same project using an alert rule, the Default authorization method is suitable.
In the Advanced Configuration tab, set the Authorization Method to Default.
Built-in role authorization
For monitoring data in different projects within the same Alibaba Cloud account, assign the Built-in Role to Simple Log Service.
In the Advanced Configuration tab, set the Authorization Method to Built-in Role. If this is the first time you are configuring this, use the Alibaba Cloud account to complete the authorization as prompted on the page. After authorization, Simple Log Service creates a RAM role named AliyunSLSAlertMonitorRole and assumes it to read data from the source Logstore.
Custom role authorization (within an account)
For monitoring data across multiple Alibaba Cloud accounts, assign a Custom Role to Simple Log Service.
Create a RAM role with Alibaba Cloud Service as the trusted entity and select Simple Log Service as the trusted service.
Create a custom policy. On the JSON tab, replace the existing contents in the editor with the following script. For more information, see Create a custom policy in script edit mode.
Important: Adjust the project name as needed. For more granular permissions, such as authorizing only a specific project, include the project in the Resource field of the policy, like acs:log:*:*:project/my-project.
{
  "Statement": [
    {
      "Action": ["log:ListProject"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:*"]
    },
    {
      "Action": ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:project/ProjectName/*"]
    }
  ],
  "Version": "1"
}
Add the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
What to do next
Obtain the ARN of the RAM role. For more information, see View a RAM role.
When you select Custom Role authorization, enter the ARN of the RAM role. For details, see Create Alerting and Monitoring System Rule.
Custom role authorization (across accounts)
For monitoring data in different Logstores and Metricstores across multiple Alibaba Cloud accounts, assign a custom role to Simple Log Service. For instance, create an alert rule in Alibaba Cloud Account A to monitor data in Alibaba Cloud Account B's Logstores and Metricstores.
In Alibaba Cloud Account B, perform the following:
Create a RAM role with Alibaba Cloud Service as the trusted entity and select Simple Log Service as the trusted service.
Modify the RAM role's trust policy. For details, see Modify the Trust Policy of the RAM Role.
Important: Substitute the actual ID of Alibaba Cloud Account A. The Alibaba Cloud account ID can be found in the Account Center.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ID of Alibaba Cloud Account A@log.aliyuncs.com",
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Create a custom policy. On the JSON tab, replace the existing contents in the editor with the following script. For more information, see Create a custom policy in script edit mode.
Important: Replace the script content accordingly and adjust the project name as needed. For more granular permissions, such as authorizing only a specific project, include the project in the Resource field of the policy, like acs:log:*:*:project/my-project.
{
  "Statement": [
    {
      "Action": ["log:ListProject"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:*"]
    },
    {
      "Action": ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"],
      "Effect": "Allow",
      "Resource": ["acs:log:*:*:project/ProjectName/*"]
    }
  ],
  "Version": "1"
}
Add the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
Obtain the ARN of the RAM role. For more information, see View a RAM role.
What to do next
In Alibaba Cloud Account A, create an alert using Custom Role authorization with the Role ARN from the RAM role in Alibaba Cloud Account B. For more information, see Create Alerting and Monitoring Rules.
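The within-account and cross-account custom-role setups above share the same read policy and differ only in the trust policy. As an added example that is not part of this documentation, the following Python builds both documents for a given account ID and project name and, going slightly beyond the page, flags any statement that allows a data-read action on a resource that is not scoped to a single project. The account ID and project name are constructed placeholders.

```python
import re

# Constructed placeholder values; substitute your own account ID and project name.
ACCOUNT_A_ID = "123456789012345678"   # hypothetical ID of Alibaba Cloud Account A
PROJECT = "my-project"

# Actions from the page's custom policy. The data-read actions must stay project-scoped.
LIST_ACTIONS = ["log:ListProject"]
READ_ACTIONS = ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"]
# A resource is project-scoped when it names one concrete project (no '*' in its name).
SCOPED_RESOURCE = re.compile(r"acs:log:[^:]*:[^:]*:project/[^/*]+/.*")


def trust_policy(trusting_account_id: str) -> dict:
    """Trust policy for the role in Account B: SLS acting for Account A may assume it."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{trusting_account_id}@log.aliyuncs.com",
                                      "log.aliyuncs.com"]},
        }],
        "Version": "1",
    }


def read_policy(project: str) -> dict:
    """Custom policy: list projects anywhere, read data only inside one project."""
    return {
        "Statement": [
            {"Action": LIST_ACTIONS, "Effect": "Allow", "Resource": ["acs:log:*:*:*"]},
            {"Action": READ_ACTIONS, "Effect": "Allow",
             "Resource": [f"acs:log:*:*:project/{project}/*"]},
        ],
        "Version": "1",
    }


def overly_broad_statements(policy: dict) -> list:
    """Return (actions, resource) pairs where a data-read action is allowed unscoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a in READ_ACTIONS or a == "log:*" for a in actions):
            findings.extend((actions, r) for r in resources if not SCOPED_RESOURCE.fullmatch(r))
    return findings
```

Run `overly_broad_statements` over a policy before attaching it to the role; an empty list means every read action is confined to one project.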
Step 2: Grant permissions to the RAM users
After configuring the Built-in Role or Custom Role, grant the necessary permissions to RAM users to query Metricstores or Logstores by adding the following permission policy using the Alibaba Cloud account. For guidance on granting permissions to RAM users, see Grant Permissions to RAM Users.
{
"Action": "ram:PassRole",
"Effect": "Allow",
"Resource": "acs:ram::ID of Alibaba Cloud Account:Role ARN"
}