All Products
Search

This Product

    Simple Log Service:Grant permissions to write alerts to an Eventstore

    Document Center

    Simple Log Service:Grant permissions to write alerts to an Eventstore

    Last Updated:Dec 22, 2024

    Simple Log Service can write alerts to an Eventstore only after Simple Log Service is granted the required permissions. This topic describes how to do so by using the default role or a custom role.

    When you configure an alert monitoring rule, you must grant the required permissions to Simple Log Service after you select Eventstore for Destination and turn on Enable.

    Default role

    If you select Default Role for Authorization Method, you must perform the following operations:

    1. Click Authorize. Then, you are navigated to the authorization page. Complete the authorization as prompted.

    2. After the authorization is complete, click After authorization, click Refresh to refresh the page. The system displays the role information.

    Custom role

    If you select Custom Role for Authorization Method, you must perform the following operations in the Resource Access Management (RAM) console.

    1. Log on to the RAM console by using you Alibaba Cloud account or a RAM user who has administrative rights.

    2. Create a custom policy. On the JSON tab, replace the existing contents in the editor with the following script. For more information, see Create a custom policy in script edit mode.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "log:PostLogStoreLogs",
      "Resource": "*"
    }
  ]
}

    3. Create a RAM role that Alibaba Cloud services need to assume. For more information, see Create a RAM role with Alibaba Cloud service as a trusted entity.

      Important

      • When you create a RAM role, you must select Trusted Entity Type as Alibaba Cloud Service and select Trusted Service as Log Service.

      • Check the trust policy of the role as follows. The Service content must at least include "log.aliyuncs.com".

        {
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

    4. Add the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.

    What to do next

    Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View a RAM role.When you create an alert rule, select Custom Role for Authorization Method and enter the role's ARN.