
Simple Log Service: Authorize a RAM user to operate CloudLens for RDS

Last Updated: Dec 20, 2024

This topic describes how to grant the operation permissions on CloudLens for RDS to a Resource Access Management (RAM) user.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can grant the operation permissions on CloudLens for RDS to a RAM user in one of the following methods:

  • Simple mode: Attach the system policy, which grants all permissions on Simple Log Service, to the RAM user. The policy document cannot be modified, and no parameters need to be configured.

  • Custom mode: Create custom policies and attach them to the RAM user. This mode allows fine-grained access control but requires more configuration.

System policy

Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights. Attach the AliyunLogFullAccess policy to your RAM user. This way, the RAM user has all permissions on Simple Log Service. For more information, see Grant permissions to a RAM user.

Custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a policy.

    You can grant the read-only permissions or the read and write permissions on CloudLens for RDS to a RAM user.

    Read-only permissions

    The RAM user can only view the pages of CloudLens for RDS.

    On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.

    {
        "Statement": [
            {
                "Action": [
                    "rds:DescribeSqlLogInstances"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:GetProjectLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "log:GetProductDataCollection",
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:rds:*:*:dbinstance/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }

    Read and write permissions

    The RAM user can perform all operations that are supported by CloudLens for RDS.

    On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.

    {
        "Statement": [
            {
                "Action": [
                    "rds:DescribeSqlLogInstances",
                    "rds:DisableSqlLogDistribution",
                    "rds:EnableSqlLogDistribution",
                    "rds:ModifySQLCollectorPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:GetLogStore",
                    "log:CreateProject",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:CreateLogStore",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:CreateChart",
                    "log:UpdateDashboard",
                    "log:UpdateLogStore",
                    "log:GetProjectLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:GetProductDataCollection",
                    "log:OpenProductDataCollection",
                    "log:CloseProductDataCollection"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:rds:*:*:dbinstance/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:SetGeneralDataAccessConfig"
                ],
                "Resource": [
                    "acs:log:*:*:resource/sls.general_data_access.rds.global_conf.*/record"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": [
                            "audit.log.aliyuncs.com",
                            "rds.aliyuncs.com"
                        ]
                    }
                }
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }

  3. Add the created custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
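A small pre-flight check for two defects that are easy to introduce when hand-editing policy documents like the ones above (an action listed more than once, and the same key repeated inside a Condition object, which a JSON parser silently collapses to a single value), plus a least-privilege sweep that lists every state-changing action so a policy intended as read-only can be confirmed to grant none. This is an added example, not Alibaba Cloud code; the sample policy and the verb list are constructed assumptions.

```python
import json
import re
from collections import Counter

# Assumed list of verbs that change state; a read-only policy should grant none of them.
WRITE_VERB = re.compile(r"^[a-z]+:(Create|Update|Delete|Modify|Enable|Disable|Open|Close|Set)")


def _pairs_hook(pairs, dups):
    """json object hook that records keys repeated within a single JSON object."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dict(pairs)


def check_policy(text):
    """Return the defects found in a RAM policy document given as JSON text."""
    dups = []
    policy = json.loads(text, object_pairs_hook=lambda p: _pairs_hook(p, dups))
    actions = []
    for stmt in policy["Statement"]:
        act = stmt["Action"]                       # a single string or a list
        actions.extend([act] if isinstance(act, str) else act)
    counts = Counter(actions)
    return {
        "duplicate_keys": sorted(set(dups)),
        "duplicate_actions": sorted(a for a, n in counts.items() if n > 1),
        "write_actions": sorted(a for a in counts if WRITE_VERB.match(a)),
    }


# Constructed sample (not from the page): a trimmed policy that repeats one action
# and repeats the ram:ServiceName key instead of giving it a list of values.
SAMPLE_POLICY = """{
  "Statement": [
    {"Action": ["log:GetLogStore", "log:ListLogStores", "log:GetLogStore"],
     "Resource": "acs:log:*:*:project/*/logstore/*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "audit.log.aliyuncs.com",
                                    "ram:ServiceName": "rds.aliyuncs.com"}}}
  ],
  "Version": "1"
}"""

if __name__ == "__main__":
    print(json.dumps(check_policy(SAMPLE_POLICY), indent=2))
```

Run it against a policy before pasting it into the JSON tab; an empty write_actions list is what a read-only policy should produce.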