This topic describes how to grant the operation permissions on CloudLens for RDS to a Resource Access Management (RAM) user.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Background information
You can grant the operation permissions on CloudLens for RDS to a RAM user in one of the following modes:
Simple mode: You can grant all permissions on Simple Log Service to the RAM user. You cannot modify the policy document. You do not need to configure parameters.
Custom mode: You can create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, this mode requires complex configurations.
Simple mode
Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogFullAccess and AliyunRAMFullAccess policies to your RAM user. This way, the RAM user has all permissions on Simple Log Service. For more information, see Grant permissions to a RAM user.
Custom mode
Log on to the RAM console by using your Alibaba Cloud account.
Create a policy.
In the left-side navigation pane, choose
.On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab, replace the existing script in the code editor with one of the following policy documents, and then click Next to edit policy information.
You can grant the read-only permissions or the read and write permissions on CloudLens for RDS to a RAM user.
Read-only permissions: The RAM user can only view the pages of CloudLens for RDS.
{
  "Statement": [
    {
      "Action": [
        "rds:DescribeSqlLogInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:GetProjectLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "log:GetProductDataCollection",
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:rds:*:*:dbinstance/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Read and write permissions: The RAM user can perform all operations that are supported by CloudLens for RDS.
{
  "Statement": [
    {
      "Action": [
        "rds:DescribeSqlLogInstances",
        "rds:DisableSqlLogDistribution",
        "rds:EnableSqlLogDistribution",
        "rds:ModifySQLCollectorPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetLogStore",
        "log:CreateProject",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard",
        "log:UpdateLogStore",
        "log:GetProjectLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetProductDataCollection",
        "log:OpenProductDataCollection",
        "log:CloseProductDataCollection"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:rds:*:*:dbinstance/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:SetGeneralDataAccessConfig"
      ],
      "Resource": [
        "acs:log:*:*:resource/sls.general_data_access.rds.global_conf.*/record"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "audit.log.aliyuncs.com",
            "rds.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Configure the Name parameter and click OK.
In this example, set the policy name to log-rds-policy.
Grant permissions to the RAM user.
In the left-side navigation pane, choose
.On the Users page, find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.
In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permission.
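A custom policy can be checked before it is pasted into the JSON tab in the Create a policy step. The following added example (not part of the original documentation or of any Alibaba Cloud tool) reports repeated keys inside an object such as a Condition block, actions listed twice, and Allow statements on Resource "*" that have no Condition. The function name lint_policy and the sample fragment are constructed for illustration, and how RAM itself resolves a repeated key is not stated on this page.

```python
import json

# Constructed sample in the shape of the policies above, with a repeated
# condition key, a repeated action and an unconditioned "*" resource planted.
SAMPLE_POLICY = """
{"Version": "1", "Statement": [
  {"Action": ["log:GetLogStore", "log:ListLogStores", "log:GetLogStore"],
   "Resource": "acs:log:*:*:project/*/logstore/*", "Effect": "Allow"},
  {"Action": "rds:DescribeSqlLogInstances", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {
     "ram:ServiceName": "audit.log.aliyuncs.com",
     "ram:ServiceName": "rds.aliyuncs.com"}}}
]}
"""

def lint_policy(text):
    """Return a list of findings for a RAM policy document given as JSON text."""
    findings = []

    def check_pairs(pairs):
        # Python's json module keeps only the last value of a repeated key,
        # so the repeat has to be caught here, while the object is being built.
        keys = [k for k, _ in pairs]
        for k in sorted({k for k in keys if keys.count(k) > 1}):
            findings.append(f"duplicate key {k!r}: a parser keeps only one value")
        return dict(pairs)

    policy = json.loads(text, object_pairs_hook=check_pairs)
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for a in sorted({a for a in actions if actions.count(a) > 1}):
            findings.append(f"statement {i}: action {a!r} listed more than once")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # A bare "*" with no Condition is the broadest grant a statement can make.
        if stmt.get("Effect") == "Allow" and "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {i}: Allow on Resource '*' with no Condition")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

A finding for a repeated condition key is resolved by giving the key a single array value that lists every intended entry.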