全部产品
Search
文档中心

日志服务:授予RAM用户操作CloudLens for SLS的权限

更新时间:Jun 26, 2024

本文介绍如何授予RAM用户操作CloudLens for SLS的权限。

前提条件

已创建RAM用户。具体操作,请参见创建RAM用户

背景信息

如果使用RAM用户操作CloudLens for SLS,必须先用阿里云主账号为RAM用户授予权限策略。权限策略包括以下两种:

  • 系统权限策略:权限范围较大,用户无法修改系统权限策略的内容,但配置步骤简单。

  • 自定义权限策略:权限范围更精细,用户可以修改自定义权限策略的内容,配置步骤比系统权限策略更复杂。

授予RAM用户系统权限策略

为RAM用户授予日志服务的只读权限AliyunLogReadOnlyAccess或管理权限AliyunLogFullAccess。授权的具体操作,请参见为RAM用户授权

授予RAM用户自定义权限策略

  1. 使用阿里云账号登录RAM控制台

  2. 创建权限策略。

    1. 在左侧导航栏中,选择权限管理 > 权限策略

    2. 单击创建权限策略

    3. 创建权限策略页面的脚本编辑页签中,将配置框中的原有脚本替换为如下内容,然后单击继续编辑基本信息

      您可以授予RAM用户使用CloudLens for SLS的只读权限或读写权限,具体权限策略说明如下:

      • 只读权限(只允许查看CloudLens for SLS中的各个页面。)

        {
            "Statement": [
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "log:GetProductDataCollection",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:ListCollectionPolicies"
                    ],
                    "Resource": "acs:log::*:collectionpolicy/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:ListProject",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                }
              
            ],
            "Version": "1"
        }
      • 读写权限(允许操作CloudLens for SLS中的各个功能。)

        {
            "Statement": [
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:CreateProject",
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:ListLogStores",
                        "log:GetLogStore",
                        "log:GetLogStoreLogs",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard",
                        "log:UpdateLogStore",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },        
                {
                    "Action": [
                        "log:GetProductDataCollection",
                        "log:OpenProductDataCollection",
                        "log:CloseProductDataCollection"
                    ],
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:SetGeneralDataAccessConfig",
                    "Resource": "acs:log:*:*:resource/sls.general_data_access.sls.global_conf.standard_channel/record",
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:CreateServiceLinkedRole",
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "ram:ServiceName": "audit.log.aliyuncs.com"              }
                    }
                },
                {
                    "Action": [
                        "log:ListCollectionPolicies",
                        "log:UpsertCollectionPolicy",
                        "log:DeleteCollectionPolicy"
                    ],
                    "Resource": "acs:log::*:collectionpolicy/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:ListProject",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                }
            ],
            "Version": "1"
        }
    4. 设置名称,然后单击确定

      例如设置策略名称为log-sls-policy

  3. 为RAM用户授权。

    1. 在左侧导航栏中,选择身份管理 > 用户

    2. 找到目标RAM用户,单击添加权限

    3. 新增授权面板的权限策略区域,在下拉列表选择自定义策略,然后选中您在步骤2中创建的权限策略,然后单击确认新增授权