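This topic describes how to grant a RAM user the permissions to manage Scheduled SQL.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Procedure
Log on to the RAM console with your Alibaba Cloud account (main account) or as a RAM administrator.
Create a custom policy. On the script editor tab, replace the existing content of the configuration box with the following script. For more information, see Create a custom policy in script editor mode.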
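Important: Replace Project名称 (the Project name) and Logstore名称 (the Logstore name) in the script with your actual values. If you want to use the RAM user to configure alerts for Scheduled SQL jobs, you must also grant the RAM user the permissions to manage alerts. For more information, see Grant a RAM user the permissions to manage alerts.
In the policy, Logstore covers both Logstores and MetricStores. The following policy also applies when the object you operate on is a MetricStore.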
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetJobInstance",
        "log:ModifyJobInstance",
        "log:ModifyJobInstanceState",
        "log:ListJobInstances"
      ],
      "Resource": "acs:log:*:*:project/Project名称/job/*/jobinstance/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListJobs",
        "log:GetJob",
        "log:CreateJob",
        "log:UpdateJob",
        "log:DeleteJob"
      ],
      "Resource": "acs:log:*:*:project/Project名称/job/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores",
        "log:ListSavedSearch",
        "log:ListDashboard"
      ],
      "Resource": "acs:log:*:*:project/Project名称/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStore",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs"
      ],
      "Resource": "acs:log:*:*:project/Project名称/logstore/Logstore名称"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:PassRole",
        "ram:GetRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*/dashboard/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateProject"
      ],
      "Resource": [
        "acs:log:*:*:project/sls-alert-*"
      ]
    }
  ]
}
Attach the custom policy that you created to the RAM user. For more information, see Grant permissions to a RAM user.
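The placeholder substitution from the policy step can be scripted and reviewed before the policy is pasted into the console. The following is an added example, not part of the original documentation: it fills in the two names, rejects values that would widen a resource scope, and lists the statements that are not confined to the named Project. The function names, the name pattern and the sample names are assumptions, and every Resource is written as a plain string.

```python
import json
import re

# Statements from the policy on this page as (actions, resource template);
# {p} / {l} stand for its Project名称 / Logstore名称 placeholders.
TEMPLATE = [
    (["log:GetJobInstance", "log:ModifyJobInstance", "log:ModifyJobInstanceState",
      "log:ListJobInstances"], "acs:log:*:*:project/{p}/job/*/jobinstance/*"),
    (["log:ListJobs", "log:GetJob", "log:CreateJob", "log:UpdateJob", "log:DeleteJob"],
     "acs:log:*:*:project/{p}/job/*"),
    (["log:ListLogStores", "log:ListSavedSearch", "log:ListDashboard"],
     "acs:log:*:*:project/{p}/*"),
    (["log:GetLogStore", "log:GetIndex", "log:GetLogStoreHistogram", "log:GetLogStoreLogs"],
     "acs:log:*:*:project/{p}/logstore/{l}"),
    (["ram:PassRole", "ram:GetRole", "ram:ListRoles"], "*"),
    (["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex"],
     "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"),
    (["log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard"],
     "acs:log:*:*:project/sls-alert-*/dashboard/*"),
    (["log:CreateProject"], "acs:log:*:*:project/sls-alert-*"),
]

# Assumption: a conservative name pattern chosen for this example. It rejects
# "*", "/" and ":" so a substituted value cannot widen a resource scope.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{1,62}")

def render_policy(project, logstore):
    """Fill the page's policy with real names; refuse unsafe values."""
    for label, value in (("project", project), ("logstore", logstore)):
        if not NAME_RE.fullmatch(value):
            raise ValueError(f"unsafe {label} name: {value!r}")
    statements = [{"Effect": "Allow", "Action": actions,
                   "Resource": resource.format(p=project, l=logstore)}
                  for actions, resource in TEMPLATE]
    return {"Version": "1", "Statement": statements}

def outside_project(policy, project):
    """Return (resource, actions) for statements not confined to `project`."""
    prefix = f":project/{project}/"
    return [(st["Resource"], st["Action"]) for st in policy["Statement"]
            if prefix not in st["Resource"]]

if __name__ == "__main__":
    policy = render_policy("my-project", "my-logstore")  # constructed sample names
    print(json.dumps(policy, indent=2))
    for resource, actions in outside_project(policy, "my-project"):
        print("outside project:", resource, actions)
```

For the policy on this page, the review list contains the `ram:*` statement on Resource `*` and the three statements on `sls-alert-*` Projects.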