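To operate the new version of Log Audit Service as a RAM user, you must first use your Alibaba Cloud account (main account) to grant the RAM user the required permission policy.
Procedure
Log on to the RAM console.
Create a custom policy.
In the left-side navigation pane, click Policies, and then click Create Policy.
On the Script Editor tab, replace the existing script in the editor with the following content, and then click Continue to Edit Basic Information.
Read-only permissions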
{
  "Statement": [
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:ListTagResources",
        "log:ListMachineGroup",
        "log:GetAppliedMachineGroups",
        "log:GetLogtailPipelineConfig",
        "log:ListConfig",
        "log:ListMachines",
        "log:GetProjectLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/machinegroup/*",
        "acs:log:*:*:project/*/logtailconfig/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListCollectionPolicies",
        "log:GetCollectionPolicy"
      ],
      "Resource": "acs:log::*:collectionpolicy/*",
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Read/write permissions
{
  "Statement": [
    {
      "Action": [
        "log:GetLogStore",
        "log:ListLogStores",
        "log:GetIndex",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreLogs",
        "log:GetDashboard",
        "log:ListDashboard",
        "log:ListSavedSearch",
        "log:CreateProject",
        "log:CreateLogStore",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:ListLogStores",
        "log:GetLogStore",
        "log:GetLogStoreLogs",
        "log:CreateDashboard",
        "log:CreateChart",
        "log:UpdateDashboard",
        "log:UpdateLogStore",
        "log:GetProjectLogs",
        "log:ListTagResources",
        "log:TagResources",
        "log:ListMachineGroup",
        "log:ListMachines",
        "log:ApplyConfigToGroup",
        "log:GetAppliedMachineGroups",
        "log:ListConfig",
        "log:CreateLogtailPipelineConfig",
        "log:UpdateLogtailPipelineConfig",
        "log:GetLogtailPipelineConfig",
        "log:DeleteLogtailPipelineConfig"
      ],
      "Resource": [
        "acs:log:*:*:project/*/logstore/*",
        "acs:log:*:*:project/*/dashboard/*",
        "acs:log:*:*:project/*/machinegroup/*",
        "acs:log:*:*:project/*/logtailconfig/*",
        "acs:log:*:*:project/*/savedsearch/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:ListCollectionPolicies",
        "log:GetCollectionPolicy",
        "log:UpsertCollectionPolicy",
        "log:DeleteCollectionPolicy"
      ],
      "Resource": "acs:log::*:collectionpolicy/*",
      "Effect": "Allow"
    },
    {
      "Action": "log:ListProject",
      "Resource": "acs:log:*:*:project/*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
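On the Create Policy page, enter a name, and then click OK.
Grant the custom policy to the RAM identity.
In the left-side navigation pane, click Users, and then click Add Permissions in the Actions column next to the name of the target RAM user.
From the drop-down list, select Custom Policy, select the custom policy that you just created, and then click Confirm New Authorization.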
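Before pasting a policy document into the script editor, it helps to confirm that a policy intended as read-only grants nothing beyond Get*/List* actions. The following check is an added example, not part of the original documentation; the function names, the Get/List prefix rule, and the abbreviated sample policies are assumptions made for illustration.

```python
import json

# Verb prefixes treated as read-only. This is an assumption of the example,
# taken from the action names in the read-only policy above.
READ_PREFIXES = ("Get", "List")

def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def mutating_actions(policy):
    """Return the sorted Allow-ed actions that are not Get*/List*."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            # "log:*" has verb "*", so a service-wide wildcard is flagged too.
            if not verb.startswith(READ_PREFIXES):
                found.add(action)
    return sorted(found)

# Constructed, abbreviated samples built from action names in the policies above.
READ_ONLY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["log:GetLogStore", "log:ListLogStores", "log:GetLogStoreLogs"],
   "Resource": ["acs:log:*:*:project/*/logstore/*"]},
  {"Effect": "Allow", "Action": "log:ListProject",
   "Resource": "acs:log:*:*:project/*"}]}
""")
READ_WRITE = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["log:GetLogStore", "log:CreateLogStore", "log:UpdateIndex",
              "log:DeleteLogtailPipelineConfig"],
   "Resource": ["acs:log:*:*:project/*/logstore/*",
                "acs:log:*:*:project/*/logtailconfig/*"]},
  {"Effect": "Allow",
   "Action": ["log:GetCollectionPolicy", "log:UpsertCollectionPolicy",
              "log:DeleteCollectionPolicy"],
   "Resource": "acs:log::*:collectionpolicy/*"}]}
""")

if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY), ("read/write", READ_WRITE)):
        print(name, "->", mutating_actions(policy) or "no mutating actions")
```

Load the full policy document with `json.loads` and pass it to `mutating_actions`; an empty list means every allowed action is a Get or List call.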
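Related documentation
After a user creates a rule in Log Audit, Log Audit automatically creates the service-linked role AliyunServiceRoleForSLSAudit in the current account and in member accounts (after Resource Directory is enabled). This role is mainly used to read data from some cloud products.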