全部产品
Search
文档中心

日志服务:为RAM用户授权使用新版日志审计服务

更新时间:Aug 08, 2024

如果使用RAM用户操作新版日志审计服务,必须先使用阿里云账号(主账号)为RAM用户授予相应的权限策略。

操作步骤

  1. 登录RAM控制台

  2. 创建自定义权限策略。

    1. 在左侧导航栏单击权限策略,然后单击创建权限策略按钮。

    2. 脚本编辑页签,将配置框中的原有脚本替换为如下内容,然后单击继续编辑基本信息

      只读权限

      {
          "Statement": [
              {
                  "Action": [
                      "log:GetLogStore",
                      "log:ListLogStores",
                      "log:GetIndex",
                      "log:GetLogStoreHistogram",
                      "log:GetLogStoreLogs",
                      "log:GetDashboard",
                      "log:ListDashboard",
                      "log:ListSavedSearch",
                      "log:ListTagResources",
                      "log:ListMachineGroup",
                      "log:GetAppliedMachineGroups",
                      "log:GetLogtailPipelineConfig",
                      "log:ListConfig",
                      "log:ListMachines",
                      "log:GetProjectLogs"
                  ],
                  "Resource": [
                      "acs:log:*:*:project/*/logstore/*",
                      "acs:log:*:*:project/*/dashboard/*",
                      "acs:log:*:*:project/*/machinegroup/*",
                      "acs:log:*:*:project/*/logtailconfig/*",
                      "acs:log:*:*:project/*/savedsearch/*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "log:ListCollectionPolicies",
                      "log:GetCollectionPolicy"
                  ],
                  "Resource": "acs:log::*:collectionpolicy/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "log:ListProject",
                  "Resource": "acs:log:*:*:project/*",
                  "Effect": "Allow"
              }
            
          ],
          "Version": "1"
      }

      读写权限

      {
          "Statement": [
              {
                  "Action": [
                      "log:GetLogStore",
                      "log:ListLogStores",
                      "log:GetIndex",
                      "log:GetLogStoreHistogram",
                      "log:GetLogStoreLogs",
                      "log:GetDashboard",
                      "log:ListDashboard",
                      "log:ListSavedSearch",
                      "log:CreateProject",
                      "log:CreateLogStore",
                      "log:CreateIndex",
                      "log:UpdateIndex",
                      "log:ListLogStores",
                      "log:GetLogStore",
                      "log:GetLogStoreLogs",
                      "log:CreateDashboard",
                      "log:CreateChart",
                      "log:UpdateDashboard",
                      "log:UpdateLogStore",
                      "log:GetProjectLogs",
                      "log:ListTagResources",
                      "log:TagResources",
                      "log:ListMachineGroup",
                      "log:ListMachines",
                      "log:ApplyConfigToGroup",
                      "log:GetAppliedMachineGroups",
                      "log:ListConfig",
                      "log:CreateLogtailPipelineConfig",
                      "log:UpdateLogtailPipelineConfig",
                      "log:GetLogtailPipelineConfig",
                      "log:DeleteLogtailPipelineConfig"
                  ],
                  "Resource": [
                      "acs:log:*:*:project/*/logstore/*",
                      "acs:log:*:*:project/*/dashboard/*",
                      "acs:log:*:*:project/*/machinegroup/*",
                      "acs:log:*:*:project/*/logtailconfig/*",
                      "acs:log:*:*:project/*/savedsearch/*"
                  ],
                  "Effect": "Allow"
              },        
              
              
              {
                  "Action": [
                      "log:ListCollectionPolicies",
                      "log:GetCollectionPolicy",
                      "log:UpsertCollectionPolicy",
                      "log:DeleteCollectionPolicy"
                  ],
                  "Resource": "acs:log::*:collectionpolicy/*",
                  "Effect": "Allow"
              },
              {
                  "Action": "log:ListProject",
                  "Resource": "acs:log:*:*:project/*",
                  "Effect": "Allow"
              }
          ],
          "Version": "1"
      }
    3. 创建权限策略页,填写名称,然后单击确定

  3. 为RAM身份授予自定义权限策略。

    1. 在左侧导航栏单击用户,然后单击目标RAM用户名称操作列的添加权限

      image

    2. 在下拉列表中选择自定义策略,然后选择刚创建的自定义权限策略,单击确认新增授权

      image

相关文档

当用户使用日志审计创建规则后,日志审计会自动在当前账号和成员账号(开通资源目录后)下,自动创建管理服务关联角色AliyunServiceRoleForSLSAudit,该角色主要用于读取部分云产品的数据。