如需使用RAM用户操作新版日志审计服务,必须为RAM用户授予相应的权限策略。本文介绍具体的授权步骤。
操作步骤
使用阿里云账号(主账号)或RAM管理员登录RAM控制台。
创建一个自定义权限策略,其中在脚本编辑页签,请使用以下脚本替换配置框中的原有内容。具体操作,请参见通过脚本编辑模式创建自定义权限策略。
只读权限
{ "Statement": [ { "Action": [ "log:GetLogStore", "log:ListLogStores", "log:GetIndex", "log:GetLogStoreHistogram", "log:GetLogStoreLogs", "log:GetDashboard", "log:ListDashboard", "log:ListSavedSearch", "log:ListTagResources", "log:ListMachineGroup", "log:GetAppliedMachineGroups", "log:GetLogtailPipelineConfig", "log:ListConfig", "log:ListMachines", "log:GetProjectLogs" ], "Resource": [ "acs:log:*:*:project/*/logstore/*", "acs:log:*:*:project/*/dashboard/*", "acs:log:*:*:project/*/machinegroup/*", "acs:log:*:*:project/*/logtailconfig/*", "acs:log:*:*:project/*/savedsearch/*" ], "Effect": "Allow" }, { "Action": [ "log:ListCollectionPolicies", "log:GetCollectionPolicy" ], "Resource": "acs:log::*:collectionpolicy/*", "Effect": "Allow" }, { "Action": "log:ListProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" }, { "Action": [ "log:GetResource", "log:ListResources", "log:GetResourceRecord", "log:ListResourceRecords" ], "Resource": "acs:log:*:*:resource/*", "Effect": "Allow" }, { "Action": [ "log:GetJob", "log:ListJobs" ], "Resource": "acs:log:*:*:project/*/job/*", "Effect": "Allow" } ], "Version": "1" }读写权限
{ "Statement": [ { "Action": [ "log:GetLogStore", "log:ListLogStores", "log:GetIndex", "log:GetLogStoreHistogram", "log:GetLogStoreLogs", "log:GetDashboard", "log:ListDashboard", "log:ListSavedSearch", "log:CreateProject", "log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex", "log:ListLogStores", "log:GetLogStore", "log:GetLogStoreLogs", "log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard", "log:UpdateLogStore", "log:GetProjectLogs", "log:ListTagResources", "log:TagResources", "log:ListMachineGroup", "log:ListMachines", "log:ApplyConfigToGroup", "log:GetAppliedMachineGroups", "log:ListConfig", "log:CreateLogtailPipelineConfig", "log:UpdateLogtailPipelineConfig", "log:GetLogtailPipelineConfig", "log:DeleteLogtailPipelineConfig" ], "Resource": [ "acs:log:*:*:project/*/logstore/*", "acs:log:*:*:project/*/dashboard/*", "acs:log:*:*:project/*/machinegroup/*", "acs:log:*:*:project/*/logtailconfig/*", "acs:log:*:*:project/*/savedsearch/*" ], "Effect": "Allow" }, { "Action": [ "log:ListCollectionPolicies", "log:GetCollectionPolicy", "log:UpsertCollectionPolicy", "log:DeleteCollectionPolicy" ], "Resource": "acs:log::*:collectionpolicy/*", "Effect": "Allow" }, { "Action": "log:ListProject", "Resource": "acs:log:*:*:project/*", "Effect": "Allow" }, { "Effect": "Allow", "Action": "log:*", "Resource": "acs:log:*:*:resource/*" }, { "Effect": "Allow", "Action": "log:*", "Resource": "acs:log:*:*:project/*/job/*" } ], "Version": "1" }为RAM用户添加创建的自定义权限策略。具体操作,请参见为RAM用户授权。
相关文档
当用户使用日志审计创建规则后,日志审计会自动在当前账号和成员账号(开通资源目录后)下,创建管理服务关联角色AliyunServiceRoleForSLSAudit,该角色主要用于读取部分云产品的数据。