授权RAM用户操作定时SQL

本文介绍如何为RAM用户授予操作定时SQL的权限。

前提条件

已创建RAM用户。具体操作,请参见创建RAM用户

操作步骤

  1. 使用阿里云账号(主账号)或RAM管理员登录RAM控制台

  2. 创建一个自定义权限策略,其中在脚本编辑页签,请使用以下脚本替换配置框中的原有内容。具体操作,请参见通过脚本编辑模式创建自定义权限策略

    重要
    • 脚本中的Project名称Logstore名称请根据实际情况替换。

    • 如果您要使用RAM用户配置定时SQL任务告警,还需授予RAM用户告警操作权限。更多信息,请参见授予RAM用户告警操作权限

    • 权限策略中的Logstore包括了Logstore和MetricStore。当您的操作对象为MetricStore时,如下策略同样适用。

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "log:GetJobInstance",
            "log:ModifyJobInstance",
            "log:ModifyJobInstanceState",
            "log:ListJobInstances"
          ],
          "Resource": "acs:log:*:*:project/Project名称/job/*/jobinstance/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:ListJobs",
            "log:GetJob",
            "log:CreateJob",
            "log:UpdateJob",
            "log:DeleteJob"
          ],
          "Resource": "acs:log:*:*:project/Project名称/job/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:ListLogStores",
            "log:ListSavedSearch",
            "log:ListDashboard"
          ],
          "Resource": "acs:log:*:*:project/Project名称/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:GetLogStore",
            "log:GetIndex",
            "log:GetLogStoreHistogram",
            "log:GetLogStoreLogs"
          ],
          "Resource": "acs:log:*:*:project/Project名称/logstore/Logstore名称"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:PassRole",
            "ram:GetRole",
            "ram:ListRoles"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:CreateLogStore",
            "log:CreateIndex",
            "log:UpdateIndex"
          ],
          "Resource": [
            "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:CreateDashboard",
            "log:CreateChart",
            "log:UpdateDashboard"
          ],
          "Resource": [
            "acs:log:*:*:project/sls-alert-*/dashboard/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:CreateProject"
          ],
          "Resource": [
            "acs:log:*:*:project/sls-alert-*"
          ]
        }
      ]
    }
  3. 为RAM用户添加创建的自定义权限策略。具体操作,请参见为RAM用户授权