Grant a RAM user permissions for log audit (new version)

Updated: 2025-03-05 08:46:55

To use the new version of the log audit service as a RAM user, the RAM user must be granted the corresponding permission policy. This topic describes the authorization steps.

Procedure

  1. Log on to the RAM console using an Alibaba Cloud account (root account) or a RAM administrator.

  2. Create a custom permission policy. On the script editor tab, replace the existing content in the configuration box with one of the following scripts (read-only or read/write, depending on what the RAM user needs). For details, see Create a custom permission policy in script editor mode.

    Read-only permissions:
    {
      "Statement": [
        {
          "Action": [
            "log:GetLogStore",
            "log:ListLogStores",
            "log:GetIndex",
            "log:GetLogStoreHistogram",
            "log:GetLogStoreLogs",
            "log:GetDashboard",
            "log:ListDashboard",
            "log:ListSavedSearch",
            "log:ListTagResources",
            "log:ListMachineGroup",
            "log:GetAppliedMachineGroups",
            "log:GetLogtailPipelineConfig",
            "log:ListConfig",
            "log:ListMachines",
            "log:GetProjectLogs"
          ],
          "Resource": [
            "acs:log:*:*:project/*/logstore/*",
            "acs:log:*:*:project/*/dashboard/*",
            "acs:log:*:*:project/*/machinegroup/*",
            "acs:log:*:*:project/*/logtailconfig/*",
            "acs:log:*:*:project/*/savedsearch/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:ListCollectionPolicies",
            "log:GetCollectionPolicy"
          ],
          "Resource": "acs:log::*:collectionpolicy/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:ListProject",
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:GetResource",
            "log:ListResources",
            "log:GetResourceRecord",
            "log:ListResourceRecords"
          ],
          "Resource": "acs:log:*:*:resource/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:GetJob",
            "log:ListJobs"
          ],
          "Resource": "acs:log:*:*:project/*/job/*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    Read/write permissions:
    {
      "Statement": [
        {
          "Action": [
            "log:GetLogStore",
            "log:ListLogStores",
            "log:GetIndex",
            "log:GetLogStoreHistogram",
            "log:GetLogStoreLogs",
            "log:GetDashboard",
            "log:ListDashboard",
            "log:ListSavedSearch",
            "log:CreateProject",
            "log:CreateLogStore",
            "log:CreateIndex",
            "log:UpdateIndex",
            "log:ListLogStores",
            "log:GetLogStore",
            "log:GetLogStoreLogs",
            "log:CreateDashboard",
            "log:CreateChart",
            "log:UpdateDashboard",
            "log:UpdateLogStore",
            "log:GetProjectLogs",
            "log:ListTagResources",
            "log:TagResources",
            "log:ListMachineGroup",
            "log:ListMachines",
            "log:ApplyConfigToGroup",
            "log:GetAppliedMachineGroups",
            "log:ListConfig",
            "log:CreateLogtailPipelineConfig",
            "log:UpdateLogtailPipelineConfig",
            "log:GetLogtailPipelineConfig",
            "log:DeleteLogtailPipelineConfig"
          ],
          "Resource": [
            "acs:log:*:*:project/*/logstore/*",
            "acs:log:*:*:project/*/dashboard/*",
            "acs:log:*:*:project/*/machinegroup/*",
            "acs:log:*:*:project/*/logtailconfig/*",
            "acs:log:*:*:project/*/savedsearch/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:ListCollectionPolicies",
            "log:GetCollectionPolicy",
            "log:UpsertCollectionPolicy",
            "log:DeleteCollectionPolicy"
          ],
          "Resource": "acs:log::*:collectionpolicy/*",
          "Effect": "Allow"
        },
        {
          "Action": "log:ListProject",
          "Resource": "acs:log:*:*:project/*",
          "Effect": "Allow"
        },
        {
          "Effect": "Allow",
          "Action": "log:*",
          "Resource": "acs:log:*:*:resource/*"
        },
        {
          "Effect": "Allow",
          "Action": "log:*",
          "Resource": "acs:log:*:*:project/*/job/*"
        }
      ],
      "Version": "1"
    }
  3. Attach the custom permission policy you created to the RAM user. For details, see Grant permissions to a RAM user.
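As an added check that is not part of this document or of Alibaba Cloud's own tooling, the script below parses a RAM policy document in the format shown above and reports every Allow grant that is a wildcard (`log:*`) or a write action, so a policy meant to be read-only can be verified before it is attached in step 3. The verb-prefix classification (Get/List read, Create/Update/Delete/Upsert/Apply/Tag write) and the cut-down sample policy are assumptions made for illustration.

```python
import json
# Assumed classification by the conventional action verb prefix: Get/List/Describe
# only read state; Create/Update/Delete/Upsert/Apply/Tag/Untag/Put mutate it.
READ_PREFIXES = ("Get", "List", "Describe")
WRITE_PREFIXES = ("Create", "Update", "Delete", "Upsert", "Apply", "Tag", "Untag", "Put")

def classify_action(action):
    """Return 'wildcard', 'read', 'write' or 'unknown' for one RAM action string."""
    if "*" in action:
        return "wildcard"
    verb = action.split(":", 1)[-1]  # "log:GetLogStore" -> "GetLogStore"
    if verb.startswith(READ_PREFIXES):
        return "read"
    if verb.startswith(WRITE_PREFIXES):
        return "write"
    return "unknown"

def as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (statement index, action, resource, kind) for every Allow grant that is
    not a plain read action, i.e. everything a read-only policy must not contain."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            kind = classify_action(action)
            if kind == "read":
                continue
            for resource in as_list(stmt.get("Resource", [])):
                findings.append((idx, action, resource, kind))
    return findings
# Constructed sample in the page's policy format (a cut-down read/write policy).
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Action": ["log:GetLogStore", "log:ListLogStores", "log:UpdateIndex"],
         "Resource": ["acs:log:*:*:project/*/logstore/*"], "Effect": "Allow"},
        {"Action": "log:*", "Resource": "acs:log:*:*:resource/*", "Effect": "Allow"},
    ],
    "Version": "1",
})

if __name__ == "__main__":
    for idx, action, resource, kind in audit_policy(SAMPLE_POLICY):
        print("statement %d: %s grants %s on %s" % (idx, kind, action, resource))
```

Run it against the read-only policy above and an empty result confirms it grants nothing beyond Get/List actions; the read/write policy is expected to produce findings for its `log:*` statements.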

Related documents

After a user creates a rule in Log Audit, Log Audit automatically creates the service-linked role AliyunServiceRoleForSLSAudit in the current account and in member accounts (once Resource Directory is enabled). This role is mainly used to read data from some cloud services.
