Grant a RAM user permissions to use Log Audit Service (new version)

Before a RAM user can operate the new version of Log Audit Service, you must grant the RAM user the required permission policy. This topic describes the authorization steps.

Procedure

  1. Log on to the RAM console with an Alibaba Cloud account (root account) or as a RAM administrator.

  2. Create a custom policy. On the JSON (script editor) tab, replace the existing content of the editor with one of the following policy documents. For details, see Create a custom policy in script editor mode. Choose the document that matches what the user needs to do: the read-only policy only allows querying Log Audit data, dashboards, and configurations, while the read/write policy additionally allows creating, updating, and deleting those resources (projects, Logstores, indexes, dashboards, Logtail pipeline configurations, tags, and collection policies).

    Read-only policy

    {
        "Statement": [
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:ListTagResources",
                    "log:ListMachineGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetLogtailPipelineConfig",
                    "log:ListConfig",
                    "log:ListMachines",
                    "log:GetProjectLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/machinegroup/*",
                    "acs:log:*:*:project/*/logtailconfig/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:ListCollectionPolicies",
                    "log:GetCollectionPolicy"
                ],
                "Resource": "acs:log::*:collectionpolicy/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }

    Read/write policy

    {
        "Statement": [
            {
                "Action": [
                    "log:GetLogStore",
                    "log:ListLogStores",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs",
                    "log:GetDashboard",
                    "log:ListDashboard",
                    "log:ListSavedSearch",
                    "log:CreateProject",
                    "log:CreateLogStore",
                    "log:CreateIndex",
                    "log:UpdateIndex",
                    "log:CreateDashboard",
                    "log:CreateChart",
                    "log:UpdateDashboard",
                    "log:UpdateLogStore",
                    "log:GetProjectLogs",
                    "log:ListTagResources",
                    "log:TagResources",
                    "log:ListMachineGroup",
                    "log:ListMachines",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:ListConfig",
                    "log:CreateLogtailPipelineConfig",
                    "log:UpdateLogtailPipelineConfig",
                    "log:GetLogtailPipelineConfig",
                    "log:DeleteLogtailPipelineConfig"
                ],
                "Resource": [
                    "acs:log:*:*:project/*/logstore/*",
                    "acs:log:*:*:project/*/dashboard/*",
                    "acs:log:*:*:project/*/machinegroup/*",
                    "acs:log:*:*:project/*/logtailconfig/*",
                    "acs:log:*:*:project/*/savedsearch/*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "log:ListCollectionPolicies",
                    "log:GetCollectionPolicy",
                    "log:UpsertCollectionPolicy",
                    "log:DeleteCollectionPolicy"
                ],
                "Resource": "acs:log::*:collectionpolicy/*",
                "Effect": "Allow"
            },
            {
                "Action": "log:ListProject",
                "Resource": "acs:log:*:*:project/*",
                "Effect": "Allow"
            }
        ],
        "Version": "1"
    }

  3. Attach the custom policy that you created to the RAM user. For details, see Grant permissions to a RAM user.
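The following Python script is an added example; it is not part of this topic or of Log Audit Service. It embeds the read-only policy document from this topic, derives the read/write document from it (the read/write document is the read-only one plus the Create/Update/Delete/Tag/Apply actions listed above), and lints both before they are installed: it confirms that every action in the read-only policy uses a Get/List verb, that no statement grants a wildcard action or resource, and that no action is listed twice. It then prints the Alibaba Cloud CLI (`aliyun`) calls that perform steps 2 and 3. The policy names `SLSAuditReadOnly` and `SLSAuditReadWrite` and the user name `audit-user` are placeholders, and the script assumes the `aliyun` CLI is installed and configured with credentials that may create and attach RAM policies.

```python
"""Lint the Log Audit custom policies and emit the CLI calls that install them.
Added example, not code from the Alibaba Cloud topic. Policy and user names are
placeholders (assumption); the policy documents are copied from the topic."""
import copy
import json

# Read-only policy document from the topic.
READ_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:GetLogStore", "log:ListLogStores", "log:GetIndex", "log:GetLogStoreHistogram",
                "log:GetLogStoreLogs", "log:GetDashboard", "log:ListDashboard", "log:ListSavedSearch",
                "log:ListTagResources", "log:ListMachineGroup", "log:GetAppliedMachineGroups",
                "log:GetLogtailPipelineConfig", "log:ListConfig", "log:ListMachines", "log:GetProjectLogs",
            ],
            "Resource": [
                "acs:log:*:*:project/*/logstore/*", "acs:log:*:*:project/*/dashboard/*",
                "acs:log:*:*:project/*/machinegroup/*", "acs:log:*:*:project/*/logtailconfig/*",
                "acs:log:*:*:project/*/savedsearch/*",
            ],
        },
        {"Effect": "Allow", "Action": ["log:ListCollectionPolicies", "log:GetCollectionPolicy"],
         "Resource": "acs:log::*:collectionpolicy/*"},
        {"Effect": "Allow", "Action": "log:ListProject", "Resource": "acs:log:*:*:project/*"},
    ],
}

# The read/write document is the read-only one plus the mutating actions from the topic.
READ_WRITE_POLICY = copy.deepcopy(READ_ONLY_POLICY)
READ_WRITE_POLICY["Statement"][0]["Action"] += [
    "log:CreateProject", "log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex",
    "log:CreateDashboard", "log:CreateChart", "log:UpdateDashboard", "log:UpdateLogStore",
    "log:TagResources", "log:ApplyConfigToGroup", "log:CreateLogtailPipelineConfig",
    "log:UpdateLogtailPipelineConfig", "log:DeleteLogtailPipelineConfig",
]
READ_WRITE_POLICY["Statement"][1]["Action"] += ["log:UpsertCollectionPolicy", "log:DeleteCollectionPolicy"]

READ_VERBS = ("Get", "List", "Describe")  # verbs that only read state


def _as_list(value):
    """RAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def mutating_actions(policy):
    """Sorted actions whose verb is not a read verb. Must be empty for a read-only policy."""
    found = {a for s in policy["Statement"] for a in _as_list(s["Action"])
             if not a.split(":", 1)[1].startswith(READ_VERBS)}
    return sorted(found)


def wildcard_statements(policy):
    """Indexes of Allow statements granting a wildcard action ('*', 'log:*') or resource ('*')."""
    bad = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            bad.append(i)
    return bad


def duplicate_actions(policy):
    """Actions listed more than once across the document (harmless to RAM, but a review smell)."""
    seen, dupes = set(), set()
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            (dupes if action in seen else seen).add(action)
    return sorted(dupes)


def lint(name, policy, read_only):
    """Raise ValueError if the policy fails a check; otherwise return it unchanged."""
    if read_only and mutating_actions(policy):
        raise ValueError(f"{name}: read-only policy grants {mutating_actions(policy)}")
    if wildcard_statements(policy):
        raise ValueError(f"{name}: wildcard grant in statements {wildcard_statements(policy)}")
    if duplicate_actions(policy):
        raise ValueError(f"{name}: duplicated actions {duplicate_actions(policy)}")
    return policy


def cli_commands(policy_name, user_name, policy):
    """The two `aliyun ram` calls corresponding to steps 2 and 3 (create policy, attach to user)."""
    doc = json.dumps(policy, separators=(",", ":"))
    return [
        f"aliyun ram CreatePolicy --PolicyName {policy_name} --PolicyDocument '{doc}'",
        f"aliyun ram AttachPolicyToUser --PolicyType Custom --PolicyName {policy_name} --UserName {user_name}",
    ]


if __name__ == "__main__":
    # Placeholder names (assumption): substitute your own policy names and RAM user name.
    for name, policy, ro in (("SLSAuditReadOnly", READ_ONLY_POLICY, True),
                             ("SLSAuditReadWrite", READ_WRITE_POLICY, False)):
        lint(name, policy, ro)
        print("\n".join(cli_commands(name, "audit-user", policy)))
```

Run the script and paste the printed commands into a shell, or pipe them through `sh` once you have reviewed them. Attach only one of the two policies to a given user; a user who holds the read/write policy already has every permission in the read-only one.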

References

After a user creates a rule in Log Audit Service, Log Audit Service automatically creates the service-linked role AliyunServiceRoleForSLSAudit in the current account and, if Resource Directory is enabled, in the member accounts. This role is used mainly to read data from certain cloud services.