授予RAM用户操作CloudLens for OSS的权限

本文介绍如何授予RAM用户操作CloudLens for OSS的权限。

前提条件

已创建RAM用户。具体操作,请参见创建RAM用户

背景信息

您可以通过如下两种方式授予RAM用户操作CloudLens for OSS的权限。

  • 系统权限策略:权限范围较大,用户无法修改系统权限策略的内容,但配置步骤简单。

  • 自定义权限策略:权限范围更精细,用户可以修改自定义权限策略的内容,配置步骤比系统权限策略更复杂。

极简授权

使用阿里云账号登录RAM控制台,为RAM用户授予全部管理权限(AliyunLogFullAccess、AliyunRAMFullAccess)。具体操作,请参见为RAM用户授权

自定义权限策略

  1. 使用阿里云账号登录RAM控制台

  2. 创建权限策略。

    1. 在左侧导航栏中,选择权限管理 > 权限策略

    2. 单击创建权限策略

    3. 创建权限策略页面的脚本编辑页签中,将配置框中的原有脚本替换为如下内容,然后单击继续编辑基本信息

      您可以授予RAM用户使用CloudLens for OSS的只读权限或读写权限,具体权限策略说明如下:

      • 只读权限(只允许查看CloudLens for OSS中的各个页面。)

        {
            "Statement": [
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:GetSubStore",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "log:GetProductDataCollection",
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:oss:*:*:*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "log:ListJob",
                    "Resource": "acs:log:*:*:project/*/job/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:ListProject",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                }
                
            ],
            "Version": "1"
        }
      • 读写权限(允许操作CloudLens for OSS中的各个功能。)

        {
            "Statement": [
                {
                    "Action": [
                        "log:GetLogStore",
                        "log:ListLogStores",
                        "log:GetIndex",
                        "log:GetLogStoreHistogram",
                        "log:GetLogStoreLogs",
                        "log:GetSubStore",
                        "log:GetDashboard",
                        "log:ListDashboard",
                        "log:ListSavedSearch",
                        "log:CreateLogStore",
                        "log:CreateIndex",
                        "log:UpdateIndex",
                        "log:CreateDashboard",
                        "log:CreateChart",
                        "log:UpdateDashboard",
                        "log:UpdateLogStore",
                        "log:UpdateSubStoreTTL",
                        "log:GetProjectLogs"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:log:*:*:project/*/dashboard/*",
                        "acs:log:*:*:project/*/savedsearch/*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:GetProductDataCollection",
                        "log:OpenProductDataCollection",
                        "log:CloseProductDataCollection"
                    ],
                    "Resource": [
                        "acs:log:*:*:project/*/logstore/*",
                        "acs:oss:*:*:*"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "log:SetGeneralDataAccessConfig"
                    ],
                    "Resource": [
                        "acs:log:*:*:resource/sls.general_data_access.oss.global_conf.standard_channel/record"
                    ],
                    "Effect": "Allow"
                },
                {
                    "Action": "log:*",
                    "Resource": "acs:log:*:*:project/*/job/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "log:CreateProject",
                    "Resource": "acs:log:*:*:project/sls-alert-*",
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:CreateServiceLinkedRole",
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "ram:ServiceName": "audit.log.aliyuncs.com"
                        }
                    }
                },
                {
                    "Action": "log:ListProject",
                    "Resource": "acs:log:*:*:project/*",
                    "Effect": "Allow"
                }
            ],
            "Version": "1"
        }
    4. 设置名称,然后单击确定

      例如设置策略名称为log-oss-policy

  3. 为RAM用户授权。

    1. 在左侧导航栏中,选择身份管理 > 用户

    2. 找到目标RAM用户,单击添加权限

    3. 新增授权面板的权限策略区域,在下拉列表选择自定义策略,然后选中您在步骤2中创建的权限策略,然后单击确认新增授权