This topic describes how to authorize a RAM user to manage alerts.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can authorize a RAM user to manage alerts in one of the following modes:
  • Simple mode: You can grant all permissions on Log Service to the RAM user. You do not need to configure parameters.
    • Log on to the RAM console by using your Alibaba Cloud account. Then, attach the AliyunLogFullAccess policy to the RAM user. This way, the RAM user has all permissions on Log Service. For more information, see Create a RAM user and authorize the RAM user to access Log Service.
    • If you want the RAM user to assume a system role or a custom role to query data in Metricstores or Logstores, you must also grant the RAM user the ram:PassRole permission on that role; otherwise the user cannot pass the role to Log Service. The following code shows the sample policy statement:
      {
        "Action": "ram:PassRole",
        "Effect": "Allow",
        "Resource": "acs:ram::ID of your Alibaba Cloud account:ARN of the role"
      }
      For more information about how to grant permissions to a system role or a custom role, see Configure access control policies.
  • Custom mode: You can create custom policies and attach the policies to the RAM user. This mode requires complex configurations and provides fine-grained access control.

    In this topic, the custom mode is used as an example.

Procedure

  1. Log on to the RAM console.
  2. Create a policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, configure the following parameters and click OK.
      Parameter           Description
      Policy Name         Enter a name for the policy.
      Configuration Mode  Select Script.
      Policy Document     Replace the content in the editor with the following script.
      • Project name is a placeholder for the project to which the alerts belong. Replace it with the actual project name.
      • sls-alert-* matches all the projects to which Global Alert Center belongs within your Alibaba Cloud account (one per region). Each of these projects stores the alert data of your Alibaba Cloud account: the evaluation data of each alert rule, the logs recorded for each alert rule, and the global reports that are related to alerts.

        If you want to authorize a RAM user to manage only one project to which Global Alert Center belongs, you must set sls-alert-* to the name of the project in the sls-alert-${uid}-${region} format. Example: sls-alert-148****6461-cn-hangzhou.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateLogStore",
              "log:CreateIndex",
              "log:UpdateIndex"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name/logstore/internal-alert-history",
              "acs:log:*:*:project/sls-alert-*/logstore/internal-alert-center-log"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateDashboard",
              "log:CreateChart",
              "log:UpdateDashboard"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name/dashboard/*",
              "acs:log:*:*:project/sls-alert-*/dashboard/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:*"
            ],
            "Resource": "acs:log:*:*:project/Project name/job/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateProject"
            ],
            "Resource": [
              "acs:log:*:*:project/sls-alert-*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStoreLogs",
              "log:ListLogStores",
              "log:GetIndex"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name",
              "acs:log:*:*:project/Project name/*"
            ]
          },
          {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "acs:ram::ID of your Alibaba Cloud account:ARN of the role"
          }
        ]
      }
  3. Attach the policy to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user and click Add Permissions in the Actions column.
    3. In the Add Permissions panel, go to the Select Policy section and click System Policy. Then, click the AliyunRAMReadOnlyAccess policy.
    4. In the Add Permissions panel, go to the Select Policy section and click Custom Policy. Then, click the policy created in Step 2 and click OK.
    5. Click Complete.
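Two things are worth checking before you paste a policy document like the one in Step 2 into the RAM console: a statement must not repeat the "Resource" key (most JSON parsers silently keep only the last value, so the other ARN quietly disappears), and every log: resource should stay scoped to the named project or to the Global Alert Center project sls-alert-${uid}-${region}, never to a bare project/* wildcard. The following Python script is an added example, not Alibaba Cloud code; the policy samples, the project name my-project and the account values in it are constructed.

```python
import json

# Constructed sample (not from the page): the query statement written with a duplicate "Resource" key.
DUPLICATE_KEY_POLICY = '''{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["log:GetLogStoreLogs", "log:ListLogStores", "log:GetIndex"],
    "Resource": "acs:log:*:*:project/my-project",
    "Resource": "acs:log:*:*:project/my-project/*"
  }]
}'''

# Constructed sample: the same statement fixed into a Resource array, plus an over-broad project/* statement.
CHECKED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["log:GetLogStoreLogs", "log:ListLogStores", "log:GetIndex"],
         "Resource": ["acs:log:*:*:project/my-project", "acs:log:*:*:project/my-project/*"]},
        {"Effect": "Allow", "Action": ["log:CreateProject"], "Resource": ["acs:log:*:*:project/sls-alert-*"]},
        {"Effect": "Allow", "Action": ["log:*"], "Resource": "acs:log:*:*:project/*"},
    ],
}

def _reject_duplicates(pairs):
    """object_pairs_hook: raise on a repeated key instead of keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in policy document")
        obj[key] = value
    return obj

def load_policy(text: str) -> dict:
    """Parse a RAM policy document, rejecting duplicate keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def unscoped_log_resources(policy: dict, project: str, uid: str, region: str) -> list:
    """Return log: resources whose project segment is neither `project` nor the Global Alert Center project."""
    allowed = {project, f"sls-alert-{uid}-{region}", "sls-alert-*"}
    flagged = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        for arn in ([resources] if isinstance(resources, str) else resources):
            if not arn.startswith("acs:log:"):
                continue  # e.g. the ram:PassRole resource, which is not a Log Service ARN
            segment = arn.split("project/", 1)[-1].split("/", 1)[0]
            if segment not in allowed:
                flagged.append(arn)
    return flagged
```

Run load_policy on the text you are about to paste, then unscoped_log_resources on the result with your own project name, account ID and region; an empty list means every Log Service ARN is confined to the projects this topic names.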