To monitor data across multiple projects, regions, or Alibaba Cloud accounts, you must use your Alibaba Cloud account or a RAM user to authorize Log Service to read data from the required Logstores and Metricstores. The RAM user must have permissions to perform operations that are related to the alerting feature.

Authorization methods

You can use the default method to authorize Log Service. You can also assign the built-in role or a custom role to Log Service based on your business requirements. After you complete the authorization, Log Service can access Logstores and Metricstores.

Authorization methods and the scenarios they fit:

Use the default method: If you use an alert monitoring rule to monitor data in the Logstores and Metricstores of a single project, you can use the default method to authorize Log Service. In this case, the alert monitoring rule belongs to that project.
Assign the built-in role to Log Service: If you use an alert monitoring rule that belongs to a project to monitor data in the Logstores and Metricstores of other projects, you can assign the built-in role to Log Service. These projects belong to the same Alibaba Cloud account, but the data is stored in different projects or regions.
Assign a custom role to Log Service: If you use an alert monitoring rule to monitor data across multiple Alibaba Cloud accounts, or across multiple regions or projects that belong to the same Alibaba Cloud account, you can assign a custom role to Log Service. Custom roles let you perform fine-grained access control.

Use the default method to authorize Log Service

If you use an alert monitoring rule to monitor data in the Logstores and Metricstores of a project, you can use the default method to authorize Log Service. To use the default method to authorize Log Service when you create an alert monitoring rule, select Default from the Authorization drop-down list on the Advanced Settings tab in the Query Statistics dialog box. For more information, see Create an alert monitoring rule for logs.

Assign the built-in role to Log Service

If you use an alert monitoring rule to monitor data in the Logstores and Metricstores of multiple projects that belong to the same Alibaba Cloud account, you can assign the AliyunSLSAlertMonitorRole built-in role to Log Service. Then, Log Service can read data from the Logstores and Metricstores. To assign the AliyunSLSAlertMonitorRole built-in role to Log Service when you create an alert monitoring rule, perform the following steps. For more information, see Create an alert monitoring rule for logs.

  1. In the Alert Monitoring Rule panel, click the text box in the Query Statistics field.
  2. On the Advanced Settings tab, select Built-in Role from the Authorization drop-down list.
  3. If you configure the built-in role for the first time, click Authorize.
    Note If you use a RAM user, you must use your Alibaba Cloud account to authorize the RAM user.
  4. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.

Assign a custom role to Log Service to monitor data within an Alibaba Cloud account

You can use a custom role to monitor data in the Logstores and Metricstores of multiple projects that belong to the same Alibaba Cloud account.

Before you perform the following steps, you must create a RAM role. For more information, see Create a RAM role.

  1. Log on to the RAM console.
  2. Create a policy to manage alerts.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.
      Parameters:
      Policy Name: The name of the policy, for example, sls-alert-monitor-1-policy.
      Configuration Mode: Select Script.
      Policy Document: The content of the policy. Replace the content in the editor with the following script. Replace Project name with the name of the project in which you want to create an alert monitoring rule.

      You can modify the policy to perform fine-grained access control. For example, if you want to authorize the role to create alert monitoring rules in only one project, you can specify the project in the Resource element of the following policy, for example, acs:log:*:*:project/my-project.

      {
        "Statement": [
          {
            "Action": [
              "log:ListProject"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:*"
            ]
          },
          {
            "Action": [
              "log:ListLogStores",
              "log:GetLogStoreLogs",
              "log:GetIndex"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:project/Project name/*"
            ]
          }
        ],
        "Version": "1"
      }
    4. Click OK.
  3. Attach the policy to the RAM role.
    1. In the left-side navigation pane, choose Identities > Roles.
    2. On the Roles page, find the RAM role and click Add Permissions in the Actions column.
    3. On the Custom Policy tab, select the policy that you created in Step 2. Then, click OK. In this example, the policy is sls-alert-monitor-1-policy.
    4. Confirm the authorization result and click Complete.
    5. On the Roles page, click the name of the RAM role.
    6. On the Trust Policy Management tab, click Edit Trust Policy.
      Add log.aliyuncs.com to the Service element. The following policy allows Log Service to obtain a temporary token to manage the resources of the Alibaba Cloud account.
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  4. In the Basic Information section of the details page of the RAM role, obtain the Alibaba Cloud Resource Name (ARN).
    After you complete the authorization, you can use the ARN of the RAM role when you create an alert monitoring rule. For more information, see Create an alert monitoring rule for logs.

Assign a custom role to Log Service to monitor data across multiple Alibaba Cloud accounts

You can use a custom role to monitor data in the Logstores and Metricstores of multiple Alibaba Cloud accounts. For example, you can use Alibaba Cloud Account A to create an alert monitoring rule and use the rule to monitor data in the Logstores and Metricstores of Alibaba Cloud Account B. To assign a custom role to Log Service, perform the following steps.

Before you perform the following steps, you must create a RAM role. For more information, see Create a RAM role.

  1. Use Alibaba Cloud Account B to log on to the RAM console.
  2. Create a policy to manage alerts.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.
      Parameters:
      Policy Name: The name of the policy, for example, sls-alert-monitor-2-policy.
      Configuration Mode: Select Script.
      Policy Document: The content of the policy. Replace the content in the editor with the following script. Replace Project name with the name of the project in which you want to create an alert monitoring rule.

      You can modify the policy to perform fine-grained access control. For example, if you want to authorize the role to create alert monitoring rules in only one project, you can specify the project in the Resource element of the following policy, for example, acs:log:*:*:project/my-project.

      {
        "Statement": [
          {
            "Action": [
              "log:ListProject"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:*"
            ]
          },
          {
            "Action": [
              "log:ListLogStores",
              "log:GetLogStoreLogs",
              "log:GetIndex"
            ],
            "Effect": "Allow",
            "Resource": [
              "acs:log:*:*:project/Project name/*"
            ]
          }
        ],
        "Version": "1"
      }
    4. Click OK.
  3. Attach the policy to the RAM role.
    1. In the left-side navigation pane, choose Identities > Roles.
    2. On the Roles page, find the RAM role and click Add Permissions in the Actions column.
    3. On the Custom Policy tab, select the policy that you created in Step 2. Then, click OK. In this example, the policy is sls-alert-monitor-2-policy.
    4. Confirm the authorization result and click Complete.
    5. On the Roles page, click the name of the RAM role.
    6. On the Trust Policy Management tab, click Edit Trust Policy.
      Add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element. Replace ID of Alibaba Cloud Account A with the ID of Alibaba Cloud Account A, the account in which the alert monitoring rule is created. You can view the ID of an Alibaba Cloud account in the Account Management console. The following policy allows Log Service in Alibaba Cloud Account A to obtain a temporary token to monitor the data in the Logstores and Metricstores of Alibaba Cloud Account B.
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "ID of Alibaba Cloud Account A@log.aliyuncs.com",
                          "log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  4. In the Basic Information section of the details page of the RAM role, obtain the ARN.
    After you complete the authorization, you can use the ARN of the RAM role when you create an alert monitoring rule. For more information, see Create an alert monitoring rule for logs.
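Both custom-role procedures on this page end with two JSON documents that are easy to get subtly wrong: a permission policy that should stay read-only and project-scoped, and a trust policy that should admit only Log Service (and, in the cross-account case, only Account A's Log Service). The following Python script is an added example, not Alibaba Cloud's code or tooling, that checks pasted policy documents against the shape this page prescribes before they are attached to the RAM role. The project name "my-project", the account ID "1234567890123456" and the "weak" policy variant are constructed sample values; the assumption that the Service principal takes the form "<account ID>@log.aliyuncs.com" follows the trust policy shown above.

```python
import json
import re

# Constructed sample documents modelled on the two policies on this page.
# "my-project" and "1234567890123456" are made-up values, not real resources.
PERMISSION_POLICY = """{
  "Statement": [
    {"Action": ["log:ListProject"], "Effect": "Allow", "Resource": ["acs:log:*:*:*"]},
    {"Action": ["log:ListLogStores", "log:GetLogStoreLogs", "log:GetIndex"],
     "Effect": "Allow", "Resource": ["acs:log:*:*:project/my-project/*"]}
  ],
  "Version": "1"
}"""

# Weak variant (constructed): the data-read actions are granted on every project.
WEAK_PERMISSION_POLICY = PERMISSION_POLICY.replace(
    "acs:log:*:*:project/my-project/*", "acs:log:*:*:*")

TRUST_POLICY_CROSS_ACCOUNT = """{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["1234567890123456@log.aliyuncs.com", "log.aliyuncs.com"]}}
  ],
  "Version": "1"
}"""

# The read-only Log Service actions this page grants to the alert role.
EXPECTED_ACTIONS = {"log:ListProject", "log:ListLogStores",
                    "log:GetLogStoreLogs", "log:GetIndex"}
# ListProject is the only action the page grants on the global wildcard.
GLOBAL_OK = {"log:ListProject"}
# Resource form used on this page for per-project scoping.
PROJECT_RE = re.compile(r"^acs:log:\*:\*:project/([^/]+)/\*$")
# Assumed principal form: optional "<account ID>@" prefix before log.aliyuncs.com.
SERVICE_RE = re.compile(r"^(?:(\d+)@)?log\.aliyuncs\.com$")


def _as_list(value):
    """RAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_permission_policy(policy_json):
    """Return a list of findings; an empty list means the policy matches the page's
    least-privilege shape (expected read actions only, data actions scoped to a named project)."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        unexpected = actions - EXPECTED_ACTIONS
        if unexpected:
            findings.append(f"statement {i}: action(s) beyond the alert role's read set: {sorted(unexpected)}")
        data_actions = actions - GLOBAL_OK
        for res in _as_list(st.get("Resource", [])):
            match = PROJECT_RE.match(res)
            if "Project name" in res:
                findings.append(f"statement {i}: placeholder 'Project name' was not replaced in {res}")
            elif data_actions and (match is None or match.group(1) == "*"):
                findings.append(f"statement {i}: {sorted(data_actions)} not scoped to a named project: {res}")
    return findings


def trusted_log_service_accounts(policy_json):
    """Return (accounts, findings). accounts lists the account IDs whose Log Service may
    assume the role; "" stands for the role's own account (bare log.aliyuncs.com)."""
    accounts, findings = set(), []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"statement {i}: trust policy should allow only sts:AssumeRole, got {sorted(actions)}")
        principal = st.get("Principal", {})
        for key in principal:
            if key != "Service":  # a RAM or Federated principal is not what this page configures
                findings.append(f"statement {i}: unexpected principal type {key!r}")
        for svc in _as_list(principal.get("Service", [])):
            match = SERVICE_RE.match(svc)
            if match is None:
                findings.append(f"statement {i}: principal {svc!r} is not Log Service")
            else:
                accounts.add(match.group(1) or "")
    return sorted(accounts), findings


if __name__ == "__main__":
    print("scoped policy:", check_permission_policy(PERMISSION_POLICY))
    print("weak policy:", check_permission_policy(WEAK_PERMISSION_POLICY))
    print("trust policy:", trusted_log_service_accounts(TRUST_POLICY_CROSS_ACCOUNT))
```

Run the checker on the document you are about to paste into the policy editor: the scoped policy returns no findings, the weak variant reports the data-read actions granted on the global wildcard, and the trust-policy check lists exactly which accounts' Log Service can assume the role, so an unreplaced placeholder or a stray principal is caught before the ARN is handed to an alert monitoring rule.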