Prerequisites
A Resource Access Management (RAM) role is created. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Important
When you create a RAM role, you must set the Select Trusted Entity parameter to Alibaba Cloud Service and the Select Trusted Service parameter to Log Service.
Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Grant the RAM role the read-only permissions on a source logstore
After you use an Alibaba Cloud account to grant the RAM role the read-only permissions on a source logstore, the RAM role can read data from the source logstore. When you create a data transformation job, you can use the RAM role. For more information, see Create a data transformation job.
Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.
Create a custom policy. In this example, the log-etl-source-reader-policy policy is created. The policy grants the read-only permissions on a source logstore. For more information, see Create a custom policy on the JSON tab.
On the JSON tab of the Create Policy page, replace the existing script in the code editor with one of the following policy documents. The first document uses exact match for authorization, the second uses fuzzy match.
Exact match for authorization
In this example, the source project name is log-project-prod, and the source logstore name is access_log. Replace the project and logstore names based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-prod/logstore/access_log",
        "acs:log:*:*:project/log-project-prod/logstore/access_log/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Fuzzy match for authorization
In this example, the source project names are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the source logstore names are app_a_log, app_b_log, and app_c_log. Replace the project and logstore names based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log",
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Attach the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
Grant the RAM role the write permissions on a destination logstore within the same Alibaba Cloud account
If the source and destination logstores belong to the same Alibaba Cloud account, you can use the Alibaba Cloud account to grant the write permissions to the RAM role. Then, the RAM role can write transformed data to the destination logstore. When you create a data transformation job, you can use the RAM role. For more information, see Create a data transformation job.
Create a custom policy. In this example, the log-etl-target-writer-policy policy is created. The policy grants the permissions to write transformation results to a destination logstore. For more information, see Create a custom policy on the JSON tab.
On the JSON tab of the Create Policy page, replace the existing script in the code editor with one of the following policy documents. The first document uses exact match for authorization, the second uses fuzzy match.
Exact match for authorization
In this example, the destination project name is log-project-prod, and the destination logstore name is access_log_output. Replace the project and logstore names based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*",
        "log:BatchPost*"
      ],
      "Resource": "acs:log:*:*:project/log-project-prod/logstore/access_log_output",
      "Effect": "Allow"
    }
  ]
}
Fuzzy match for authorization
In this example, the destination project names are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the destination logstore names are app_a_log_output, app_b_log_output, and app_c_log_output. Replace the project and logstore names based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*",
        "log:BatchPost*"
      ],
      "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log_output",
      "Effect": "Allow"
    }
  ]
}
Attach the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
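The two custom policies above rely on the wildcard in Action and Resource to decide what the RAM role may do. The following Python script is an added example, not code from Alibaba Cloud or from this page, that evaluates the fuzzy-match reader and writer policies against concrete logstore ARNs. It shows that the reader role cannot write, the writer role cannot read, and that a wildcard such as log-project-dev-* also covers projects that were never in the intended list, which is the caveat to weigh when choosing fuzzy match over exact match. The region and account ID in the ARNs are constructed, the matcher is a simplified glob in which * matches any run of characters including /, and log:PostLogStoreLogs is used as the concrete write action that the log:Post* pattern covers.

```python
import fnmatch
import json

# Policy documents copied from the "fuzzy match" examples on this page.
SOURCE_READER_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards", "log:GetCursorOrData", "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup", "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint", "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log",
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log/*"
      ],
      "Effect": "Allow"
    }
  ]
}""")

TARGET_WRITER_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["log:Post*", "log:BatchPost*"],
      "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log_output",
      "Effect": "Allow"
    }
  ]
}""")

# Constructed region and account ID, used only to build concrete ARNs.
REGION = "cn-hangzhou"
ACCOUNT_ID = "123456789012345678"


def logstore_arn(project, logstore, region=REGION, account_id=ACCOUNT_ID):
    """Build the concrete ARN of a logstore as it would appear in an access check."""
    return f"acs:log:{region}:{account_id}:project/{project}/logstore/{logstore}"


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _glob_match(patterns, value):
    # Simplified matcher (assumption): '*' matches any run of characters, '/' included.
    # fnmatchcase keeps the comparison case-sensitive on every platform.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """True if at least one Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if _glob_match(stmt["Action"], action) and _glob_match(stmt["Resource"], resource):
            return True
    return False


def covered_projects(policy, action, logstore, candidate_projects):
    """Return the candidate projects in which the policy grants `action` on `logstore`."""
    return [p for p in candidate_projects
            if policy_allows(policy, action, logstore_arn(p, logstore))]


if __name__ == "__main__":
    reader_arn = logstore_arn("log-project-dev-a", "app_a_log")
    print("reader can read   :", policy_allows(SOURCE_READER_POLICY, "log:GetCursorOrData", reader_arn))
    print("reader can write  :", policy_allows(SOURCE_READER_POLICY, "log:PostLogStoreLogs", reader_arn))
    # Wildcard scope check: which projects does log-project-dev-* really cover?
    print("projects covered  :", covered_projects(
        SOURCE_READER_POLICY, "log:ListShards", "app_a_log",
        ["log-project-dev-a", "log-project-dev-zzz", "log-project-prod"]))
```

Run the script as-is to see the checks, or import it and point policy_allows at a policy document exported from the RAM console. If covered_projects lists a project you did not intend to expose, tighten the Resource pattern or switch to the exact-match document.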
Grant the RAM role the write permissions on a destination logstore across Alibaba Cloud accounts
If the source and destination logstores belong to different Alibaba Cloud accounts, perform the following steps to grant permissions to the RAM role. For example, a data transformation job is created to read data from a source logstore that belongs to Alibaba Cloud Account A and write transformed data to a destination logstore that belongs to Alibaba Cloud Account B.
Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role that you want to manage and click the role name.
On the Trust Policy tab, click Edit Trust Policy.
Add "ID of Alibaba Cloud Account A to which the source logstore belongs@log.aliyuncs.com" to the Service element, and replace ID of Alibaba Cloud Account A to which the source logstore belongs with the ID of your Alibaba Cloud account. You can view the ID of your Alibaba Cloud account in the Account Management console. The following policy allows Alibaba Cloud Account A to manage the cloud resources of Alibaba Cloud Account B by using a temporary token.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ID of Alibaba Cloud Account A to which the source logstore belongs@log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View the information about a RAM role.
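The trust policy decides who can assume the role, both in the same-account case from the Prerequisites section (Service must contain "log.aliyuncs.com") and in the cross-account case above (Service must contain the source account's ID followed by "@log.aliyuncs.com"). The following Python script is an added example, not code from Alibaba Cloud or from this page, that checks an exported trust policy against the expected principal and reports anything else: a placeholder that was pasted without being replaced, a principal other than Log Service, or an extra Principal element that widens who can assume the role. The account ID is constructed, and the check assumes the Principal element is a JSON object as in the documents on this page.

```python
import json
import re

LOG_SERVICE = "log.aliyuncs.com"
# Recognises the unreplaced placeholder text from the cross-account template on this page.
PLACEHOLDER_RE = re.compile(r"^ID of Alibaba Cloud Account", re.IGNORECASE)

# Same-account trust policy from the Prerequisites section.
SAME_ACCOUNT_TRUST_POLICY = json.loads("""
{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["log.aliyuncs.com"]}}
  ],
  "Version": "1"
}""")

# Cross-account template, still carrying the placeholder.
PLACEHOLDER = "ID of Alibaba Cloud Account A to which the source logstore belongs"
CROSS_ACCOUNT_TEMPLATE = json.loads("""
{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["%s@log.aliyuncs.com"]}}
  ],
  "Version": "1"
}""" % PLACEHOLDER)

ACCOUNT_A_ID = "123456789012345678"  # constructed, not a real account ID


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def render_cross_account(account_id):
    """Substitute the placeholder with the real source-account ID, as the page instructs."""
    return json.loads(json.dumps(CROSS_ACCOUNT_TEMPLATE).replace(PLACEHOLDER, account_id))


def check_trust_policy(policy, source_account_id=None):
    """Return a list of findings; an empty list means the trust policy is as expected.

    source_account_id=None checks the same-account form; otherwise the
    cross-account form '<account id>@log.aliyuncs.com' is expected.
    """
    expected = LOG_SERVICE if source_account_id is None else f"{source_account_id}@{LOG_SERVICE}"
    findings = []
    found_expected = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"Principal is not an object: {principal!r}")
            continue
        for kind in principal:
            if kind != "Service":
                findings.append(f"Principal.{kind} is present: more than the trusted service can assume the role")
        for svc in _as_list(principal.get("Service")):
            if PLACEHOLDER_RE.match(svc):
                findings.append(f"placeholder was not replaced: {svc}")
            elif svc == expected:
                found_expected = True
            else:
                findings.append(f"Service principal other than the expected one: {svc}")
    if not found_expected:
        findings.append(f"Service element does not contain {expected}")
    return findings


if __name__ == "__main__":
    print("same-account  :", check_trust_policy(SAME_ACCOUNT_TRUST_POLICY) or "OK")
    print("template      :", check_trust_policy(CROSS_ACCOUNT_TEMPLATE, ACCOUNT_A_ID))
    print("cross-account :", check_trust_policy(render_cross_account(ACCOUNT_A_ID), ACCOUNT_A_ID) or "OK")
```

Paste the JSON from the Trust Policy tab into json.loads and call check_trust_policy with the source account's ID (or with no ID for the same-account setup); any non-empty result is something to fix before the role's ARN is handed to a data transformation job.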
What to do next
You can specify the Alibaba Cloud Resource Name (ARN) of the RAM role for a data transformation job. For more information, see Create a data transformation job.