This topic describes how to create a Resource Access Management (RAM) role whose trusted entity is an Alibaba Cloud account and grant the RAM role the permissions to access Simple Log Service. This type of RAM role is used for cross-account access and temporary authorization.
Background information
Roles and users are identities that are used in RAM. A RAM role is a virtual identity that does not have access credentials of its own, such as a password or an AccessKey pair. When a trusted entity assumes a RAM role, it obtains a Security Token Service (STS) token for the role and uses that token to access the resources that the role is authorized to access. The trusted entity of a RAM role, which is the identity that is allowed to assume it, can be an Alibaba Cloud account, a RAM user, or an Alibaba Cloud service. For more information, see RAM role overview.
Step 1: Create a RAM role
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
In the Select Role Type step, select Alibaba Cloud Account as the trusted entity and click Next.
In the Configure Role step, configure the parameters and click OK. The following table describes the parameters.
RAM Role Name: Enter the name of the RAM role. Example: aliyunlogreadrole.
Note: Enter the description of the RAM role.
Select Trusted Alibaba Cloud Account: Specify the trusted Alibaba Cloud account.
  - Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
  - Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions across Alibaba Cloud accounts.
In the Finish step, click Close.
Step 2: Grant permissions to the RAM role
After you create a RAM role, the RAM role does not have permissions. Before the specified Alibaba Cloud account can assume the RAM role to manage Simple Log Service resources, you must attach the required system policies or custom policies to the RAM role. RAM provides the following system policies for Simple Log Service:
AliyunLogFullAccess: This policy grants the permissions to manage all Simple Log Service resources.
AliyunLogReadOnlyAccess: This policy grants the read-only permissions on all Simple Log Service resources.
If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create custom policies. For more information about example policies, see Use custom policies to grant permissions to a RAM user and Overview.
To attach a policy to a RAM role, perform the following steps. In this example, the AliyunLogReadOnlyAccess policy is used.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, find the RAM role and click Grant Permission in the Actions column.
In the Grant Permission panel, select the AliyunLogReadOnlyAccess policy and click OK.
Confirm the authorization result. Then, click Complete.
Step 3: Assign the RAM role to a RAM user of the trusted Alibaba Cloud account
You must use the trusted Alibaba Cloud account to grant the AliyunSTSAssumeRoleAccess permission to a RAM user of the account. Then, the RAM user can call the AssumeRole operation of STS. After the authorization is complete, the RAM user can assume the RAM role created in Step 1: Create a RAM role.
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, find the RAM user that you want to manage and click Add Permissions in the Actions column.
In the Add Permissions panel, find the System Policy tab, select the AliyunSTSAssumeRoleAccess policy, and then click OK.
Confirm the authorization results. Then, click Complete.
Step 4: Obtain an STS token for the RAM role
After the RAM user is granted the AssumeRole permission, the RAM user can call the AssumeRole operation to obtain a temporary STS token for the RAM role that is created in Step 1: Create a RAM role.
For more information about how to call the AssumeRole operation, see STS SDK for Java.
After the RAM user obtains the temporary AccessKey ID, AccessKey secret, and STS token, the RAM user can use the Simple Log Service SDK to access the resources of Simple Log Service. For more information, see Overview of Simple Log Service SDK.
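The four steps above carried through in Python, as an added example that is not Alibaba Cloud's own code or part of this topic. Steps 1 to 3 are console work, so the functions check the artifacts those steps produce (the role's trust policy and a permission policy narrower than AliyunLogReadOnlyAccess) and then perform Step 4: AssumeRole, followed by a Simple Log Service call with the STS token. The account IDs, project name, endpoints and environment variable names are constructed placeholders; the packages alibabacloud_sts20150401, alibabacloud_tea_openapi and aliyun-log are assumed to be installed for the live part only.

```python
"""Cross-account access to Simple Log Service (added example, not Alibaba
Cloud's code). Account IDs, project, endpoints and env names are placeholders.
"""
import os
import re
from datetime import datetime, timezone

ROLE_OWNER_ACCOUNT = "1111111111111111"  # account that owns the role (placeholder)
TRUSTED_ACCOUNT = "2222222222222222"     # "Other Alibaba Cloud Account" (placeholder)
ROLE_NAME = "aliyunlogreadrole"          # the page's example role name


def role_arn(account_id, role_name):
    """RoleArn that the trusted account's RAM user passes to AssumeRole."""
    return f"acs:ram::{account_id}:role/{role_name}"


# Trust policy equivalent to selecting "Other Alibaba Cloud Account" in Step 1.
TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"RAM": [f"acs:ram::{TRUSTED_ACCOUNT}:root"]},
    }],
}

_ACCOUNT_ROOT = re.compile(r"^acs:ram::(\d+):root$")


def trusted_accounts(trust_policy):
    """Account IDs that this trust policy allows to assume the role.

    The role type on this page trusts whole Alibaba Cloud accounts, so any
    other principal form, a wildcard in particular, raises ValueError: a role
    that any caller can assume hands its Step 2 permissions to everyone.
    """
    accounts = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal")
        if not isinstance(principals, dict):
            raise ValueError(f"unexpected principal {principals!r}")
        for p in principals.get("RAM", []):
            m = _ACCOUNT_ROOT.match(p)
            if m is None:
                raise ValueError(f"unexpected principal {p!r}")
            accounts.add(m.group(1))
    return accounts


def trust_policy_ok(trust_policy, expected_account):
    """True only if exactly the expected account can assume the role."""
    try:
        return trusted_accounts(trust_policy) == {expected_account}
    except ValueError:
        return False


def read_only_policy(project):
    """Custom policy for Step 2: read access to one project and its resources
    only, narrower than the AliyunLogReadOnlyAccess system policy."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["log:Get*", "log:List*"],
            "Resource": [f"acs:log:*:*:project/{project}",
                         f"acs:log:*:*:project/{project}/*"],
        }],
    }


def seconds_until_expiry(expiration, now=None):
    """Remaining lifetime of an STS token. Both arguments are UTC strings in
    the form STS returns (2024-01-01T00:00:00Z); now defaults to the clock."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    cur = (datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
           if now else datetime.now(timezone.utc))
    return (exp - cur).total_seconds()


def assume_role(access_key_id, access_key_secret, arn, session_name, duration=3600):
    """Step 4: STS AssumeRole with the trusted RAM user's AccessKey pair.
    SDK imports are local so the offline checks above need no SDK."""
    from alibabacloud_sts20150401 import models as sts_models
    from alibabacloud_sts20150401.client import Client as StsClient
    from alibabacloud_tea_openapi import models as open_api_models

    config = open_api_models.Config(access_key_id=access_key_id,
                                    access_key_secret=access_key_secret)
    config.endpoint = "sts.cn-hangzhou.aliyuncs.com"  # assumed endpoint
    request = sts_models.AssumeRoleRequest(
        role_arn=arn, role_session_name=session_name, duration_seconds=duration)
    creds = StsClient(config).assume_role(request).body.credentials
    return {"access_key_id": creds.access_key_id,
            "access_key_secret": creds.access_key_secret,
            "security_token": creds.security_token,
            "expiration": creds.expiration}


def log_client(endpoint, creds):
    """Simple Log Service client on the temporary credentials; the STS token
    is passed as securityToken (package aliyun-log)."""
    from aliyun.log import LogClient
    return LogClient(endpoint, creds["access_key_id"],
                     creds["access_key_secret"],
                     securityToken=creds["security_token"])


if __name__ == "__main__":
    # Live run: the trusted account's RAM user credentials come from the environment.
    creds = assume_role(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
                        os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
                        role_arn(ROLE_OWNER_ACCOUNT, ROLE_NAME),
                        session_name="log-reader")  # session name identifies the caller
    print(f"token valid for {seconds_until_expiry(creds['expiration']):.0f}s")
    client = log_client("cn-hangzhou.log.aliyuncs.com", creds)  # assumed endpoint
    print(client.list_project().get_projects())
```

The policy checks and the expiry arithmetic run without network access; running the module performs the live AssumeRole with the trusted RAM user's AccessKey pair from the environment. trust_policy_ok accepts only principals of the form acs:ram::<account-id>:root and exactly the expected account, so a trust policy that has been widened after Step 1 fails the check before the role is relied on, and seconds_until_expiry lets a long-running reader refresh the token rather than fail on the first request after it expires.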