You can use an Alibaba Cloud account (Alibaba Cloud Account A) to create a Resource Access Management (RAM) role, specify another Alibaba Cloud account (Alibaba Cloud Account B) as the trusted entity that can assume the RAM role, and grant the RAM role the specific permissions on Simple Log Service resources of Alibaba Cloud Account A. You can then grant the AssumeRole permission to a RAM user of Alibaba Cloud Account B, so that Alibaba Cloud Account B or the specified RAM user can call a Security Token Service (STS) API operation to obtain temporary security credentials. These credentials consist of an AccessKey ID, an AccessKey secret, and a security token. This way, the RAM user can call Simple Log Service API operations and access the Simple Log Service resources of Alibaba Cloud Account A.
Solution overview
Enterprise A has an Alibaba Cloud account named Alibaba Cloud Account A, and Enterprise B has an Alibaba Cloud account named Alibaba Cloud Account B. To isolate business data or outsourced projects, the user of Alibaba Cloud Account A wants to grant Alibaba Cloud Account B the specific permissions on Simple Log Service resources of Alibaba Cloud Account A. The following permissions are granted:
Alibaba Cloud Account B is authorized to write data to Simple Log Service of Alibaba Cloud Account A. In addition, Alibaba Cloud Account B is authorized to use consumer groups to consume data from Simple Log Service of Alibaba Cloud Account A.
A RAM user of Alibaba Cloud Account B is authorized to write data to Simple Log Service of Alibaba Cloud Account A. In addition, the RAM user is authorized to use consumer groups to consume data from Simple Log Service of Alibaba Cloud Account A.
Alibaba Cloud Account B is authorized to call an STS API operation to obtain temporary security credentials and use the credentials to call Simple Log Service API operations. For more information, see What is STS?
To meet the preceding requirements, perform the following steps:
Step 1: The user of Alibaba Cloud Account A creates a RAM role for Alibaba Cloud Account B and grants permissions to Alibaba Cloud Account B
The user of Alibaba Cloud Account A creates a RAM role, specifies Alibaba Cloud Account B to assume the RAM role, and grants the RAM role the specific permissions on Simple Log Service resources of Alibaba Cloud Account A.
You can create a RAM role in the RAM console. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service. You can also call the CreateRole API operation of RAM to create a RAM role. For more information, see CreateRole. The following example describes how to create a RAM role in the console.
Log on to the Resource Access Management (RAM) console by using your Alibaba Cloud account.
Create a RAM role and specify Alibaba Cloud Account B to assume the RAM role.
In the left-side navigation pane, go to the Roles page. On the Roles page, click Create Role.
In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Account for Select Trusted Entity and click Next.
In the Configure Role step, configure the RAM Role Name and Note parameters. Select Other Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter, enter the ID of Alibaba Cloud Account B, and then click OK.
Note: To view the ID of an Alibaba Cloud account, move the pointer over the profile picture in the upper-right corner of the console.
The following example shows the trust policy of the RAM role that was created in the preceding steps:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<ID of Alibaba Cloud Account B>:root"
        ]
      }
    }
  ],
  "Version": "1"
}
Create a custom policy. On the JSON tab of the Create Policy page, replace the existing script in the code editor with the following policy document. For more information, see Create a custom policy on the JSON tab.
Grant the write permissions on Simple Log Service:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "log:PostLogStoreLogs",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Grant the permissions to use consumer groups to pull data from Simple Log Service:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:CreateConsumerGroup",
        "log:ListConsumerGroup",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ConsumerGroupHeartBeat",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Important: The preceding policies grant permissions on all projects and Logstores of Alibaba Cloud Account A. If you want to grant permissions on a specific project and Logstore, use the following values in the Resource element of the policies:
To grant permissions on a project, use acs:log::{projectOwnerAliUid}:project/
To grant permissions on a Logstore, use acs:log::{projectOwnerAliUid}:project/{projectName}/logstore/{logstoreName}/
For more information, see Resource list.
Attach the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
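To make the difference between the wildcard policies above and a Logstore-scoped one concrete, here is an added Python example (not code from the page or from Alibaba Cloud) that builds the scoped policy using the Resource format from the Important note and checks requests against it with a simplified Allow-only matcher. The account ID, project name and Logstore name are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholder values, not taken from the page.
PROJECT_OWNER_UID = "1111111111111111"   # hypothetical ID of Alibaba Cloud Account A
PROJECT = "proj-a"
LOGSTORE = "app-logs"

# Consumer-group actions from the second policy on the page.
CONSUMER_ACTIONS = [
    "log:GetCursorOrData", "log:CreateConsumerGroup", "log:ListConsumerGroup",
    "log:ConsumerGroupUpdateCheckPoint", "log:ConsumerGroupHeartBeat",
    "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup",
]

# The page's write policy as written: Resource "*" covers every project and Logstore.
WILDCARD_WRITE_POLICY = {"Version": "1", "Statement": [
    {"Action": "log:PostLogStoreLogs", "Resource": "*", "Effect": "Allow"}]}


def logstore_arn(owner_uid, project, logstore):
    # Logstore resource format from the page's Important note.
    return f"acs:log::{owner_uid}:project/{project}/logstore/{logstore}/"


def scoped_policy(owner_uid, project, logstore):
    """Write + consumer-group permissions limited to one Logstore instead of "*"."""
    arn = logstore_arn(owner_uid, project, logstore)
    return {"Version": "1", "Statement": [
        {"Action": "log:PostLogStoreLogs", "Resource": arn, "Effect": "Allow"},
        {"Action": CONSUMER_ACTIONS, "Resource": arn, "Effect": "Allow"},
    ]}


def is_allowed(policy, action, resource):
    """Simplified evaluator: a request is allowed if any Allow statement matches both the
    action and the resource with RAM-style '*' wildcards. Real RAM evaluation also applies
    explicit Deny statements and Condition elements, which are omitted here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(scoped_policy(PROJECT_OWNER_UID, PROJECT, LOGSTORE), indent=2))
```

The scoped document is what you would paste on the JSON tab in place of the two wildcard policies when Alibaba Cloud Account B should only reach one Logstore.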
Step 2: The user of Alibaba Cloud Account B creates the user-b RAM user and grants permissions to the RAM user
The user of Alibaba Cloud Account B creates the user-b RAM user and attaches the AliyunSTSAssumeRoleAccess system policy to the RAM user. The AliyunSTSAssumeRoleAccess policy grants the RAM user the permissions to call the AssumeRole API operation of STS.
Use Alibaba Cloud Account B to log on to the RAM console.
Create a RAM user named user-b and select Console Access and Using permanent AccessKey to access in the Access Mode section. For more information, see Create a RAM user.
Important: An AccessKey secret for a RAM user is displayed only when you create an AccessKey pair. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
An AccessKey pair is a permanent credential for application access. If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To prevent credential leak risks, we recommend that you use Security Token Service (STS) tokens. For more information, see Best practices for using an access credential to call API operations.
Attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This way, the RAM user can assume the RAM role to obtain Security Token Service (STS) tokens. For more information, see Grant permissions to a RAM user.
Step 3: The user-b RAM user obtains STS tokens to access Simple Log Service resources
Call the AssumeRole API operation to obtain the temporary AccessKey pair and security token. For more information, see AssumeRole.
You can call this operation by using the following methods:
Call the operation by using the STS SDK. For more information, see STS SDK overview.
Call API operations of Simple Log Service. For more information, see Overview of Simple Log Service SDK.
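Step 3 carried through in Python, as an added example that is not code from the page or from the SDKs' own documentation: user-b assumes the RAM role through the aliyunsdksts package and then writes to Simple Log Service with the aliyun-log-python-sdk using the temporary credentials. The account ID, role name, endpoint and the sample STS response body are constructed placeholders.

```python
import json
import time
from datetime import datetime, timezone

# Constructed placeholders; replace with your own values.
ACCOUNT_A_ID = "1111111111111111"          # hypothetical ID of Alibaba Cloud Account A
ROLE_NAME = "sls-cross-account-role"       # assumed name of the RAM role created in Step 1
SLS_ENDPOINT = "cn-hangzhou.log.aliyuncs.com"


def role_arn(account_id, role_name):
    # ARN of the RAM role in Account A that user-b is trusted to assume.
    return f"acs:ram::{account_id}:role/{role_name}"


def parse_credentials(response_body):
    """Extract the temporary AccessKey pair and security token from an AssumeRole response."""
    creds = json.loads(response_body)["Credentials"]
    expires_at = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"access_key_id": creds["AccessKeyId"], "access_key_secret": creds["AccessKeySecret"],
            "security_token": creds["SecurityToken"], "expires_at": expires_at}


def credentials_valid(creds, now=None):
    # STS tokens are short-lived; call AssumeRole again before expiry instead of caching forever.
    return (now or datetime.now(timezone.utc)) < creds["expires_at"]


def assume_role(user_b_ak_id, user_b_ak_secret, arn, session_name="user-b", duration=3600):
    # Real STS call made with user-b's permanent AccessKey pair (needs AliyunSTSAssumeRoleAccess).
    # SDK imports are local so the helpers above run without the SDKs installed.
    from aliyunsdkcore.client import AcsClient
    from aliyunsdksts.request.v20150401 import AssumeRoleRequest
    client = AcsClient(user_b_ak_id, user_b_ak_secret, "cn-hangzhou")
    req = AssumeRoleRequest.AssumeRoleRequest()
    req.set_RoleArn(arn)
    req.set_RoleSessionName(session_name)   # recorded in Account A's audit trail
    req.set_DurationSeconds(duration)
    return parse_credentials(client.do_action_with_exception(req))


def put_logs_with_sts(creds, project, logstore, fields):
    # Write one log entry to Account A's Logstore using the temporary credentials only.
    from aliyun.log import LogClient, LogItem, PutLogsRequest
    client = LogClient(SLS_ENDPOINT, creds["access_key_id"], creds["access_key_secret"],
                       securityToken=creds["security_token"])
    item = LogItem(timestamp=int(time.time()), contents=list(fields.items()))
    return client.put_logs(PutLogsRequest(project, logstore, "", "", [item]))


# Constructed sample AssumeRole response body (STS field layout, fake values).
SAMPLE_ASSUME_ROLE_RESPONSE = json.dumps({"RequestId": "00000000-0000-0000-0000-000000000000",
    "Credentials": {"AccessKeyId": "STS.EXAMPLEKEYID", "AccessKeySecret": "EXAMPLESECRET",
                    "SecurityToken": "EXAMPLETOKEN", "Expiration": "2030-01-01T00:00:00Z"}})
```

A typical call sequence is creds = assume_role(ak_id, ak_secret, role_arn(ACCOUNT_A_ID, ROLE_NAME)) followed by put_logs_with_sts(creds, "proj-a", "app-logs", {"level": "info", "msg": "hello"}); the permanent AccessKey pair of user-b is used only for the AssumeRole call.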