Simple Log Service: Access data across Alibaba Cloud accounts by using a custom RAM role

Last Updated: Jun 06, 2024

When you run an Object Storage Service (OSS) data shipping job of the new version, the job reads data from a Logstore and ships the data to an OSS bucket. You can authorize the job to assume a custom Resource Access Management (RAM) role to access the required data. If the Logstore and OSS bucket belong to different Alibaba Cloud accounts, you can perform the steps that are described in this topic to authorize the job to access data by using a custom RAM role.

Prerequisites

RAM Role A is created in Alibaba Cloud Account A, and RAM Role B is created in Alibaba Cloud Account B. For more information, see Create a RAM role whose trusted entity is an Alibaba Cloud service and grant the RAM role the permissions to access Simple Log Service.

Note that the RAM role must meet the following requirements:

  • When you create the RAM role, select Alibaba Cloud Service as the trusted entity.

  • In the trust policy of the RAM role, the "Service" field must include "log.aliyuncs.com", as illustrated below.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }


Step 1: Grant RAM Role A the permissions to read data from a Logstore

After you grant RAM Role A the permissions to read data from a Logstore that belongs to Alibaba Cloud Account A, an OSS data shipping job can assume the role to read data from the Logstore.

  1. Use Alibaba Cloud Account A to log on to the RAM console.

  2. Create a policy that grants the permissions to read data from a Logstore.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.

      • Policy that uses exact match

        You can replace the project and Logstore names based on your business requirements.

        {
            "Version":"1",
            "Statement":[
                {
                    "Action":[
                        "log:GetCursorOrData",
                        "log:ListShards"
                    ],
                    "Resource":[
                        "acs:log:*:*:project/Project name/logstore/Logstore name",
                        "acs:log:*:*:project/Project name/logstore/Logstore name/*"
                    ],
                    "Effect":"Allow"
                }
            ]
        }
      • Policy that uses fuzzy match

        In this example, fuzzy match is used. The project name can be log-project-dev-a, log-project-dev-b, or log-project-dev-c, and the Logstore name can be website_a_log, website_b_log, or website_c_log. You can replace the project and Logstore names based on your business requirements.

        {
            "Version":"1",
            "Statement":[
                {
                    "Action":[
                        "log:GetCursorOrData",
                        "log:ListShards"
                    ],
                    "Resource":[
                        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*",
                        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*/*"
                    ],
                    "Effect":"Allow"
                }
            ]
        }
    4. Configure Name and click OK.

      For example, you can specify log-oss-export-source-policy.

  3. Attach the policy to RAM Role A.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. Find RAM Role A and click Grant Permission in the Actions column.

    3. In the Policy section of the Grant Permission panel, select Custom Policy. Then, select the policy that you created in Step 2 and click Grant Permissions. For this example, select log-oss-export-source-policy.

    4. Confirm the authorization results. Then, click Close.

  4. Obtain the Alibaba Cloud Resource Name (ARN) of RAM Role A.

    You can view the ARN of a RAM role in the Basic Information section of the role details page. Example: acs:ram::13****44:role/logrole. You must record the ARN. If you use a custom RAM role when you create an OSS data shipping job, you must enter the ARN of the role in the Logstore Read RAM Role field.
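
The following is an added example, not part of the original page: it expands the two fuzzy-match resource patterns from Step 1 against a constructed inventory and reports every Logstore that RAM Role A could read beyond the names the text lists. It assumes that `*` matches any run of characters; the region, account ID and inventory names are made up.

```python
import re

# Resource patterns copied from the fuzzy-match policy on this page.
FUZZY_RESOURCES = [
    "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*",
    "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*/*",
]
# Project and Logstore names the text lists, in every combination.
INTENDED = {(f"log-project-dev-{p}", f"website_{s}_log") for p in "abc" for s in "abc"}
# Constructed inventory of Account A (names beyond the intended ones are made up).
INVENTORY = sorted(INTENDED) + [
    ("log-project-dev-a", "website_a_log_internal"),
    ("log-project-dev-payments", "website_audit_log"),
    ("log-project-prod-a", "website_a_log"),
    ("log-project-dev-a", "app_log"),
]

def pattern_to_regex(pattern):
    # Assumption: "*" matches any run of characters; everything else is literal.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def logstore_resource(project, logstore, region="cn-hangzhou", account="1234567890123456"):
    # Region and account ID are constructed placeholders.
    return f"acs:log:{region}:{account}:project/{project}/logstore/{logstore}"

def is_covered(project, logstore, patterns=FUZZY_RESOURCES):
    resource = logstore_resource(project, logstore)
    return any(pattern_to_regex(p).fullmatch(resource) for p in patterns)

def unintended_access(inventory, intended, patterns=FUZZY_RESOURCES):
    """Logstores the patterns make readable that are not on the intended list."""
    return sorted(pair for pair in inventory
                  if pair not in intended and is_covered(*pair, patterns))

if __name__ == "__main__":
    for project, logstore in unintended_access(INVENTORY, INTENDED):
        print(f"readable but not intended: {project}/{logstore}")
```

Running the same comparison against the real project and Logstore list of Account A before attaching a fuzzy-match policy shows whether the exact-match form is the safer choice.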

Step 2: Grant RAM Role B the permissions to write data to an OSS bucket

After you grant RAM Role B the permissions to write data to an OSS bucket that belongs to Alibaba Cloud Account B, an OSS data shipping job can assume the role to write data that is read from the Logstore in Alibaba Cloud Account A to the bucket.

  1. Use Alibaba Cloud Account B to log on to the RAM console.

  2. Create a policy that grants the permissions to write data to an OSS bucket.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "oss:PutObject"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }

      If you want to implement finer-grained access control on OSS resources, you can configure the policy based on the instructions provided in RAM policies.

    4. Configure Name and click OK.

      For example, you can specify log-oss-export-sink-policy.

  3. Attach the policy to RAM Role B.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. Find RAM Role B and click Grant Permission in the Actions column.

    3. In the Policy section of the Grant Permission panel, select Custom Policy. Then, select the policy that you created in Step 2 and click Grant Permissions. For this example, select log-oss-export-sink-policy.

    4. Confirm the authorization results. Then, click Complete.

  4. Modify the trust policy of RAM Role B.

    1. On the Roles page, click the name of RAM Role B.

    2. On the Trust Policy tab, click Edit Trust Policy.

    3. Modify the trust policy.

      Add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service field. Replace ID of Alibaba Cloud Account A with the actual ID. You can view the ID of your Alibaba Cloud account in the Account Management console.

      The following policy allows Alibaba Cloud Account A to obtain a temporary Security Token Service (STS) token to manage the cloud resources of Alibaba Cloud Account B:

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com",
                          "ID of Alibaba Cloud Account A@log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    4. Click OK.

  5. Obtain the ARN of RAM Role B.

    You can view the ARN of a RAM role in the Basic Information section of the role details page. Example: acs:ram::11****55:role/ossrole. You must record the ARN. If you use a custom RAM role when you create an OSS data shipping job, you must enter the ARN of the role in the OSS Write RAM Role field.
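
The following is an added example, not part of the original page: a check that the trust policy of RAM Role B allows exactly the two Service principals shown in Step 2, and that flags a sink policy granting oss:PutObject on `"Resource": "*"`. The account IDs, bucket name and prefix are constructed placeholders, and the scoped resource string in the `acs:oss:*:*:<bucket>/<object>` form is an assumption about how the policy would be narrowed.

```python
ACCOUNT_A_ID = "1234567890123456"   # constructed placeholder for Account A's ID
OTHER_ID = "6543210987654321"       # constructed ID of an unrelated account

def trust_policy(services):
    # Same shape as the trust policy shown on this page.
    return {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                           "Principal": {"Service": services}}]}

def sink_policy(resource):
    # Same shape as the OSS write policy shown on this page.
    return {"Version": "1", "Statement": [{"Action": ["oss:PutObject"], "Effect": "Allow",
                                           "Resource": resource}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, account_a_id):
    """Diff the principals allowed to assume Role B against the two this page lists."""
    allowed = {"log.aliyuncs.com", f"{account_a_id}@log.aliyuncs.com"}
    seen, findings = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        services = set(as_list(principal.get("Service", [])))
        findings += [f"unexpected service principal: {s}" for s in sorted(services - allowed)]
        findings += [f"unexpected principal type: {k}" for k in sorted(principal) if k != "Service"]
        seen |= services
    return findings + [f"missing service principal: {s}" for s in sorted(allowed - seen)]

def check_sink_policy(policy):
    """Flag Allow statements that grant object writes on every OSS resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        writes = {"oss:PutObject", "oss:*", "*"} & set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and writes and "*" in as_list(stmt.get("Resource", [])):
            findings.append(f"{'/'.join(sorted(writes))} allowed on Resource \"*\"")
    return findings

if __name__ == "__main__":
    drifted = trust_policy(["log.aliyuncs.com", f"{OTHER_ID}@log.aliyuncs.com"])
    print(check_trust_policy(drifted, ACCOUNT_A_ID))
    print(check_sink_policy(sink_policy("*")))
    # Hypothetical bucket and prefix for a narrowed policy.
    print(check_sink_policy(sink_policy("acs:oss:*:*:example-export-bucket/sls-export/*")))
```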