In this topic, Simple Log Service belongs to Alibaba Cloud Account A and Object Storage Service (OSS) belongs to Alibaba Cloud Account B. To ship data from a Simple Log Service Logstore to an OSS bucket, you can authorize an OSS data shipping job of the new version to assume a custom Resource Access Management (RAM) role.
Step 1: Grant the role-a RAM role the permissions to read data from a Logstore
After you grant a RAM role named role-a of Alibaba Cloud Account A the permissions to read data from a Logstore, an OSS data shipping job can assume the role to read data from the Logstore.
Log on to the RAM console by using Alibaba Cloud Account A.
Create a custom policy that grants the permissions to read data from a Logstore.
You can use a policy document that uses exact match or fuzzy match for authorization.
Exact match for authorization
On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.
Important: You can replace Project name and Logstore name in the policy document based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/Logstore name"
      ],
      "Effect": "Allow"
    }
  ]
}
Fuzzy match for authorization
On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.
Important: In this example, the names of the projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the names of the Logstores are website_a_log, website_b_log, and website_c_log. You can replace log-project-dev-* and website_*_log* in the policy document based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
      ],
      "Effect": "Allow"
    }
  ]
}
Create a RAM role named role-a. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Important: When you create a RAM role, you must set the Select Trusted Entity parameter to Alibaba Cloud Service and the Select Trusted Service parameter to Log Service.
Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Attach the created custom policy to the role-a RAM role. For more information, see Grant permissions to a RAM role.
What to do next
Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View the information about a RAM role.
If you set the Logstore Read RAM Role parameter to Custom Role when you create an OSS data shipping job, you must enter the Alibaba Cloud Resource Name (ARN) of the role. For more information, see Create an OSS data shipping job (new version).
Step 2: Grant the role-b RAM role the permissions to write data to an OSS bucket
After you grant a RAM role named role-b of Alibaba Cloud Account B the permissions to write data to an OSS bucket, an OSS data shipping job can assume the role to write data that is read from the Logstore in Alibaba Cloud Account A to the OSS bucket.
Log on to the RAM console by using Alibaba Cloud Account B.
Create a custom policy that grants the permissions to write data to an OSS bucket.
On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Note: This policy allows oss:PutObject on every OSS resource of Account B. If you want to implement finer-grained access control on OSS resources, for example to restrict the role to the destination bucket, you can configure a policy based on the instructions provided in RAM policies.
Create a RAM role named role-b. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Important: When you create a RAM role, you must set the Select Trusted Entity parameter to Alibaba Cloud Service and the Select Trusted Service parameter to Log Service.
Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Modify the trust policy of the role-b RAM role. For more information, see Edit the trust policy of a RAM role.
Important: Add "ID of Alibaba Cloud Account A@log.aliyuncs.com" to the Service element. Replace the ID of Alibaba Cloud Account A with the actual ID. You can view the ID of your Alibaba Cloud account in the Account Center console.
The following policy allows Alibaba Cloud Account A to obtain a Security Token Service (STS) token to manage the cloud resources of Alibaba Cloud Account B.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "log.aliyuncs.com",
          "ID of Alibaba Cloud Account A@log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Attach the created custom policy to the role-b RAM role. For more information, see Grant permissions to a RAM role.
What to do next
Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View the information about a RAM role.
If you set the OSS Write RAM Role parameter to Custom Role when you create an OSS data shipping job, you must enter the ARN of the role. For more information, see Create an OSS data shipping job (new version).
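The following added example (not part of this page or of Alibaba Cloud's tooling) checks two of the policy documents above before you wire them into a shipping job: it verifies that the role-b trust policy names exactly the two Service principals Step 2 requires, and that the fuzzy-match Logstore policy from Step 1 actually covers a given Logstore ARN. The account ID, region and project/Logstore ARNs are constructed placeholders.

```python
import fnmatch
import json

# Constructed samples: a placeholder ID for Alibaba Cloud Account A, the role-b
# trust policy from Step 2, and the fuzzy-match Logstore read policy from Step 1.
ACCOUNT_A_ID = "123456789012345"  # placeholder, replace with the real account ID
TRUST_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["log.aliyuncs.com", f"{ACCOUNT_A_ID}@log.aliyuncs.com"]}}]})
READ_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": ["log:GetCursorOrData", "log:ListShards"], "Effect": "Allow",
    "Resource": ["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"]}]})

def _as_list(v):
    # RAM policy fields may be a single string or a list; normalise to a list.
    return [v] if isinstance(v, str) else list(v or [])

def trusted_services(trust_policy: str) -> set:
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in json.loads(trust_policy).get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            services.update(_as_list(stmt.get("Principal", {}).get("Service")))
    return services

def check_cross_account_trust(trust_policy: str, account_a_id: str) -> list:
    """Problems with a role-b trust policy: required principals missing, or extra ones."""
    expected = {"log.aliyuncs.com", f"{account_a_id}@log.aliyuncs.com"}
    svcs = trusted_services(trust_policy)
    problems = [f"missing {p}" for p in sorted(expected - svcs)]
    # Any entry beyond the two the page expects widens who may assume the role.
    problems += [f"unexpected principal {p}" for p in sorted(svcs - expected)]
    return problems

def read_allowed(policy: str, action: str, arn: str) -> bool:
    """True if an Allow statement grants `action` on `arn`; Resource may use * wildcards."""
    for stmt in json.loads(policy).get("Statement", []):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action")):
            continue
        if any(fnmatch.fnmatchcase(arn, pat) for pat in _as_list(stmt.get("Resource"))):
            return True
    return False

if __name__ == "__main__":
    print(check_cross_account_trust(TRUST_POLICY, ACCOUNT_A_ID))  # [] when the policy is as expected
    arn = "acs:log:cn-hangzhou:1234567890:project/log-project-dev-a/logstore/website_a_log"
    print(read_allowed(READ_POLICY, "log:GetCursorOrData", arn))  # True
```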