
Simple Log Service:Access data within an Alibaba Cloud account by using a custom RAM role

Last Updated:Jan 22, 2025

When you run an Object Storage Service (OSS) data shipping job, the job pulls data from a logstore and ships it to an OSS bucket. Instead of giving the job long-lived credentials, you can authorize it to assume a custom Resource Access Management (RAM) role: Simple Log Service assumes the role on the job's behalf and acts only with the permissions attached to it. This topic describes how to authorize an OSS data shipping job to read from a logstore and write to an OSS bucket by using a custom RAM role.

Prerequisites

A RAM role is created. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

Important
  • When you create a RAM role, you must set the Select Trusted Entity parameter to Alibaba Cloud Service and the Select Trusted Service parameter to Log Service.

  • Check the trust policy of the RAM role. Make sure that the Service element contains "log.aliyuncs.com", so that Simple Log Service can call sts:AssumeRole on the role. Every other service principal listed in that element can also assume the role, so list only the services that need it.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

Step 1: Grant the RAM role the permissions to read data from a logstore

After you grant a RAM role the permissions to read data from a logstore, you can assign the RAM role to an OSS data shipping job to read data from the logstore.

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy that grants the permissions to read data from a Logstore.

    The Resource element can name one logstore exactly (exact match) or use the * wildcard to cover several projects and logstores (fuzzy match). Both forms are shown below.

    Exact match for authorization

    On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.

    Important

    Replace Project name and Logstore name in the policy document based on your business requirements.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:GetCursorOrData",
                    "log:ListShards"
                ],
                "Resource":[
                    "acs:log:*:*:project/Project name/logstore/Logstore name"
                ],
                "Effect":"Allow"
            }
        ]
    }

    Fuzzy match for authorization

    On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.

    Important
    • In this example, the names of the projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the names of the Logstores are website_a_log, website_b_log, and website_c_log.

    • Replace log-project-dev-* and website_*_log* in the policy document based on your business requirements. Note that a wildcard pattern also matches any project or Logstore that is created later and happens to fit the pattern, so keep the pattern as narrow as the job requires.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:GetCursorOrData",
                    "log:ListShards"
                ],
                "Resource":[
                    "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
                ],
                "Effect":"Allow"
            }
        ]
    }
  3. Attach the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.

Step 2: Grant the RAM role the permissions to write data to an OSS bucket

After you grant a RAM role the permissions to write data to an OSS bucket, you can assign the RAM role to an OSS data shipping job to write the data that is read from a logstore to the OSS bucket.

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy that grants the permissions to write data to an OSS bucket.

    On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:PutObject"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    Note

    With "Resource": "*", the role can write objects to every OSS bucket in the account, not only the destination bucket of the shipping job. For finer-grained access control, restrict the Resource element to the destination bucket, for example acs:oss:*:*:Bucket name/* (replace Bucket name with the name of your bucket). For more information, see RAM policies.

  3. Attach the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
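The following script is an added example and is not code from the original page or from Alibaba Cloud. It takes the trust policy and the permission policies from Step 1 and Step 2 and checks them offline: it evaluates an action/resource pair against a policy using the * wildcard semantics that the fuzzy-match example relies on, lists which actions an Allow statement grants on Resource "*", and reports which service principals can assume the role. The region cn-hangzhou, the account ID 1234567890, the resource ARNs and the bucket name my-log-archive in the hardened OSS policy are made up for the demonstration; the evaluator is a simplification (no Condition element, no ? wildcard), not a reimplementation of RAM's engine.

```python
"""Offline checks for the RAM policy documents used by an OSS data shipping
role. Added example, not code from the original page: the bucket name
my-log-archive, the region cn-hangzhou and the account ID 1234567890 are
made up; the policy documents themselves are the ones shown on the page."""
import json
import re


def _as_list(value):
    """RAM allows Action, Resource and Service to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def matches(pattern, value):
    """Match a Resource/Action pattern where '*' stands for any run of
    characters (the semantics the page's fuzzy-match example relies on).
    Everything else is literal; the '?' wildcard is not handled here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Decide one action/resource pair against a permission policy.
    An explicit Deny wins over any Allow; no matching statement means denied."""
    allowed = False
    for stmt in _load(policy)["Statement"]:
        if not any(matches(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(matches(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def unscoped_allows(policy):
    """Actions an Allow statement grants on Resource '*', i.e. on every
    resource of that type in the account. For a shipping role this list
    should be empty."""
    found = []
    for stmt in _load(policy)["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            found.extend(_as_list(stmt.get("Action")))
    return found


def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role.
    Every entry returned can assume the role, so only log.aliyuncs.com belongs."""
    services = set()
    for stmt in _load(trust_policy)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services.update(_as_list(stmt.get("Principal", {}).get("Service")))
    return services


# Policies as shown on the page: trust policy, fuzzy-match logstore read,
# and the OSS write policy with Resource "*".
TRUST_POLICY = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole",
    "Effect": "Allow", "Principal": {"Service": ["log.aliyuncs.com"]}}]}
LOGSTORE_READ_POLICY = {"Version": "1", "Statement": [{
    "Action": ["log:GetCursorOrData", "log:ListShards"],
    "Resource": ["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"],
    "Effect": "Allow"}]}
OSS_WRITE_UNSCOPED = {"Version": "1", "Statement": [{
    "Action": ["oss:PutObject"], "Resource": "*", "Effect": "Allow"}]}
# Hardened variant (assumed bucket name): objects under one bucket only.
OSS_WRITE_SCOPED = {"Version": "1", "Statement": [{
    "Action": ["oss:PutObject"], "Resource": ["acs:oss:*:*:my-log-archive/*"],
    "Effect": "Allow"}]}

# Constructed resource ARNs for the checks below (region/account made up).
DEV_LOGSTORE = "acs:log:cn-hangzhou:1234567890:project/log-project-dev-a/logstore/website_a_log"
PROD_LOGSTORE = "acs:log:cn-hangzhou:1234567890:project/log-project-prod-a/logstore/website_a_log"
OWN_OBJECT = "acs:oss:*:*:my-log-archive/shipped/2025/01/22/part-0.gz"
OTHER_OBJECT = "acs:oss:*:*:someone-elses-bucket/backup.tar"

if __name__ == "__main__":
    print("read dev logstore  :", is_allowed(LOGSTORE_READ_POLICY, "log:GetCursorOrData", DEV_LOGSTORE))
    print("read prod logstore :", is_allowed(LOGSTORE_READ_POLICY, "log:GetCursorOrData", PROD_LOGSTORE))
    print("other bucket, Resource '*' :", is_allowed(OSS_WRITE_UNSCOPED, "oss:PutObject", OTHER_OBJECT))
    print("other bucket, scoped       :", is_allowed(OSS_WRITE_SCOPED, "oss:PutObject", OTHER_OBJECT))
    print("actions granted on '*':", unscoped_allows(OSS_WRITE_UNSCOPED))
    print("services that can assume the role:", trusted_services(TRUST_POLICY))
```

Run it before attaching the policies: the fuzzy-match read policy admits the dev logstores and rejects a prod logstore with the same Logstore name, the page's OSS policy lets the role write into a bucket it was never meant to touch while the scoped variant does not, and any service beyond log.aliyuncs.com in the trust policy shows up in the last line.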

What to do next

Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View the information about a RAM role.

When you create an OSS data shipping job to ship data to OSS, the ARN is required if you select Custom Role for Logstore Read RAM Role or OSS Write RAM Role. You can use the same role for both, or two separate roles that each carry only the read or only the write policy. For more information, see Create an OSS data shipping job (new version).