When you run an Object Storage Service (OSS) data shipping job, the job pulls data from a Logstore and ships the data to an OSS bucket. You can authorize the job to assume a custom Resource Access Management (RAM) role to access the required data. This topic describes how to authorize an OSS data shipping job to access data by using a custom RAM role.
Prerequisites
A RAM role is created. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
When you create the RAM role, select Alibaba Cloud Service for Select Trusted Entity.
Step 1: Grant the RAM role the permissions to read data from a Logstore
After you grant a RAM role the permissions to read data from a Logstore, you can assign the RAM role to an OSS data shipping job to read data from the Logstore.
Log on to the RAM console by using your Alibaba Cloud account.
Create a policy that grants the permissions to read data from a Logstore.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the JSON tab of the Create Policy page, replace the existing script in the editor with one of the following scripts. Then, click Next to edit policy information.
Policy that uses exact names to match resources
You can replace the project and Logstore names based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/Logstore name",
        "acs:log:*:*:project/Project name/logstore/Logstore name/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Policy that uses wildcard characters to match resources
In this example, fuzzy match is used. The project name can be log-project-dev-a, log-project-dev-b, or log-project-dev-c, and the Logstore name can be website_a_log, website_b_log, or website_c_log. You can replace the project and Logstore names based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*",
        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Configure the Name parameter and click OK.
For example, you can specify log-oss-export-source-policy.
Attach the policy to the RAM role.
In the left-side navigation pane, choose .
Find the RAM role and click Grant Permission in the Actions column.
In the panel that appears, find the Policy section and select Custom Policy from the drop-down list. Then, select the policy that you created in Step 2 and click Grant Permissions. For this example, select log-oss-export-source-policy.
Confirm the authorization result. Then, click Close.
Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.
In the Basic Information section of the RAM role, view the ARN of the RAM role. Example: acs:ram::13****44:role/logrole. We recommend that you record the ARN. If you use a custom role when you create an OSS data shipping job to ship data to OSS, you must enter the ARN in the Logstore Read RAM Role field.
Step 2: Grant the RAM role the permissions to write data to an OSS bucket
After you grant a RAM role the permissions to write data to an OSS bucket, you can assign the RAM role to an OSS data shipping job to write the data that is read from a Logstore to the OSS bucket.
Log on to the RAM console by using your Alibaba Cloud account.
Create a policy that grants the permissions to write data to an OSS bucket.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the JSON tab of the Create Policy page, replace the existing script in the editor with the following script. Then, click Next to edit policy information.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:PutObject"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
If you want to implement finer-grained access control on OSS resources, you can configure the policy based on the instructions provided in RAM policies.
Configure the Name parameter and click OK.
For example, you can specify log-oss-export-sink-policy.
Attach the policy to the RAM role.
In the left-side navigation pane, choose .
Find the RAM role and click Grant Permission in the Actions column.
In the panel that appears, find Select Policy and click Custom Policy. Then, select the policy that you created in Step 2 and click OK. For this example, select log-oss-export-sink-policy.
Confirm the authorization result. Then, click Complete.
Obtain the ARN of the RAM role.
In the Basic Information section of the RAM role, view the ARN of the RAM role. Example: acs:ram::13****44:role/ossrole. We recommend that you record the ARN. If you use a custom role when you create an OSS data shipping job to ship data to OSS, you must enter the ARN in the OSS Write RAM Role field.
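The following added example (not part of the original documentation) checks which Logstore resource names the wildcard policy in Step 1 covers and flags the Resource "*" in the Step 2 policy, so that you can review the scope of both policies before you attach them. It assumes that "*" in a Resource pattern matches any run of characters; the helper functions and the candidate resource names (including the region and account ID) are constructed for illustration.

```python
import json
import re

# Policies copied from this page: the wildcard Logstore read policy (Step 1)
# and the OSS write policy (Step 2).
READ_POLICY = json.loads("""{"Version":"1","Statement":[{"Action":["log:GetCursorOrData","log:ListShards"],
 "Resource":["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*",
             "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*/*"],"Effect":"Allow"}]}""")
WRITE_POLICY = json.loads("""{"Version":"1","Statement":[{"Action":["oss:PutObject"],
 "Resource":"*","Effect":"Allow"}]}""")


def as_list(value):
    """RAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, resource):
    # Assumption: "*" matches any run of characters, including "/" and ":".
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource) is not None


def allowed_resources(policy, candidates):
    """Return the candidate resource names that any Allow statement covers."""
    patterns = [p for s in policy["Statement"] if s["Effect"] == "Allow"
                for p in as_list(s["Resource"])]
    return [c for c in candidates if any(pattern_matches(p, c) for p in patterns)]


def unscoped_allows(policy):
    """Return the actions of Allow statements whose Resource is the bare "*"."""
    return [a for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in as_list(s["Resource"])
            for a in as_list(s["Action"])]


# Constructed resource names: the first is one the page lists, the others are not.
CANDIDATES = [
    "acs:log:cn-hangzhou:123:project/log-project-dev-a/logstore/website_a_log",
    "acs:log:cn-hangzhou:123:project/log-project-dev-a/logstore/website_a_log_audit",
    "acs:log:cn-hangzhou:123:project/log-project-dev-payments/logstore/website_b_log",
    "acs:log:cn-hangzhou:123:project/log-project-prod-a/logstore/website_a_log",
]

if __name__ == "__main__":
    for name in allowed_resources(READ_POLICY, CANDIDATES):
        print("readable:", name)
    print("unscoped write actions:", unscoped_allows(WRITE_POLICY))
```

The wildcard read policy covers the first three constructed names, including a Logstore and a project that are not among the names listed in Step 1, and the write policy is reported because oss:PutObject is allowed on every resource.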