
Simple Log Service:Grant a RAM role the permissions to access Logstores across Alibaba Cloud accounts

Last Updated:Dec 06, 2024

When Scheduled SQL jobs run, the jobs execute SQL statements to analyze data in source Logstores, and then save the analysis results to destination Logstores or destination Metricstores. You can assign a Resource Access Management (RAM) role to a Scheduled SQL job to complete the preceding operations. If the source and destination Logstores do not belong to the same Alibaba Cloud account, perform the steps that are described in this topic to grant permissions to the RAM role. You can specify Logstores or Metricstores when you configure Scheduled SQL jobs. This topic describes how to grant a RAM role the permissions to access Logstores across Alibaba Cloud accounts.

Prerequisites

The RAM role named role-a is created in Alibaba Cloud Account A. The RAM role named role-b is created in Alibaba Cloud Account B. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

Important
  • When you create the RAM role, select Alibaba Cloud Service as the trusted entity.

  • In the trust policy of the RAM role, the "Service" field must include "log.aliyuncs.com", as illustrated below.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

Grant role-a the permissions to analyze data in the source Logstore

After you grant role-a the permissions to analyze data in the source Logstore that belongs to Alibaba Cloud Account A, a Scheduled SQL job can assume role-a to perform SQL analysis on the data in the source Logstore.

  1. Use Alibaba Cloud Account A to log on to the RAM console.

  2. Create a policy that contains the permissions to analyze the log data of a source Logstore.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. Click Create Policy.

    3. On the Create Policy page, click the JSON tab. Replace the existing script in the code editor with one of the following policy documents. Both exact match and fuzzy match are supported for authorization.

      Exact match for authorization

      In this example, the name of the source project is log-project-prod. The name of the source Logstore is website_log. You must replace the names with the actual names of your projects and Logstores.

      Important

      When you create a policy, you can specify either a Logstore or a Metricstore after the logstore keyword in the Resource ARN. If you want to manage Metricstores, you can also refer to the following policy document to create a policy.

      {
          "Version":"1",
          "Statement":[
              {
                  "Action":[
                      "log:PostProjectQuery"
                  ],
                  "Resource":[
                      "acs:log:*:*:project/log-project-prod/logstore/website_log",
                      "acs:log:*:*:project/log-project-prod/logstore/website_log/*"
                  ],
                  "Effect":"Allow"
              },
              {
                  "Action":[
                      "log:GetProjectQuery",
                      "log:PutProjectQuery",
                      "log:DeleteProjectQuery"
                  ],
                  "Resource":[
                      "acs:log:*:*:project/log-project-prod"
                  ],
                  "Effect":"Allow"
              }
          ]
      }

      Fuzzy match for authorization

      In this example, the names of the source projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the source Logstores are website_a_log, website_b_log, and website_c_log. You must replace the names with the actual names of your projects and Logstores.

      {
          "Version":"1",
          "Statement":[
              {
                  "Action":[
                      "log:PostProjectQuery"
                  ],
                  "Resource":[
                      "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log",
                      "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log/*"
                  ],
                  "Effect":"Allow"
              },
              {
                  "Action":[
                      "log:GetProjectQuery",
                      "log:PutProjectQuery",
                      "log:DeleteProjectQuery"
                  ],
                  "Resource":[
                      "acs:log:*:*:project/log-project-dev-*"
                  ],
                  "Effect":"Allow"
              }
          ]
      }
    4. Click OK. In the dialog box that appears, configure the parameters. The following table describes the parameters.

      Parameter     Description
      Name          The name of the policy.
      Description   The description of the policy.

  3. Grant role-a the required permissions.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. Find the RAM role and click Grant Permission in the Actions column.

    3. Select the policy created in Step 2, and then click OK.

    4. Click Close.

Grant role-b the permissions to write data to the destination Logstore

After you grant role-b the permissions to write data to the destination Logstore that belongs to Alibaba Cloud Account B, a Scheduled SQL job can assume role-b to write SQL analysis results of Alibaba Cloud Account A to the destination Logstore.

  1. Use Alibaba Cloud Account B to log on to the RAM console.

  2. Create a policy that contains the permissions to write data to a destination Logstore.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. Click Create Policy.

    3. On the Create Policy page, click the JSON tab. Replace the existing script in the code editor with one of the following policy documents. Both exact match and fuzzy match are supported for authorization.

      Exact match for authorization

      In this example, the name of the destination project is log-project-prod. The name of the destination Logstore is website_log_output. You must replace the names with the actual names of your projects and Logstores.

      Important

      When you create a policy, you can specify either a Logstore or a Metricstore after the logstore keyword in the Resource ARN. If you want to manage Metricstores, you can also refer to the following policy document to create a policy.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Post*",
              "log:BatchPost*"
            ],
            "Resource": "acs:log:*:*:project/log-project-prod/logstore/website_log_output",
            "Effect": "Allow"
          }
        ]
      }

      Fuzzy match for authorization

      In this example, the names of the destination projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the destination Logstores are website_a_log_output, website_b_log_output, and website_c_log_output. You must replace the names with the actual names of your projects and Logstores.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:Post*",
              "log:BatchPost*"
            ],
            "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log_output",
            "Effect": "Allow"
          }
        ]
      }
    4. Click OK. In the dialog box that appears, configure the parameters. The following table describes the parameters.

      Parameter     Description
      Name          The name of the policy.
      Description   The description of the policy.

  3. Grant role-b the required permissions.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. Find the RAM role and click Grant Permission in the Actions column.

    3. Select the policy created in Step 2, and then click OK.

    4. Click Close.

  4. Edit the trust policy of role-b.

    1. In the RAM role list, click the RAM role that you want to manage. In this example, click role-b.

    2. On the Trust Policy tab, click Edit Trust Policy.

    3. Modify the policy.

      Add the ID of Alibaba Cloud Account A to the Service element in the format shown below, and replace the ID with the actual ID for your business scenario. You can view the ID of your Alibaba Cloud account in the Account Center console.

      The following policy allows Alibaba Cloud Account A to obtain a temporary Security Token Service (STS) token and, within the limits of the permission policy attached to role-b, manage the cloud resources of Alibaba Cloud Account B:

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "log.aliyuncs.com",
                          "ID of Alibaba Cloud Account A@log.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    4. Click Save trust policy document.
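As an added example that is not part of the Alibaba Cloud documentation, the following Python models how RAM evaluates the permission policies and the trust policy from this topic, so you can check what a policy actually covers before saving it: is_allowed() applies the * wildcards used by the fuzzy-match documents, and assume_role_services() lists the Service principals that the trust policy of role-b lets call sts:AssumeRole. The wildcard semantics (any run of characters, including /), the Deny-over-Allow evaluation order, the account ID in the trust policy, and the ARN region and account fields used in the test inputs are assumptions of this example.

```python
import re

# Constructed copies of the policies in this topic; the account ID in the trust
# policy is a made-up placeholder.
SOURCE_FUZZY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:PostProjectQuery"],
     "Resource": ["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log",
                  "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log/*"]},
    {"Effect": "Allow",
     "Action": ["log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery"],
     "Resource": ["acs:log:*:*:project/log-project-dev-*"]}]}
DEST_EXACT = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:Post*", "log:BatchPost*"],
     "Resource": "acs:log:*:*:project/log-project-prod/logstore/website_log_output"}]}
TRUST_B = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["log.aliyuncs.com", "1234567890123456@log.aliyuncs.com"]}}]}

def _match(pattern, value):
    """'*' in a RAM policy pattern stands for any run of characters, '/' included (assumed)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair: an explicit Deny wins, otherwise any
    matching Allow grants, and the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _listify(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _listify(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def assume_role_services(trust_policy):
    """Return the Service principals that the trust policy lets call sts:AssumeRole."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _listify(stmt["Action"]):
            services.update(_listify(stmt["Principal"].get("Service", [])))
    return services
```

Running the checks shows two things the documents do not spell out: log:Post* on the destination Logstore also covers log:PostProjectQuery, and a project pattern that ends in * matches every Logstore under those projects as well, which is why the exact-match variant lists the project ARN without a trailing wildcard.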