If you want to use a Resource Access Management (RAM) user to ship logs from a Simple Log Service Logstore to an Object Storage Service (OSS) bucket within the same Alibaba Cloud account or across Alibaba Cloud accounts, you must grant the required permissions to the RAM user in the RAM console. This topic describes how to perform authorization in the RAM console.
How it works
The following process demonstrates how to ship logs from a Simple Log Service Logstore to an OSS bucket:
Your Alibaba Cloud account or a RAM user creates an OSS data shipping job.
Simple Log Service assumes the AliyunLogDefaultRole RAM role.
The RAM role reads logs in the Logstore.
The RAM role ships logs to the bucket.
Prerequisites
The AliyunLogDefaultRole RAM role is created by the owner of the required OSS bucket. For more information, visit the Cloud Resource Access Authorization page.
Use a RAM user to create an OSS data shipping job
When you create an OSS data shipping job, you can specify only one OSS bucket. If you want to ship logs to OSS buckets of two Alibaba Cloud accounts, you must create two data shipping jobs.
The Logstore and bucket belong to the same Alibaba Cloud account
Before you can use a RAM user to create data shipping jobs, you must use your Alibaba Cloud account to grant the required permissions to the RAM user.
Use your Alibaba Cloud account to log on to the RAM console.
Create a policy.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following script, and then click Next to edit policy information.
Note: The policy must include the PassRole permission.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}
Create a RAM user. For more information, see Create a RAM user.
Attach the policy to the RAM user.
In the left-side navigation pane, choose .
On the Users page, find the RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, click Custom Policy in the drop-down list of the Policy section, select the policy that you created in Step 2, and then click Grant permissions.
The Logstore and bucket belong to different Alibaba Cloud accounts
The Logstore and bucket belong to different Alibaba Cloud accounts. The Logstore belongs to Alibaba Cloud Account A, and the bucket belongs to Alibaba Cloud Account B.
Verify that all prerequisites are met within Alibaba Cloud Account B.
Modify the trust policy of the AliyunLogDefaultRole role within Alibaba Cloud Account B to allow Alibaba Cloud Account A to write data to the bucket of Alibaba Cloud Account B. For more information, see Modify the trust policy of the AliyunLogDefaultRole role.
Use Alibaba Cloud Account A to log on to the RAM console.
Create RAM User A1. For more information, see Create a RAM user.
Attach the AliyunRAMFullAccess policy to RAM User A1.
In the left-side navigation pane, choose .
On the Users page, find RAM User A1 and click Add Permissions in the Actions column.
In the Grant Permission panel, click System Policy in the drop-down list of the Policy section, select the AliyunRAMFullAccess policy, and then click Grant permissions.
After you attach the policy to RAM User A1, RAM User A1 has full access permissions on RAM.
If you want RAM User A1 to have only the permissions required for shipping data to OSS, attach a custom policy to RAM User A1 instead. The following sample code provides an example of a custom policy. The value of the Resource element is the Alibaba Cloud Resource Name (ARN) of the AliyunLogDefaultRole role within Alibaba Cloud Account B. For more information about how to create a custom policy, see Create custom policies.
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "acs:ram::${ID of Alibaba Cloud Account B}:role/aliyunlogdefaultrole"
    }
  ],
  "Version": "1"
}
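The two PassRole grants in this topic (the same-account policy, whose Resource is "*", and the scoped policy above) differ only in how far ram:PassRole reaches. The following Python script is an added example and is not part of this topic or of any Alibaba Cloud SDK: a minimal evaluator for RAM policy documents of this shape, used to confirm that the scoped policy permits passing only the AliyunLogDefaultRole role of Account B, whereas the broad policy permits passing any role in any account. The account ID 123456789012345 is a constructed placeholder, and case-insensitive matching of action names and role ARNs is an assumption of the example, not a documented RAM rule.

```python
import re

# Constructed placeholder for the ID of Alibaba Cloud Account B.
ACCOUNT_B = "123456789012345"

# Same-account custom policy from this topic: log:* everywhere plus ram:PassRole on every role.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"},
    ],
}

# Least-privilege policy for RAM User A1: PassRole only on Account B's AliyunLogDefaultRole.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": f"acs:ram::{ACCOUNT_B}:role/aliyunlogdefaultrole",
        }
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is literal.
    Case-insensitive comparison is an assumption of this example."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def is_allowed(policy, action, resource):
    """Return True if the policy allows `action` on `resource`.
    An explicit Deny wins over Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def passrole_targets(policy):
    """List the Resource patterns on which the policy allows ram:PassRole, so a reviewer
    sees at a glance whether the grant is scoped to one role or to every role."""
    targets = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_wildcard_match(a, "ram:PassRole") for a in _as_list(stmt.get("Action", []))):
            targets.extend(_as_list(stmt.get("Resource", [])))
    return targets


if __name__ == "__main__":
    shipping_role = f"acs:ram::{ACCOUNT_B}:role/AliyunLogDefaultRole"
    other_role = "acs:ram::999999999999999:role/SomeAdminRole"
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "PassRole targets:", passrole_targets(policy))
        print(name, "can pass shipping role:", is_allowed(policy, "ram:PassRole", shipping_role))
        print(name, "can pass other role:   ", is_allowed(policy, "ram:PassRole", other_role))
```

The check to run before attaching a policy is the `passrole_targets` call: a PassRole grant whose target is "*" lets the RAM user hand any role in the account to any service that accepts it, which is the reason the scoped ARN form is preferable for a user whose only job is creating shipping jobs.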
Obtain the ARN of the RAM role.
In the Basic Information section on the details page of the RAM role, obtain the ARN of the RAM role. Example: acs:ram::13234:role/logrole.
When you use RAM User A1 to create a data shipping job, enter the ARN in the OSS Write RAM Role field.
Use an Alibaba Cloud account to create an OSS data shipping job
Your Alibaba Cloud account has the permissions to manage all cloud resources. To reduce security risks, we recommend that you use RAM users.
When you create an OSS data shipping job, you can specify only one OSS bucket. If you want to ship logs to OSS buckets of two Alibaba Cloud accounts, you must create two data shipping jobs.
The Logstore and bucket belong to the same Alibaba Cloud account. In this case, you only need to complete the permission configuration that is described in the "Prerequisites" section of this topic.
The Logstore and bucket belong to different Alibaba Cloud accounts. The Logstore belongs to Alibaba Cloud Account A, and the bucket belongs to Alibaba Cloud Account B.
Verify that all prerequisites are met within Alibaba Cloud Account B.
Modify the trust policy of the AliyunLogDefaultRole role within Alibaba Cloud Account B to allow Alibaba Cloud Account A to write data to the bucket of Alibaba Cloud Account B. For more information, see Modify the trust policy of the AliyunLogDefaultRole role.
Modify the trust policy of the AliyunLogDefaultRole role
If you want to ship logs from a Simple Log Service Logstore of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must modify the trust policy of the AliyunLogDefaultRole role.
Go to the Cloud Resource Access Authorization page by using Alibaba Cloud Account B to create the AliyunLogDefaultRole role.
Log on to the RAM console by using Alibaba Cloud Account B.
In the left-side navigation pane, choose .
On the Roles page, find the AliyunLogDefaultRole role and click the name.
On the page that appears, click the Trust Policy tab. Then, click Edit Trust Policy.
In the code editor, add ${ID of Alibaba Cloud Account A}@log.aliyuncs.com to the Service element. Replace ${ID of Alibaba Cloud Account A} with the ID of Alibaba Cloud Account A. You can view the ID of an Alibaba Cloud account in the Account Center console.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "${ID of Alibaba Cloud Account A}@log.aliyuncs.com",
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Obtain the ARN of the RAM role. In the Basic Information section on the details page of the RAM role, obtain the ARN of the RAM role. Example: acs:ram::13234:role/logrole.
When you use Alibaba Cloud Account A to create a data shipping job, enter the ARN in the OSS Write RAM Role field.
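The trust policy edit above is the step that opens Account B's bucket to another account, so it is worth being able to both produce the edit mechanically and audit which accounts a role already trusts. The following Python script is an added example, not part of this topic or of any Alibaba Cloud SDK: it starts from a constructed copy of the default AliyunLogDefaultRole trust policy, adds the ${ID of Alibaba Cloud Account A}@log.aliyuncs.com entry the way the step describes while rejecting anything that is not a plain numeric account ID, and lists the accounts that the resulting policy allows Simple Log Service to assume the role for. The account ID 111122223333 is a constructed placeholder; the function names are the example's own.

```python
import json
import re

LOG_SERVICE_SUFFIX = "@log.aliyuncs.com"

# Constructed copy of the trust policy that the Cloud Resource Access Authorization page
# creates: only Simple Log Service in the role's own account may assume the role.
DEFAULT_TRUST_POLICY = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["log.aliyuncs.com"]},
        }
    ],
    "Version": "1",
}


def _as_list(value):
    """Action and Service may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_log_accounts(trust_policy):
    """Return which accounts the role lets Simple Log Service assume it on behalf of.
    The bare 'log.aliyuncs.com' entry (the role's own account) is reported as 'own-account';
    an '<id>@log.aliyuncs.com' entry is reported as that account ID. Useful for spotting a
    role that trusts more accounts than the shipping setup needs."""
    accounts = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for svc in _as_list(stmt.get("Principal", {}).get("Service", [])):
            if svc == "log.aliyuncs.com":
                accounts.append("own-account")
            elif svc.endswith(LOG_SERVICE_SUFFIX):
                accounts.append(svc[: -len(LOG_SERVICE_SUFFIX)])
    return accounts


def add_trusted_log_account(trust_policy, account_id):
    """Return a copy of the trust policy with '<account_id>@log.aliyuncs.com' added to the
    Service list of the Allow sts:AssumeRole statement. The input is left untouched, the
    operation is idempotent, and only a numeric account ID is accepted so that a wildcard
    or an arbitrary hostname cannot be pasted into the principal by mistake."""
    if not re.fullmatch(r"[0-9]+", account_id):
        raise ValueError(f"not a numeric Alibaba Cloud account ID: {account_id!r}")
    new_policy = json.loads(json.dumps(trust_policy))  # deep copy
    entry = account_id + LOG_SERVICE_SUFFIX
    for stmt in _as_list(new_policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            principal = stmt.setdefault("Principal", {})
            services = _as_list(principal.get("Service", []))
            if entry not in services:
                services.append(entry)
            principal["Service"] = services
            return new_policy
    raise ValueError("trust policy has no Allow sts:AssumeRole statement to extend")


def render_trust_policy(trust_policy):
    """Pretty-print the policy in the form you would paste into the Edit Trust Policy editor."""
    return json.dumps(trust_policy, indent=2)


if __name__ == "__main__":
    account_a = "111122223333"  # constructed placeholder for Account A's ID
    updated = add_trusted_log_account(DEFAULT_TRUST_POLICY, account_a)
    print(render_trust_policy(updated))
    print("accounts trusted to ship via this role:", trusted_log_accounts(updated))
```

Running `trusted_log_accounts` against the current trust policy of AliyunLogDefaultRole in Account B before and after the edit gives a short, reviewable record of exactly which account was added, which is the kind of evidence a change ticket for a cross-account data path should carry.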
References
Simple Log Service can obtain write permissions on all buckets by assuming the AliyunLogDefaultRole role. If you need to narrow the scope of permissions, detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role and attach RAM policies that grant write permissions only on the required buckets to the AliyunLogDefaultRole role.