You can use an Alibaba Cloud account to create a RAM role, specify another Alibaba Cloud account as the trusted entity, and grant the RAM role specific permissions on Log Service. The other Alibaba Cloud account then grants the sts:AssumeRole permission to the RAM users that are allowed to assume the role. Those RAM users (or the other account itself) call the Security Token Service (STS) AssumeRole operation to obtain temporary security credentials: an AccessKey ID, an AccessKey secret, and a security token. With these credentials they can call Log Service API operations and access the Log Service resources that the policies attached to the role allow, and nothing else.

Background information

To isolate business data or outsource projects, the user of Alibaba Cloud Account A wants to grant Alibaba Cloud Account B specific permissions on Log Service. This allows the user of Alibaba Cloud Account B to manage and maintain the specified resources. The permissions are granted as follows:
  • The user of Alibaba Cloud Account B is authorized to write data to the Log Service resources of Alibaba Cloud Account A and use the consumer groups of Alibaba Cloud Account A.
  • The specified RAM users of Alibaba Cloud Account B are authorized to write data to the Log Service resources of Alibaba Cloud Account A and use the consumer groups of Alibaba Cloud Account A.
  • The user of Alibaba Cloud Account B can obtain STS temporary security credentials and call the Log Service API operations to manage Log Service resources of Alibaba Cloud Account A.

Procedure

  1. The user of Alibaba Cloud Account A creates a RAM role and specifies Alibaba Cloud Account B as the trusted entity. This allows Alibaba Cloud Account B to assume the RAM role.
  2. The user of Alibaba Cloud Account A grants a specified permission on Log Service to the RAM role.
  3. The user of Alibaba Cloud Account B creates RAM User B1 and assigns the AliyunSTSAssumeRoleAccess policy to RAM User B1. This allows RAM User B1 to call the STS AssumeRole API operation.
  4. RAM User B1 calls the STS AssumeRole API operation. This allows RAM User B1 to initiate Log Service API requests and manage the Log Service resources of Alibaba Cloud Account A.

Step 1: The user of Alibaba Cloud Account A creates a RAM role for Alibaba Cloud Account B

The user of Alibaba Cloud Account A creates a RAM role and specifies Alibaba Cloud Account B as the trusted entity. This allows Alibaba Cloud Account B to assume the RAM role.

The user of Alibaba Cloud Account A can use the RAM console or call the CreateRole API operation to create the RAM role. To use the RAM console, follow these steps:

  1. Use Alibaba Cloud Account A to log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
  4. Specify the RAM Role Name and Note parameters.
  5. Under Select Trusted Alibaba Cloud Account, select Other Alibaba Cloud Account.
  6. Enter the ID of Alibaba Cloud Account B and click OK.
    Note To view the ID, move your pointer over the profile picture in the upper-right corner of the console, and then click Security Settings.
The following sample shows the trust policy of the RAM role created in the preceding steps. The principal acs:ram::<The ID of Alibaba Cloud Account B>:root trusts Alibaba Cloud Account B as a whole; which RAM users of Account B can actually assume the role is decided by Account B, by granting or withholding the sts:AssumeRole permission (see Step 3).
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<The ID of Alibaba Cloud Account B>:root"
        ]
      }
    }
  ],
  "Version": "1"
}

Step 2: The user of Alibaba Cloud Account A grants a specified permission to the RAM role

To grant a specified permission to the RAM role created in Step 1, follow these steps:

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the page that appears, click Create Policy.
  3. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  4. In the Configuration Mode section, select Script.
  5. Enter a policy and click OK.
    The policy specifies the permission that the user of Alibaba Cloud Account A grants to the user of Alibaba Cloud Account B.
    The following sample policy describes the permission to write data to Log Service:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:PostLogStoreLogs",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    The following sample policy describes the permission to pull data from the Logstore shards that the consumer library allocates:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
             "log:GetCursorOrData",
             "log:CreateConsumerGroup",
             "log:ListConsumerGroup",
             "log:ConsumerGroupUpdateCheckPoint",
             "log:ConsumerGroupHeartBeat",
             "log:GetConsumerGroupCheckPoint",
             "log:UpdateConsumerGroup"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    The preceding two sample policies grant permissions on all projects and Logstores of Alibaba Cloud Account A: anyone who assumes the role can write to, or consume from, every Logstore that Account A owns. Grant permissions only on the project and Logstore that Account B actually needs by using the following formats in the Resource element of the sample policies:
    • To grant permissions on a specified project, use acs:log::{projectOwnerAliUid}:project/{projectName}/.
    • To grant permissions on a specified Logstore, use acs:log::{projectOwnerAliUid}:project/{projectName}/logstore/{logstoreName}/.

    For more information, see Log Service resources used in RAM.

  6. In the left-side navigation pane, click RAM Roles.
  7. In the RAM Role Name column, find the target RAM role.
  8. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  9. In the Policy Name column, select the policy created in the previous step and click OK. This allows you to grant the permission specified in the policy to the RAM role.
  10. Click Finished.
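The difference between "Resource": "*" and a scoped Resource element is easiest to see by evaluating requests against both policies. The following is an added example, not code from the page or from the Log Service SDK: a small Python model of the RAM decision rules that matter here (an explicit Deny beats any Allow, an Allow is required, and "*" matches any characters), applied to the page's two sample policies in broad and scoped form. The owner UID, project and Logstore names, and the resource strings (built on the page's acs:log::{projectOwnerAliUid}:project/... prefix with a trailing "*") are constructed for illustration; this is not the real RAM engine.

```python
import re

# Added example: a simplified model of RAM policy evaluation for Log Service.
# Rules modelled: explicit Deny wins, a matching Allow is required, "*" matches
# any run of characters. Names and resource strings below are constructed.

OWNER_UID = "1234567890123456"  # hypothetical UID of Alibaba Cloud Account A (project owner)

# Page-format resource prefixes followed by "*", so the project/Logstore and anything
# under it (shards, consumer groups) is covered. Assumption made for this demo.
PROJECT_APP_PROD = f"acs:log::{OWNER_UID}:project/app-prod/*"
LOGSTORE_ACCESS = f"acs:log::{OWNER_UID}:project/app-prod/logstore/access/*"

# Policy as on the page: PostLogStoreLogs on every project and Logstore of Account A.
WRITE_ANYWHERE = {
    "Version": "1",
    "Statement": [{"Action": "log:PostLogStoreLogs", "Resource": "*", "Effect": "Allow"}],
}

# The same permission limited to one project, and to one Logstore.
WRITE_ONE_PROJECT = {
    "Version": "1",
    "Statement": [{"Action": "log:PostLogStoreLogs", "Resource": PROJECT_APP_PROD, "Effect": "Allow"}],
}
WRITE_ONE_LOGSTORE = {
    "Version": "1",
    "Statement": [{"Action": "log:PostLogStoreLogs", "Resource": LOGSTORE_ACCESS, "Effect": "Allow"}],
}

# Consumer-group policy from the page, limited to one Logstore, plus an added Deny that
# blocks checkpoint updates even though the Allow list names that action.
CONSUME_ONE_LOGSTORE = {
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:GetCursorOrData",
                "log:CreateConsumerGroup",
                "log:ListConsumerGroup",
                "log:ConsumerGroupUpdateCheckPoint",
                "log:ConsumerGroupHeartBeat",
                "log:GetConsumerGroupCheckPoint",
                "log:UpdateConsumerGroup",
            ],
            "Resource": LOGSTORE_ACCESS,
            "Effect": "Allow",
        },
        {"Action": "log:ConsumerGroupUpdateCheckPoint", "Resource": "*", "Effect": "Deny"},
    ],
}


def _matches(pattern: str, value: str) -> bool:
    """True if value matches pattern, where '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action: str, resource: str) -> bool:
    """Evaluate one action on one resource against all policies attached to the role."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            allowed = True
    return allowed  # no matching Allow: default deny


def logstore(project: str, name: str) -> str:
    """Resource string of a Logstore in the page's format (constructed for this demo)."""
    return f"acs:log::{OWNER_UID}:project/{project}/logstore/{name}/"


if __name__ == "__main__":
    targets = [logstore("app-prod", "access"), logstore("app-prod", "audit"), logstore("billing", "ledger")]
    for name, policy in [("*", WRITE_ANYWHERE), ("project", WRITE_ONE_PROJECT), ("logstore", WRITE_ONE_LOGSTORE)]:
        for target in targets:
            print(f"{name:9} PostLogStoreLogs on {target}: {is_allowed([policy], 'log:PostLogStoreLogs', target)}")
```

Run the block to see that the "*" policy writes to the billing project as readily as to app-prod, while the scoped policies refuse it. The Deny statement in CONSUME_ONE_LOGSTORE shows the other half of the pattern: when a managed action list is broader than you want, a narrow Deny is cheaper than editing the list.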

Step 3: The user of Alibaba Cloud Account B creates RAM User B1 and grants a permission to RAM User B1

The user of Alibaba Cloud Account B creates RAM User B1 and assigns the AliyunSTSAssumeRoleAccess policy to RAM User B1. This allows RAM User B1 to call the STS AssumeRole API operation.

  1. Use Alibaba Cloud Account B to log on to the RAM console.
  2. In the left-side navigation pane, click Users under Identities.
  3. Click Create User.
    Note To create multiple RAM users at a time, click Add User.
  4. Enter the basic information of RAM User B1, select Console Password Logon and Programmatic Access, and then click OK. Only Programmatic Access is needed to call the STS API; enable Console Password Logon only if RAM User B1 also has to use the console.
    Note In this step, Alibaba Cloud Account B must enter a verification code to confirm the operation.
  5. In the left-side navigation pane, click Users under Identities.
  6. In the User Logon Name/Display Name column, find the target RAM user.
  7. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  8. In the Policy Name column, select the AliyunSTSAssumeRoleAccess policy to grant the permission specified in the policy to RAM User B1, and then click OK.
  9. Click Finished.

Step 4: RAM User B1 obtains STS temporary security credentials to access Log Service resources

  1. Call the STS AssumeRole API operation to obtain temporary security credentials. These credentials include the AccessKey ID, AccessKey secret, and security token.
    You can call this operation by using the following methods:
  2. Use the temporary credentials, including the security token, to call the Log Service API operations. The credentials expire at the time returned in the Expiration field of the AssumeRole response, so a long-running writer must call AssumeRole again before then.
    For more information about the Log Service SDK, see Overview.
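The following is an added example, not code from the page or from an Alibaba Cloud SDK: RAM User B1 calls STS AssumeRole with a hand-built, RPC-style signed GET request (the signature scheme STS uses: HMAC-SHA1 over the sorted, percent-encoded query string, keyed with the AccessKey secret plus "&"), then reads the temporary credentials and their expiry out of the reply. It uses only the Python standard library so the signing steps are visible; the SDK does the same work for you. The role ARN, the AccessKey ID and the sample reply are constructed placeholders, and the AccessKey secret must come from a secret store, never from source code.

```python
import base64
import hmac
import json
import urllib.parse
import urllib.request
import uuid
from datetime import datetime, timezone

# Added example: STS AssumeRole request signing and credential handling, standard library only.
# Role ARN, AccessKey ID and SAMPLE_REPLY are constructed placeholders.

STS_ENDPOINT = "https://sts.aliyuncs.com/"
STS_API_VERSION = "2015-04-01"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamps as STS sends and expects them


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as the RPC signature requires: only A-Z a-z 0-9 - _ . ~ stay unencoded."""
    return urllib.parse.quote(str(value), safe="~")


def canonicalized_query_string(params: dict) -> str:
    """Parameters sorted by name, each key and value percent-encoded, joined with '&'."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, params: dict) -> str:
    """Method & encoded('/') & encoded(canonicalized query string)."""
    return f"{method}&{percent_encode('/')}&{percent_encode(canonicalized_query_string(params))}"


def sign(access_key_secret: str, text: str) -> str:
    """Base64(HMAC-SHA1(secret + '&', text))."""
    digest = hmac.new((access_key_secret + "&").encode(), text.encode(), "sha1").digest()
    return base64.b64encode(digest).decode()


def build_assume_role_url(access_key_id, access_key_secret, role_arn, session_name,
                          duration_seconds=3600, timestamp=None, nonce=None) -> str:
    """Signed GET URL for STS AssumeRole; timestamp and nonce can be fixed for testing."""
    params = {
        "Action": "AssumeRole",
        "Version": STS_API_VERSION,
        "Format": "JSON",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,  # appears in audit logs: name the caller, not "test"
        "DurationSeconds": str(duration_seconds),
        "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce or str(uuid.uuid4()),  # unique per request, for replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime(TIME_FORMAT),
    }
    params["Signature"] = sign(access_key_secret, string_to_sign("GET", params))
    return STS_ENDPOINT + "?" + canonicalized_query_string(params)


def verify_url_signature(url: str, access_key_secret: str) -> bool:
    """Re-derive the signature from the query string, as the server side does."""
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    presented = query.pop("Signature", "")
    return hmac.compare_digest(presented, sign(access_key_secret, string_to_sign("GET", query)))


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


def extract_credentials(reply: dict) -> dict:
    """The three values a Log Service client needs, plus the expiry, from an AssumeRole reply."""
    creds = reply["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "access_key_secret": creds["AccessKeySecret"],
        "security_token": creds["SecurityToken"],  # must accompany every Log Service request
        "expiration": parse_timestamp(creds["Expiration"]),
    }


def seconds_until_expiry(creds: dict, now: datetime = None) -> int:
    """Refresh well before this reaches zero; a token past Expiration is rejected."""
    now = now or datetime.now(timezone.utc)
    return int((creds["expiration"] - now).total_seconds())


def assume_role(access_key_id, access_key_secret, role_arn, session_name, duration_seconds=3600) -> dict:
    """Network call: sign, send, and return the temporary credentials."""
    url = build_assume_role_url(access_key_id, access_key_secret, role_arn, session_name, duration_seconds)
    with urllib.request.urlopen(url) as resp:
        return extract_credentials(json.load(resp))


# Constructed sample reply in the shape STS returns; every value is a placeholder.
SAMPLE_REPLY = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "Credentials": {
        "AccessKeyId": "STS.placeholder-id",
        "AccessKeySecret": "placeholder-secret",
        "SecurityToken": "placeholder-token",
        "Expiration": "2024-01-01T01:00:00Z",
    },
}
```

The RoleArn is the role created in Step 1 (acs:ram::<The ID of Alibaba Cloud Account A>:role/<RAM Role Name>); the AccessKey pair belongs to RAM User B1. The three values from extract_credentials are what the Log Service client is configured with: with a security token present, the client must send it on every request, otherwise Log Service cannot tie the temporary AccessKey ID to the assumed role and rejects the call.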

Sample code

Click here to download the sample code. Based on the SDK for Java, the sample code shows how RAM User B1 of Alibaba Cloud Account B uses STS to write data to the project of Alibaba Cloud Account A.