Before performing an OSS shipping task, the owner of the OSS bucket must configure quick authorization. After the authorization is complete, Log Service of the current account has permission to write to the OSS bucket.
This document describes the RAM authorization for OSS shipping tasks in different scenarios.
If you need more fine-grained access control for OSS buckets, see Modify the authorization policy.
If the Log Service project and the OSS bucket are not created with the same Alibaba Cloud account, see
If a sub-account must ship log data to an OSS bucket that belongs to another Alibaba Cloud account, see Shipping between sub-account and main account.
If a sub-account must ship log data of the current main account to an OSS bucket of the same account, see Grant RAM sub-account permissions to access Log Service.
After quick authorization, the role AliyunLogDefaultRole is attached the AliyunLogRolePolicy policy by default, which grants write permission to all OSS buckets of account B.
If you need more fine-grained access control, revoke the AliyunLogRolePolicy authorization from AliyunLogDefaultRole, see OSS authorization to create a more fine-grained permission policy, and then authorize AliyunLogDefaultRole with that policy.
If your Log Service project and OSS bucket are not created with the same Alibaba Cloud account, you must configure the authorization policy in the following way.
For example, Log Service data of account A must be shipped to an OSS bucket created by account B.
Using quick authorization, account B creates the role AliyunLogDefaultRole and grants it write permission to OSS.
In the RAM console, click Role Management in the left-side navigation pane. Then select AliyunLogDefaultRole and click the role name to see its basic information.
In the role description, the Service configuration indicates the legal users of the role. For example, log.aliyuncs.com indicates that Log Service of the current account can assume the role to obtain OSS write permission.
To let account A use the role as well, modify the Service configuration of the role description to add A_ALIYUN_ID@log.aliyuncs.com. The ID of the main account A can be viewed under Account Management > Security Settings.
For example, if the ID of account A is 1654218965343050, the modified description is as follows:
This role description indicates that account A has the permission to use Log Service to obtain the temporary token to operate the resources of the account B. For more information about the role description, see Authorization policies.
Account A creates a shipping task. When configuring the task, the RAM role column must be filled with the RAM role identifier (ARN) of the OSS bucket owner, that is, the RAM role AliyunLogDefaultRole created by account B.
The ARN of the RAM role can be viewed in the role's basic information. The format is as follows:
Suppose the sub-account a_1 of the main account A must use this role to create a shipping rule that ships logs to the OSS bucket of account B. In this case, the main account A must grant the PassRole permission to the sub-account a_1.
The configuration is as follows:
Account B configures quick authorization and adds a description to the role. For more information, see
The main account A logs on to the RAM console and grants the AliyunRAMFullAccess permission to the sub-account a_1.
On the User Management page, click Authorization on the right side of the sub-account a_1 and select AliyunRAMFullAccess.
After successful authorization, a_1 has all RAM permissions.
To restrict the permissions of a_1, the main account A can instead grant a_1 only the permission required for shipping logs to OSS by modifying the authorization policy. The content of the Resource field must be replaced with the ARN of AliyunLogDefaultRole. An example authorization policy is as follows:
The sub-account a_1 creates a shipping task. When configuring the task, the RAM role column must be filled with the RAM role identifier (ARN) of the OSS bucket owner, that is, the RAM role AliyunLogDefaultRole created by account B.
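The two policies this page walks through, the role description of AliyunLogDefaultRole in account B that adds account A as a legal user, and the scoped ram:PassRole policy for sub-account a_1 that replaces AliyunRAMFullAccess, as an added Python example (not Alibaba Cloud's own code); the role name, the ARN format acs:ram::&lt;id&gt;:role/&lt;name&gt; and the account B ID placeholder are assumptions, and the final check flags any policy that still grants PassRole on more than that one role.

```python
# Constructed values: account A's ID is the one used in the text above; the
# role name and the ARN format acs:ram::<id>:role/<name> are assumptions.
ACCOUNT_A_ID = "1654218965343050"
ACCOUNT_B_ID = "<ACCOUNT_B_ID>"  # placeholder for the OSS bucket owner's ID
ROLE_ARN = f"acs:ram::{ACCOUNT_B_ID}:role/aliyunlogdefaultrole"

def trust_policy(authorized_account_id: str) -> dict:
    """Role description (trust policy) for AliyunLogDefaultRole in account B.
    Both Log Service of account B (log.aliyuncs.com) and Log Service acting
    for account A (<id>@log.aliyuncs.com) may assume the role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [
                f"{authorized_account_id}@log.aliyuncs.com",
                "log.aliyuncs.com",
            ]},
        }],
        "Version": "1",
    }

def pass_role_policy(role_arn: str) -> dict:
    """Least-privilege replacement for AliyunRAMFullAccess on sub-account a_1:
    only ram:PassRole, and only for the OSS bucket owner's role."""
    return {
        "Statement": [{"Action": "ram:PassRole", "Effect": "Allow",
                       "Resource": role_arn}],
        "Version": "1",
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def pass_role_is_scoped(policy: dict, role_arn: str) -> bool:
    """True only if every Allow statement that covers ram:PassRole (directly
    or via the ram:* / * wildcards) is limited to exactly role_arn."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        if any(a in ("ram:passrole", "ram:*", "*") for a in actions):
            if _as_list(statement.get("Resource", [])) != [role_arn]:
                return False
    return True

# Constructed: a broad policy of the kind AliyunRAMFullAccess grants.
BROAD_POLICY = {"Statement": [{"Action": "ram:*", "Effect": "Allow",
                               "Resource": "*"}], "Version": "1"}
```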