You can use a RAM user to ship log data from Log Service to OSS. You can also ship log data from Log Service of an Alibaba Cloud account (Alibaba Cloud Account A) to Object Storage Service (OSS) of another Alibaba Cloud account (Alibaba Cloud Account B). Before you ship log data in the two scenarios, you must use RAM to authorize the RAM user or Alibaba Cloud accounts. This topic describes how to use RAM to grant required permissions in the two scenarios.

Prerequisites

Log Service is authorized to access the destination OSS bucket. For more information, see Cloud resource access authorization.

After the authorization is completed, Log Service can assume a role by using STS and write data to the destination OSS bucket.

Cloud resource access authorization

Overview

When you ship log data in different scenarios, you must use RAM to grant relevant permissions.

Modify a permission policy

After you implement cloud resource access authorization for Log Service, the AliyunLogRolePolicy policy is attached to the AliyunLogDefaultRole role. Log Service assumes this role and is therefore authorized to ship log data to every OSS bucket in the account. To implement finer-grained access control, you can detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role and attach a custom policy to the AliyunLogDefaultRole role, for example one that allows writes only to the destination bucket. For more information, see Implement access control based on RAM policies.

Ship log data across Alibaba Cloud accounts

To ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must use RAM to authorize the two Alibaba Cloud accounts. The following procedure describes how to implement the authorization.

  1. Create a role named AliyunLogDefaultRole for Alibaba Cloud Account B on the cloud resource access authorization page.
  2. Log on to the RAM console by using Alibaba Cloud Account B.
  3. In the left-side navigation pane, click RAM Roles.
  4. On the RAM Roles page, click the role named AliyunLogDefaultRole in the RAM Role Name column.
  5. On the page that appears, click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
    In the Edit Trust Policy dialog box, add an entry in the format Alibaba Cloud account ID@log.aliyuncs.com to the Service field, where the Alibaba Cloud account ID is the ID of Alibaba Cloud Account A. To view this ID, log on to the RAM console by using Alibaba Cloud Account A, click the profile picture in the upper-right corner, and then choose Account Management > Security Settings. The ID is displayed on the Security Settings page. Enter only the ID of Alibaba Cloud Account A: every account whose Log Service is listed in this field can obtain an STS token for this role. The existing log.aliyuncs.com entry was added when the role was created in Step 1 and allows Log Service of Alibaba Cloud Account B itself to assume the role. The resulting trust policy allows Log Service of Alibaba Cloud Account A to assume the AliyunLogDefaultRole role of Alibaba Cloud Account B and obtain a temporary STS token that carries the permissions attached to that role.
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "<ID of Alibaba Cloud Account A>@log.aliyuncs.com",
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
  6. Obtain the ARN of the RAM role.
    In the Basic Information section of the AliyunLogDefaultRole page, view the ARN of the AliyunLogDefaultRole role, for example, acs:ram::13234:role/aliyunlogdefaultrole. The account ID in this example is a placeholder; the role name appears in lowercase in the ARN.

    When you configure a log shipping task, enter this ARN in the RAM Role field.
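
The following Python script is an added example; it is not part of this topic and not code from Log Service or RAM. It parses a trust policy document like the one in Step 5, lists which accounts' Log Service can assume the role, and flags anything else in the Service field (wildcards, RAM principals, unexpected account IDs), so that you can review the policy before you save it. The account ID, the constructed policy text and the function names are placeholders and assumptions; the script also assumes that a bare log.aliyuncs.com entry stands for Log Service of the account that owns the role.

```python
import json

# Constructed sample: the trust policy from Step 5, with a placeholder
# (not real) ID standing in for Alibaba Cloud Account A.
ACCOUNT_A_ID = "1234567890123456"

TRUST_POLICY_JSON = json.dumps({
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    ACCOUNT_A_ID + "@log.aliyuncs.com",
                    "log.aliyuncs.com",
                ]
            },
        }
    ],
    "Version": "1",
})

# Constructed counter-example: a trust policy that was loosened to "any service".
WIDE_TRUST_POLICY_JSON = json.dumps({
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["*"]},
        }
    ],
    "Version": "1",
})

LOG_SERVICE_SELF = "log.aliyuncs.com"          # assumed: Log Service of the role's own account
LOG_SERVICE_SUFFIX = "@" + LOG_SERVICE_SELF     # "<account ID>@log.aliyuncs.com"


def _as_list(value):
    """Policy fields such as Action and Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _assume_role_statements(policy):
    """Yield the Allow statements that grant sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "sts:assumerole" in actions or "sts:*" in actions or "*" in actions:
            yield stmt


def trusted_log_accounts(policy_json):
    """Return the account IDs whose Log Service may assume the role.

    "self" stands for the bare log.aliyuncs.com entry.
    """
    accounts = set()
    for stmt in _assume_role_statements(json.loads(policy_json)):
        for svc in _as_list(stmt.get("Principal", {}).get("Service")):
            if svc == LOG_SERVICE_SELF:
                accounts.add("self")
            elif svc.endswith(LOG_SERVICE_SUFFIX):
                accounts.add(svc[: -len(LOG_SERVICE_SUFFIX)])
    return accounts


def check_trust_policy(policy_json, expected_account_ids):
    """Review a trust policy before saving it in the RAM console.

    Returns a list of findings. An empty list means that only Log Service of
    the role's own account and of expected_account_ids can assume the role.
    """
    findings = []
    for stmt in _assume_role_statements(json.loads(policy_json)):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append("principal is not a Service/RAM map: %r" % (principal,))
            continue
        # RAM users or roles listed under another key are not Log Service at all.
        for key in principal:
            if key != "Service":
                findings.append("unexpected principal type %r: %r" % (key, principal[key]))
        for svc in _as_list(principal.get("Service")):
            if "*" in svc:
                findings.append("wildcard service principal %r" % svc)
            elif svc == LOG_SERVICE_SELF:
                continue
            elif svc.endswith(LOG_SERVICE_SUFFIX):
                acct = svc[: -len(LOG_SERVICE_SUFFIX)]
                if not acct.isdigit():
                    findings.append("malformed account ID in %r" % svc)
                elif acct not in expected_account_ids:
                    findings.append("Log Service of unexpected account %s" % acct)
            else:
                findings.append("non-Log-Service principal %r" % svc)
    return findings


if __name__ == "__main__":
    print(sorted(trusted_log_accounts(TRUST_POLICY_JSON)))
    print(check_trust_policy(TRUST_POLICY_JSON, {ACCOUNT_A_ID}))
    print(check_trust_policy(WIDE_TRUST_POLICY_JSON, {ACCOUNT_A_ID}))
```

Paste the JSON from the Edit Trust Policy dialog box into TRUST_POLICY_JSON and pass the set of account IDs you intend to trust; any finding means the role can be assumed by more than Log Service of those accounts.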

Use a RAM user to ship log data across Alibaba Cloud accounts

To use RAM User A1 of Alibaba Cloud Account A to ship log data from Log Service to an OSS bucket of Alibaba Cloud Account B, you must attach a policy that grants the ram:PassRole permission on the role of Alibaba Cloud Account B to RAM User A1.

  1. Complete the configurations for Alibaba Cloud Account B, as described in Ship log data across Alibaba Cloud accounts.
  2. Log on to the RAM console by using Alibaba Cloud Account A.
  3. Create a RAM user named RAM User A1. For more information, see Create a RAM user.
  4. Grant RAM User A1 the permission to pass the AliyunLogDefaultRole role of Alibaba Cloud Account B to Log Service.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find RAM User A1, and click Add Permissions in the Actions column.
    3. In the Add Permissions dialog box, click the System Policy tab under the Select Policy field. In the Authorization Policy Name list, click AliyunRAMFullAccess. The policy appears in the Selected column. Then, click OK.

      After this policy is attached to RAM User A1, RAM User A1 is granted full access to RAM. This includes the ram:PassRole permission on every role, but also the permission to create, modify, and delete any RAM user, role, and policy in Alibaba Cloud Account A. Use this system policy only for a quick test; for a production setup, attach the custom policy described below instead.

      To grant RAM User A1 only the permission that it needs, attach a custom policy that allows ram:PassRole on the role of Alibaba Cloud Account B. The following example is a sample script of such a custom policy. The value of the Resource field is the ARN of the role named AliyunLogDefaultRole of Alibaba Cloud Account B; the account ID in the example is a placeholder. RAM User A1 also needs permissions on Log Service in Alibaba Cloud Account A to create the shipping task, such as the log:* statement in the policy shown in Use a RAM user to ship log data from Log Service to OSS of the same Alibaba Cloud account, which also describes how to create a custom policy.

      {
        "Statement": [
          {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"
          }
        ],
        "Version": "1"
      }
  5. Obtain the ARN of the RAM role.
    In the Basic Information section of the AliyunLogDefaultRole page of Alibaba Cloud Account B, view the ARN of the AliyunLogDefaultRole role, for example, acs:ram::13234:role/aliyunlogdefaultrole. The account ID in this example is a placeholder.

    When you use RAM User A1 to configure a log shipping task, enter this ARN in the RAM Role field.

Use a RAM user to ship log data from Log Service to OSS of the same Alibaba Cloud account

To use a RAM user to create log shipping tasks, you must use your Alibaba Cloud account to grant the relevant permissions to the RAM user.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a permission policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters, and then click OK. The following list describes the parameters.
      Policy Name: The name of the policy.
      Configuration Mode: Select Script.
      Policy Document: The content of the policy. Replace the content in the editor with the following script.
      Note: The policy must include the ram:PassRole permission. As written, the second statement allows ram:PassRole on "*", which lets the RAM user pass any role in the Alibaba Cloud account to Log Service. To follow the principle of least privilege, replace "*" with the ARN of the AliyunLogDefaultRole role, for example acs:ram::13234:role/aliyunlogdefaultrole, in the same way as the cross-account PassRole policy above. Likewise, "log:*" on "*" grants the RAM user all Log Service permissions on all projects of the account.
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "log:*",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "*"
          }
        ]
      }
  3. Create a RAM user. For more information, see Create a RAM user.
  4. Authorize the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user, and click Add Permissions in the Actions column.
    3. Click the Custom Policy tab under the Select Policy field, select the policy that you created in Step 2, and then click OK.
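
The following Python script is an added example; it is not part of this topic and not code from Log Service or RAM. It audits a RAM permission policy such as the same-account policy in Step 2, or the cross-account PassRole policy for RAM User A1, for ram:PassRole grants that are not limited to one role ARN, and it produces the scoped version that a least-privilege setup needs. The constructed policy text, the placeholder role ARN and the function names are assumptions of this example.

```python
import json

# Constructed sample: the same-account policy from Step 2 as written. Its
# second statement allows ram:PassRole on "*", i.e. on every role in the account.
BROAD_POLICY_JSON = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"},
    ],
})

# Placeholder ARN of the role that Log Service assumes (the account ID is not real).
LOG_ROLE_ARN = "acs:ram::1234567890123456:role/aliyunlogdefaultrole"


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _load(policy):
    """Accept either a JSON string or an already parsed policy dict."""
    return json.loads(policy) if isinstance(policy, str) else policy


def _grants_passrole(action):
    """ram:PassRole can also be granted through ram:* or a bare *."""
    return action.lower() in ("ram:passrole", "ram:*", "*")


def _is_single_role_arn(resource):
    """True for an ARN that names exactly one role, e.g. acs:ram::<id>:role/<name>."""
    return resource.startswith("acs:ram::") and ":role/" in resource and "*" not in resource


def passrole_findings(policy):
    """Report Allow statements that let the user pass roles other than one named role."""
    findings = []
    for i, stmt in enumerate(_load(policy).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if _grants_passrole(a)]
        if not actions:
            continue
        wide = [r for r in _as_list(stmt.get("Resource")) if not _is_single_role_arn(r)]
        if wide:
            findings.append("statement %d: %s allowed on %s; scope Resource to the role ARN"
                            % (i, actions, wide))
    return findings


def scope_passrole(policy, role_arn):
    """Return a copy of the policy in which plain ram:PassRole statements are
    limited to role_arn.

    Statements that grant PassRole only through ram:* or * are left unchanged
    (and are still reported by passrole_findings), because narrowing their
    Resource would also narrow every other action they grant.
    """
    scoped = json.loads(json.dumps(_load(policy)))  # deep copy
    for stmt in scoped.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if actions and all(a.lower() == "ram:passrole" for a in actions):
            stmt["Resource"] = role_arn
    return scoped


if __name__ == "__main__":
    for finding in passrole_findings(BROAD_POLICY_JSON):
        print(finding)
    print(json.dumps(scope_passrole(BROAD_POLICY_JSON, LOG_ROLE_ARN), indent=2))
```

Run it against the policy document before you click OK in the Create Custom Policy page: the output of scope_passrole is the document to paste, with the Resource of the PassRole statement set to the ARN shown in the Basic Information section of the role.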