Before performing an OSS shipping task, the owner of the OSS bucket must configure quick authorization. After the authorization is complete, Log Service of the current account has permission to write to the OSS bucket.

This document describes the RAM authorization for OSS shipping tasks in different scenarios.

Modify the authorization policy

After quick authorization, the policy AliyunLogRolePolicy is attached to the role AliyunLogDefaultRole by default, which grants write permission for all OSS buckets of account B.

If you need more fine-grained access control, detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role. See OSS authorization to create a more fine-grained permission policy, and attach that policy to the AliyunLogDefaultRole role.

Cross-account shipping

If your Log Service project and OSS bucket were not created with the same Alibaba Cloud account, you must configure the authorization policy in the following way.

For example, Log Service data of account A must be shipped to the OSS bucket created by account B.

  1. Account B uses quick authorization to create the role AliyunLogDefaultRole, which grants write permission to OSS.
  2. In the RAM console, click Role Management on the left-side navigation pane. Then, select AliyunLogDefaultRole, and click the role name to see the basic information.

    In the role description, Service configuration indicates which principals may use the role. For example, log.aliyuncs.com indicates that Log Service of the current account can assume the role to obtain OSS write permission.

  3. In Service configuration, modify the role description to add A_ALIYUN_ID@log.aliyuncs.com. The ID of the main account A can be viewed in Account Management > Security Settings.
    For example, if the ID of account A is 1654218965343050, the modified description is as follows:
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "1654218965343050@log.aliyuncs.com",
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
    This role description indicates that account A has permission to use Log Service to obtain a temporary token and operate on the resources of account B. For more information about the role description, see Authorization Policy Management.
  4. Account A creates a shipping task. When configuring the task, the RAM role field must be filled with the ARN (RAM role identifier) of the OSS bucket owner's role, that is, the RAM role AliyunLogDefaultRole created by account B.

    The ARN of the RAM role can be viewed in the basic information. The format is as follows: acs:ram::13234:role/logrole.
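The trust policy that steps 2 and 3 describe can be generated and reviewed programmatically. The following Python is an added example, not code from the page or from Alibaba Cloud: it builds the role description for a list of main-account IDs, and lists which accounts a given description actually allows to assume the role, so that an unexpected entry (say, one left behind from an earlier shipping setup) is caught before it is saved. The account ID 1654218965343050 is the one used on the page; any other ID below is constructed for the example.

```python
import json
import re

# Bare principal for Log Service of the bucket owner's own account (from the page).
LOG_SERVICE = "log.aliyuncs.com"
ACCOUNT_ID_RE = re.compile(r"^\d+$")


def build_trust_policy(allowed_account_ids):
    """Return the AliyunLogDefaultRole role description as a dict.

    Each foreign main-account ID is added as "<ID>@log.aliyuncs.com", followed
    by the bare "log.aliyuncs.com" entry, matching the layout shown on the page.
    """
    services = []
    for acct in allowed_account_ids:
        acct = str(acct)
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a numeric account ID: {acct!r}")
        services.append(f"{acct}@{LOG_SERVICE}")
    services.append(LOG_SERVICE)
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": services},
            }
        ],
        "Version": "1",
    }


def assuming_accounts(policy):
    """Return, sorted, the accounts a trust policy lets assume the role.

    Only Allow statements for sts:AssumeRole with a Service principal count.
    The bare "log.aliyuncs.com" entry (the bucket owner itself) is reported as
    "self"; "<ID>@log.aliyuncs.com" entries are reported by their ID.
    """
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        for svc in services:
            if svc == LOG_SERVICE:
                found.add("self")
            elif svc.endswith("@" + LOG_SERVICE):
                found.add(svc.split("@", 1)[0])
    return sorted(found)


def unexpected_accounts(policy, expected_ids):
    """Accounts the policy allows that are not on the expected allow-list."""
    expected = {str(i) for i in expected_ids} | {"self"}
    return [a for a in assuming_accounts(policy) if a not in expected]


if __name__ == "__main__":
    # Account ID from the page; "999" is a constructed stale entry for illustration.
    policy = build_trust_policy(["1654218965343050"])
    print(json.dumps(policy, indent=2))
    stale = build_trust_policy(["1654218965343050", "999"])
    print("unexpected:", unexpected_accounts(stale, ["1654218965343050"]))
```

Run the description you are about to paste into the RAM console through assuming_accounts and compare against the list of accounts that should be shipping into the bucket; the trust policy is what lets another account's Log Service act on your bucket, so it deserves the same review as the bucket policy itself.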

Shipping between sub-account and main account

If the sub-account a_1 of the main account A must use this role to create a shipping rule that ships logs to the OSS bucket of account B, the main account A must grant the PassRole permission to the sub-account a_1.

The configuration is as follows:

  1. Account B configures quick authorization and adds a description to the role. For more information, see Cross-account shipping.
  2. The main account A logs on to the RAM console and grants the AliyunRAMFullAccess permission to the sub-account a_1.
    1. On the User Management page, click Authorization on the right side of the sub-account a_1.
    2. Search for AliyunRAMFullAccess in the authorizable policies, and add it to selected policies. Then click Confirm.

      After successful authorization, a_1 has all RAM permissions.

      To limit the permissions of a_1, the main account A can instead grant a_1 only the permissions required for shipping logs to OSS by modifying the Action and Resource parameters.

      The Resource must be replaced with the ARN of AliyunLogDefaultRole. An example authorization policy is as follows:

      {
        "Statement": [
          {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"
          }
        ],
        "Version": "1"
      }
    3. The sub-account a_1 creates a shipping task. When configuring the task, the RAM role field must be filled with the ARN (RAM role identifier) of the OSS bucket owner's role, that is, the RAM role AliyunLogDefaultRole created by account B.
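Step 2 offers two options for a_1: the broad AliyunRAMFullAccess policy, or a policy pinned to ram:PassRole on one role ARN. The following Python is an added example, not code from the page or from Alibaba Cloud: it generates the narrow policy from a role ARN and flags any PassRole grant that is wider than a single named role, so the policy actually attached to a_1 can be checked against the least-privilege form shown on the page. The role ARN acs:ram::1111111:role/aliyunlogdefaultrole is the one on the page; the "broad" policy below is constructed to stand in for a full-access grant and is not the text of AliyunRAMFullAccess.

```python
import json
import re

# Shape of a RAM role ARN as shown on the page: acs:ram::<account-id>:role/<name>.
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d+):role/([A-Za-z0-9._-]+)$")


def build_pass_role_policy(role_arn):
    """Return a policy that allows ram:PassRole on exactly one role ARN."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not a single RAM role ARN: {role_arn!r}")
    return {
        "Statement": [
            {"Action": "ram:PassRole", "Effect": "Allow", "Resource": role_arn}
        ],
        "Version": "1",
    }


def pass_role_findings(policy):
    """Report Allow statements that grant PassRole more widely than one role.

    A statement counts as granting PassRole if its Action is ram:PassRole or a
    wildcard covering it. Each Resource that is not a concrete role ARN, and
    each wildcard Action, produces one finding. An empty list means every
    PassRole grant is pinned to a named role.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        wildcard = [a for a in actions if a in ("ram:*", "*")]
        if "ram:PassRole" not in actions and not wildcard:
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if not ROLE_ARN_RE.match(res):
                findings.append(
                    f"statement {i}: PassRole allowed on {res!r}, not a single role ARN"
                )
        if wildcard:
            findings.append(
                f"statement {i}: wildcard action {wildcard} grants PassRole among everything else"
            )
    return findings


if __name__ == "__main__":
    narrow = build_pass_role_policy("acs:ram::1111111:role/aliyunlogdefaultrole")
    print(json.dumps(narrow, indent=2))
    print("narrow findings:", pass_role_findings(narrow))
    # Constructed stand-in for a full-access grant (not the real AliyunRAMFullAccess text).
    broad = {"Statement": [{"Action": "ram:*", "Effect": "Allow", "Resource": "*"}], "Version": "1"}
    print("broad findings:", pass_role_findings(broad))
```

The check is deliberately strict about the Resource: a pattern such as acs:ram::1111111:role/* would let a_1 pass any role in the account to Log Service, not just AliyunLogDefaultRole, which is the exposure the page's narrow policy is meant to avoid.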