If you want to allow a RAM user or an Alibaba Cloud account to ship your log data from Log Service to Object Storage Service (OSS), you must authorize the RAM user or the Alibaba Cloud account in the Resource Access Management (RAM) console. This topic describes how to perform authorization in the RAM console.

Prerequisites

Log Service is authorized to access the destination OSS bucket. You can go to the Cloud Resource Access Authorization page to complete the authorization.

After you perform the authorization, Log Service can assume a role to obtain a temporary credential that is provided by Security Token Service (STS). This way, Log Service can ship log data to the destination OSS bucket.

Overview

Before you ship log data, you must perform authorization in the RAM console based on your business requirements.

Modify a policy

After you complete authorization on the Cloud Resource Access Authorization page, the AliyunLogRolePolicy policy is attached to the AliyunLogDefaultRole role. Log Service can assume the AliyunLogDefaultRole role to ship log data to OSS buckets. If you want to perform fine-grained access control, you must detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role and attach a custom policy to the AliyunLogDefaultRole role. For more information, see Overview.

Ship log data across multiple Alibaba Cloud accounts

Before you can ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must complete authorization in the RAM console. To complete authorization, perform the following steps:

  1. Use Alibaba Cloud Account B to complete the authorization on the Cloud Resource Access Authorization page. The AliyunLogDefaultRole role is created.
  2. Use Alibaba Cloud Account B to log on to the RAM console.
  3. In the left-side navigation pane, choose Identities > Roles.
  4. On the Roles page, click the name of the AliyunLogDefaultRole role in the Role Name column.
  5. On the page that appears, click the Trust Policy Management tab. Then, click Edit Trust Policy.
    In the Edit Trust Policy panel, add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element of the Principal. Replace ID of Alibaba Cloud Account A with the ID of your Alibaba Cloud account. You can view the ID of your Alibaba Cloud account in the Account Management console. The following trust policy allows Log Service in Alibaba Cloud Account A to assume the role and obtain a temporary STS token to manage the cloud resources of Alibaba Cloud Account B.
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ID of Alibaba Cloud Account A@log.aliyuncs.com",
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
  6. Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.
    In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logrole.

    When you use Alibaba Cloud Account A to configure a log shipping task, enter the ARN in the RAM Role field.

Use a RAM user to ship log data across multiple Alibaba Cloud accounts

Before you can use RAM User A1 of Alibaba Cloud Account A to ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must use Alibaba Cloud Account A to grant the PassRole permission to RAM User A1.

  1. Complete the configurations for Alibaba Cloud Account B based on Ship log data across multiple Alibaba Cloud accounts.
  2. Use Alibaba Cloud Account A to log on to the RAM console.
  3. Create RAM User A1. For more information, see Create a RAM user.
  4. Attach the AliyunRAMFullAccess policy to RAM User A1.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find RAM User A1 and click Add Permissions in the Actions column.
    3. In the Add Permissions panel, click System Policy in the Select Policy section, select the AliyunRAMFullAccess policy, and then click OK.

      After you attach the policy to RAM User A1, RAM User A1 has full access permissions on RAM.

      If you want RAM User A1 to have permissions only on OSS, you must attach a custom policy to RAM User A1 based on the following example. The value of the Resource element is the ARN of the AliyunLogDefaultRole role of Alibaba Cloud Account B. For more information about how to create a custom policy, see Use a RAM user to ship log data within the same Alibaba Cloud account.

      {
        "Statement": [
          {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"
          }
        ],
        "Version": "1"
      }
  5. Obtain the ARN of the RAM role.
    In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logrole.

    When you use RAM User A1 to configure a log shipping task, enter the ARN in the RAM Role field.

Use a RAM user to ship log data within the same Alibaba Cloud account

Before you can use a RAM user to create log shipping tasks, you must use your Alibaba Cloud account to grant the required permissions to the RAM user.

  1. Use your Alibaba Cloud account to log on to the RAM console.
  2. Create a policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.
      Parameter            Description
      Policy Name          The name of the policy.
      Configuration Mode   Select Script.
      Policy Document      The content of the policy. Replace the content in the editor with the following script.
                           Note: The policy must include the PassRole permission.
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "log:*",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "*"
          }
        ]
      }
  3. Create a RAM user. For more information, see Create a RAM user.
  4. Grant the required permissions to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user and click Add Permissions in the Actions column.
    3. In the Add Permissions panel, click Custom Policy in the Select Policy section, select the policy that you created in Step 2, and then click OK.
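A review check for the two kinds of policy document on this page, written as an added example rather than Alibaba Cloud's own tooling. It parses a role trust policy of the shape shown under Ship log data across multiple Alibaba Cloud accounts and confirms that only the expected account's Log Service principal (and the owning account's own log.aliyuncs.com principal) may assume the role, and it parses a RAM user policy and flags a ram:PassRole grant whose Resource is "*" rather than the ARN of the shipping role, the scoped form shown for RAM User A1 above. The account ID 1234567890123456 is a constructed sample value, the role ARN is the one from the RAM User A1 example, and the function names are the example's own.

```python
"""Checks for RAM policies used when shipping Log Service data to OSS.

Added example, not Alibaba Cloud's code. Parses policy documents of the
shape shown on this page and reports the settings a reviewer would question.
"""
import json
from typing import Any, Iterable, List

LOG_SERVICE_DOMAIN = "log.aliyuncs.com"


def _as_list(value: Any) -> List[Any]:
    """RAM policies allow a single string or a list in most elements."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: str, allowed_account_ids: Iterable[str]) -> List[str]:
    """Return findings for a role trust policy.

    Each service principal of the form '<account ID>@log.aliyuncs.com' must
    name an account in allowed_account_ids. The bare 'log.aliyuncs.com'
    principal is the owning account's own Log Service and is accepted.
    """
    findings: List[str] = []
    allowed = set(allowed_account_ids)
    policy = json.loads(doc)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        for svc in services:
            if svc == LOG_SERVICE_DOMAIN:
                continue
            account, sep, domain = svc.partition("@")
            if not sep or domain != LOG_SERVICE_DOMAIN:
                findings.append(f"unexpected principal: {svc}")
            elif account not in allowed:
                findings.append(f"unlisted account may assume role: {account}")
    return findings


def check_passrole_policy(doc: str, role_arn: str) -> List[str]:
    """Return findings for a RAM user policy that grants ram:PassRole.

    PassRole should be limited to the shipping role's ARN; a Resource of '*'
    lets the user pass any role in the account to Log Service.
    """
    findings: List[str] = []
    policy = json.loads(doc)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("ram:PassRole", "ram:*", "*") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append("ram:PassRole allowed on Resource '*'")
            elif res != role_arn:
                findings.append(f"ram:PassRole allowed on unexpected role: {res}")
    return findings


# Constructed sample documents. 1234567890123456 stands in for the ID of
# Alibaba Cloud Account A; the role ARN is the one used in the page's example.
SAMPLE_ACCOUNT_A = "1234567890123456"
ROLE_ARN_B = "acs:ram::1111111:role/aliyunlogdefaultrole"

TRUST_POLICY = """{
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": ["1234567890123456@log.aliyuncs.com", "log.aliyuncs.com"]}
  }],
  "Version": "1"
}"""

PASSROLE_SCOPED = """{
  "Statement": [{"Action": "ram:PassRole", "Effect": "Allow",
                 "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"}],
  "Version": "1"
}"""

PASSROLE_WILDCARD = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY, [SAMPLE_ACCOUNT_A]) or "ok")
    print("scoped PassRole:", check_passrole_policy(PASSROLE_SCOPED, ROLE_ARN_B) or "ok")
    print("wildcard PassRole:", check_passrole_policy(PASSROLE_WILDCARD, ROLE_ARN_B) or "ok")
```

Run it against the trust policy of Account B's AliyunLogDefaultRole and the custom policy attached to the RAM user. The same-account policy shown in Step 2 above grants ram:PassRole on "*", which this check reports; replacing that Resource with the ARN of the role used for shipping keeps the RAM user limited to the role the task actually needs.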