If you want to use a RAM user to ship your log data from Log Service to Object Storage Service (OSS) within the same Alibaba Cloud account or across Alibaba Cloud accounts, you must grant the required permissions to the RAM user in the Resource Access Management (RAM) console. This topic describes how to perform authorization in the RAM console.
Prerequisites
Log Service is authorized to connect to the destination OSS bucket. For more information about how to complete the authorization, visit the Cloud Resource Access Authorization page.
After the authorization, Log Service can assume a role to obtain a Security Token Service (STS) token, which provides temporary credentials for access. This way, Log Service can ship log data to the destination OSS bucket.
Overview
Before you can ship log data, you must perform authorization in the RAM console based on your business requirements.
For more information about how to perform fine-grained access control on the destination OSS bucket, see Modify a policy.
For more information about how to ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, see Ship log data across Alibaba Cloud accounts.
For more information about how to use a RAM user to ship log data from a Log Service project to an OSS bucket within the same Alibaba Cloud account, see Use a RAM user to ship log data within the same Alibaba Cloud account.
For more information about how to use a RAM user to ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, see Use a RAM user to ship log data across Alibaba Cloud accounts.
Modify a policy
After you complete authorization on the Cloud Resource Access Authorization page, the AliyunLogRolePolicy policy is attached to the AliyunLogDefaultRole role. Log Service can assume the AliyunLogDefaultRole role to ship log data to OSS buckets. If you want to perform fine-grained access control, for example, to allow Log Service to write only to specific OSS buckets, you must detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role and attach a custom policy that grants only the required OSS permissions on those buckets. For more information, see Overview.
Ship log data across Alibaba Cloud accounts
Before you can ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must complete authorization in the RAM console. To complete authorization, perform the following steps:
Note: A log shipping task can write to OSS buckets of only one Alibaba Cloud account. For example, a task that ships log data from a Log Service project of Alibaba Cloud Account A can write to an OSS bucket of Alibaba Cloud Account B, but not to OSS buckets of Alibaba Cloud Account B and Alibaba Cloud Account C at the same time. If you need to ship log data from one Log Service project to OSS buckets of two Alibaba Cloud accounts, you must create two log shipping tasks.
Use Alibaba Cloud Account B to complete the authorization on the Cloud Resource Access Authorization page. The AliyunLogDefaultRole role is created.
Use Alibaba Cloud Account B to log on to the RAM console.
In the left-side navigation pane, choose .
On the Roles page, click the name of the AliyunLogDefaultRole role in the Role Name column.
On the page that appears, click the Trust Policy Management tab. Then, click Edit Trust Policy.
In the Edit Trust Policy panel, add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element. Replace ID of Alibaba Cloud Account A with the ID of Alibaba Cloud Account A. You can view the ID of an Alibaba Cloud account in the Account Management console. The following trust policy allows Log Service, when it acts on behalf of Alibaba Cloud Account A, to assume the AliyunLogDefaultRole role of Alibaba Cloud Account B and obtain an STS token that carries the permissions attached to the role. Add only the accounts that you intend to trust: Log Service can ship data into the OSS buckets of Alibaba Cloud Account B on behalf of every account that is listed here.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ID of Alibaba Cloud Account A@log.aliyuncs.com",
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.
In the Basic Information section of the RAM role, obtain the ARN. The ARN of the AliyunLogDefaultRole role has the format acs:ram::<ID of Alibaba Cloud Account B>:role/aliyunlogdefaultrole. Example: acs:ram::13234:role/aliyunlogdefaultrole.
When you use Alibaba Cloud Account A to configure a log shipping task, enter the ARN in the OSS Write RAM Role field.
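The trust-policy step above, worked as an added example that is not part of this documentation: the Python script below builds the trust policy for the AliyunLogDefaultRole role of Alibaba Cloud Account B from the IDs of the accounts to be trusted, parses a trust policy back to list which accounts' Log Service may assume the role (so you can spot an account you did not intend to trust), and composes the ARN that is entered in the OSS Write RAM Role field. The account IDs are constructed placeholders, and the script does not call any Alibaba Cloud API.

```python
"""Build and audit the trust policy of AliyunLogDefaultRole for cross-account shipping.

Added example, not part of the Alibaba Cloud documentation. Account IDs and the
role name used here are constructed placeholders.
"""
import json
import re

LOG_SERVICE_PRINCIPAL = "log.aliyuncs.com"
# Log Service acting on behalf of another account appears as "<account ID>@log.aliyuncs.com".
_CROSS_ACCOUNT_RE = re.compile(r"^(\d+)@log\.aliyuncs\.com$")


def build_trust_policy(trusting_account_ids):
    """Trust policy that lets Log Service of the role's own account and of each
    listed account assume the role (the shape shown in the procedure above)."""
    services = [f"{acct}@{LOG_SERVICE_PRINCIPAL}" for acct in trusting_account_ids]
    services.append(LOG_SERVICE_PRINCIPAL)
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": services},
            }
        ],
        "Version": "1",
    }


def trust_policy_json(trusting_account_ids):
    """The document as pasted into the Edit Trust Policy panel."""
    return json.dumps(build_trust_policy(trusting_account_ids), indent=2)


def trusted_log_service_accounts(policy_json):
    """Parse a trust policy and return the account IDs whose Log Service may assume
    the role. A bare 'log.aliyuncs.com' means the role's own account -> 'own'."""
    policy = json.loads(policy_json)
    trusted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        for svc in services:
            if svc == LOG_SERVICE_PRINCIPAL:
                trusted.add("own")
            else:
                match = _CROSS_ACCOUNT_RE.match(svc)
                if match:
                    trusted.add(match.group(1))
    return trusted


def unexpected_trusted_accounts(policy_json, expected_account_ids):
    """Accounts trusted by the policy that you did not expect. Anything other than
    an empty set means Log Service can write to Account B's buckets on behalf of an
    account you did not intend to trust."""
    return trusted_log_service_accounts(policy_json) - set(expected_account_ids) - {"own"}


def role_arn(account_id, role_name="aliyunlogdefaultrole"):
    """ARN entered in the OSS Write RAM Role field: acs:ram::<Account B ID>:role/<role>."""
    return f"acs:ram::{account_id}:role/{role_name}"


if __name__ == "__main__":
    ACCOUNT_A = "1234567890123456"  # constructed placeholder
    ACCOUNT_B = "6543210987654321"  # constructed placeholder
    doc = trust_policy_json([ACCOUNT_A])
    print(doc)
    print("trusted:", trusted_log_service_accounts(doc))
    print("unexpected:", unexpected_trusted_accounts(doc, [ACCOUNT_A]))
    print("OSS Write RAM Role:", role_arn(ACCOUNT_B))
```

Run the audit against the trust policy exported from Account B's role whenever a shipping task is added or removed; a non-empty result from unexpected_trusted_accounts means the role still trusts an account that should have been removed.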
Use a RAM user to ship log data across Alibaba Cloud accounts
Before you can use RAM User A1 of Alibaba Cloud Account A to ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must use Alibaba Cloud Account A to grant the PassRole permission to RAM User A1.
Complete the configurations for Alibaba Cloud Account B based on Ship log data across Alibaba Cloud accounts.
Use Alibaba Cloud Account A to log on to the RAM console.
Create RAM User A1. For more information, see Create a RAM user.
Attach the AliyunRAMFullAccess policy to RAM User A1.
In the left-side navigation pane, choose .
On the Users page, find RAM User A1 and click Add Permissions in the Actions column.
In the Add Permissions panel, click System Policy in the Select Policy section, select the AliyunRAMFullAccess policy, and then click OK.
After you attach the policy to RAM User A1, RAM User A1 has full access permissions on RAM. This includes the permissions to create, modify, and delete all RAM users, roles, and policies of Alibaba Cloud Account A, which is far more than the PassRole permission that this scenario requires. Use this policy only for a quick test; for production, use the custom policy described in the next step.
If you want to follow the principle of least privilege and grant RAM User A1 only the permission that this scenario requires, attach a custom policy to RAM User A1 instead. The following sample policy grants only the ram:PassRole permission on the AliyunLogDefaultRole role of Alibaba Cloud Account B. The value of the Resource element is the ARN of that role, and 1111111 in the example stands for the ID of Alibaba Cloud Account B. RAM User A1 also needs permissions on Log Service to create the shipping task, such as the log:* statement in the policy shown in Use a RAM user to ship log data within the same Alibaba Cloud account. For more information about how to create a custom policy, see Use a RAM user to ship log data within the same Alibaba Cloud account.
{
  "Statement": [
    {
      "Action": "ram:PassRole",
      "Effect": "Allow",
      "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"
    }
  ],
  "Version": "1"
}
Obtain the ARN of the RAM role.
In the Basic Information section of the RAM role of Alibaba Cloud Account B, obtain the ARN. The ARN has the format acs:ram::<ID of Alibaba Cloud Account B>:role/aliyunlogdefaultrole. Example: acs:ram::13234:role/aliyunlogdefaultrole.
When you use RAM User A1 to configure a log shipping task, enter the ARN in the OSS Write RAM Role field.
Use a RAM user to ship log data within the same Alibaba Cloud account
Before you can use a RAM user to create log shipping tasks, you must use your Alibaba Cloud account to grant the required permissions to the RAM user.
Use your Alibaba Cloud account to log on to the RAM console.
Create a policy.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Custom Policy page, configure the parameters and click OK. The following list describes the parameters of the custom policy.
Policy Name: Enter a name for the policy.
Configuration Mode: Select Script.
Policy Document: Replace the content in the editor with the following script.
Note: The policy must include the PassRole permission. In this script, the Resource element of the ram:PassRole statement is "*", which allows the RAM user to pass any RAM role of the account to a service. To follow the principle of least privilege, replace "*" with the ARN of the AliyunLogDefaultRole role, for example, acs:ram::<ID of your Alibaba Cloud account>:role/aliyunlogdefaultrole, as in the custom policy shown in Use a RAM user to ship log data across Alibaba Cloud accounts.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*"
    }
  ]
}
Create a RAM user. For more information, see Create a RAM user.
Grant the required permissions to the RAM user.
In the left-side navigation pane, choose .
On the Users page, find the RAM user to which you want to grant the permissions and click Add Permissions in the Actions column.
In the Add Permissions panel, click Custom Policy in the Select Policy section, select the policy that you created in the preceding steps, and then click OK.
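The RAM user policies in this section and in Use a RAM user to ship log data across Alibaba Cloud accounts, worked as an added example that is not part of this documentation: the Python script below builds the policy for the RAM user with ram:PassRole limited to the ARN of the AliyunLogDefaultRole role instead of "*", and audits a policy document for the two problems a reviewer looks for, PassRole on a wildcard resource and a policy that lacks the Log Service permissions needed to create the shipping task. The two policy documents from the page are embedded as sample input; the account ID in the ARN is a constructed placeholder, and no Alibaba Cloud API is called.

```python
"""Build and audit the RAM policy that lets a RAM user create OSS shipping tasks.

Added example, not part of the Alibaba Cloud documentation. The account ID in
the role ARN is a constructed placeholder.
"""
import json

PASS_ROLE = "ram:PassRole"
DEFAULT_ROLE_SUFFIX = ":role/aliyunlogdefaultrole"

# The PassRole-only custom policy from the cross-account section (placeholder account ID).
PASS_ROLE_ONLY_POLICY = json.dumps({
    "Statement": [{"Action": PASS_ROLE, "Effect": "Allow",
                   "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"}],
    "Version": "1",
})

# The same-account policy from the procedure above: PassRole on every role.
WILDCARD_PASS_ROLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
        {"Effect": "Allow", "Action": PASS_ROLE, "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def build_user_policy(role_arns, log_actions=("log:*",)):
    """Least-privilege policy for the RAM user: Log Service permissions plus
    ram:PassRole limited to the given role ARNs instead of Resource "*"."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": list(log_actions), "Resource": "*"},
            {"Effect": "Allow", "Action": PASS_ROLE, "Resource": list(role_arns)},
        ],
    }


def user_policy_json(role_arns, log_actions=("log:*",)):
    """The document as pasted into the RAM console policy editor."""
    return json.dumps(build_user_policy(role_arns, log_actions), indent=2)


def audit_user_policy(policy_json):
    """Return a list of findings. An empty list means the user can create the
    shipping task and can pass only the AliyunLogDefaultRole role."""
    policy = json.loads(policy_json)
    findings = []
    pass_role_resources = []
    has_log_permission = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.lower().startswith("log:") for a in actions):
            has_log_permission = True
        if any(a in (PASS_ROLE, "ram:*", "*") for a in actions):
            pass_role_resources.extend(resources)
        if any(a in ("ram:*", "*") for a in actions):
            findings.append(f"wildcard action {actions}: grants far more than PassRole")
    if not pass_role_resources:
        findings.append("ram:PassRole is not allowed; creating the shipping task will fail")
    for res in pass_role_resources:
        if "*" in res:
            findings.append(f"ram:PassRole on {res!r}: the user can pass any matching role; "
                            "restrict it to the AliyunLogDefaultRole ARN")
        elif not res.lower().endswith(DEFAULT_ROLE_SUFFIX):
            findings.append(f"ram:PassRole on {res!r}: not the AliyunLogDefaultRole role")
    if not has_log_permission:
        findings.append("no log: permissions; the user cannot create the shipping task "
                        "with this policy alone")
    return findings


if __name__ == "__main__":
    arn = "acs:ram::1111111:role/aliyunlogdefaultrole"  # constructed placeholder
    for name, doc in [("cross-account PassRole-only", PASS_ROLE_ONLY_POLICY),
                      ("same-account wildcard", WILDCARD_PASS_ROLE_POLICY),
                      ("scoped", user_policy_json([arn]))]:
        print(name, "->", audit_user_policy(doc) or ["OK"])
    print(user_policy_json([arn]))
```

For the cross-account case, pass the ARN of Account B's role to build_user_policy; the audit only checks the role name, so it works for both the same-account and the cross-account policy.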