Simple Log Service: Perform authorization in the RAM console

Last Updated: Dec 08, 2023

If you want to use a RAM user to ship your log data from Log Service to Object Storage Service (OSS) within the same Alibaba Cloud account or across Alibaba Cloud accounts, you must grant the required permissions to the RAM user in the Resource Access Management (RAM) console. This topic describes how to perform authorization in the RAM console.

Prerequisites

Log Service is authorized to connect to the destination OSS bucket. For more information about how to complete the authorization, visit the Cloud Resource Access Authorization page.

After the authorization, Log Service can assume a role to obtain a Security Token Service (STS) token, which provides temporary credentials for access. This way, Log Service can ship log data to the destination OSS bucket.

Overview

Before you can ship log data, you must perform authorization in the RAM console based on your business requirements.

Modify a policy

After you complete authorization on the Cloud Resource Access Authorization page, the AliyunLogRolePolicy policy is attached to the AliyunLogDefaultRole role. Log Service can assume the AliyunLogDefaultRole role to ship log data to OSS buckets. If you want to perform fine-grained access control, you must detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role, and attach a custom policy to the AliyunLogDefaultRole role. For more information, see Overview.

Ship log data across Alibaba Cloud accounts

Before you can ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must complete authorization in the RAM console. To complete authorization, perform the following steps:

Note

When you create a log shipping task to ship log data to OSS, you can specify OSS buckets that belong to only one Alibaba Cloud account. For example, a log shipping task can ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, but it cannot ship log data to OSS buckets of Alibaba Cloud Account B and Alibaba Cloud Account C at the same time. If you need to ship log data from a Log Service project of one Alibaba Cloud account to OSS buckets of two Alibaba Cloud accounts at the same time, you must create two log shipping tasks.

  1. Use Alibaba Cloud Account B to complete the authorization on the Cloud Resource Access Authorization page. The AliyunLogDefaultRole role is created.

  2. Use Alibaba Cloud Account B to log on to the RAM console.

  3. In the left-side navigation pane, choose Identities > Roles.

  4. On the Roles page, click the name of the AliyunLogDefaultRole role in the Role Name column.

  5. On the page that appears, click the Trust Policy Management tab. Then, click Edit Trust Policy.

    In the Edit Trust Policy panel, add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element, replacing ID of Alibaba Cloud Account A with the actual ID of Alibaba Cloud Account A, the account that owns the Log Service project. You can view the ID of an Alibaba Cloud account in the Account Management console. The following policy allows Alibaba Cloud Account A to assume the role and obtain an STS token to manage the cloud resources of Alibaba Cloud Account B.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ID of Alibaba Cloud Account A@log.aliyuncs.com",
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
  6. Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.

    In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logrole.

    When you use Alibaba Cloud Account A to configure a log shipping task, enter the ARN in the OSS Write RAM Role field.
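The trust policy above admits exactly two kinds of service principal: log.aliyuncs.com and "<account ID>@log.aliyuncs.com" for the account that owns the Log Service project. The following Python is an added example, not code from this page or from Alibaba Cloud: it builds that trust policy for one or more source accounts (the page shows one) and audits an existing trust policy for any principal that is allowed to assume the role but is not on the expected list. The account IDs used in the test are constructed samples.

```python
import json
import re

LOG_SERVICE_PRINCIPAL = "log.aliyuncs.com"


def cross_account_principal(account_id: str) -> str:
    """Service element entry for one source account: '<account ID>@log.aliyuncs.com'."""
    if not re.fullmatch(r"\d+", account_id):
        raise ValueError(f"Alibaba Cloud account ID must be numeric: {account_id!r}")
    return f"{account_id}@{LOG_SERVICE_PRINCIPAL}"


def build_trust_policy(source_account_ids) -> dict:
    """Trust policy for Account B's AliyunLogDefaultRole in the shape shown on the page:
    one '<account>@log.aliyuncs.com' entry per source account plus log.aliyuncs.com."""
    services = [cross_account_principal(a) for a in source_account_ids]
    services.append(LOG_SERVICE_PRINCIPAL)
    return {
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow",
             "Principal": {"Service": services}}
        ],
        "Version": "1",
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def unexpected_trust_principals(policy, allowed_account_ids) -> list:
    """Return every principal that may assume the role but is not on the allow list.
    Any entry beyond log.aliyuncs.com and the listed '<account>@log.aliyuncs.com' values
    lets another party assume the role, so a clean trust policy yields an empty list."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    expected = {LOG_SERVICE_PRINCIPAL}
    expected.update(cross_account_principal(a) for a in allowed_account_ids)
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not {"sts:AssumeRole", "sts:*", "*"} & set(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal") or {}
        if not isinstance(principal, dict):  # a bare "*" principal is never expected
            found.add(str(principal))
            continue
        found.update(_as_list(principal.get("Service")))
    return sorted(found - expected)
```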

Use a RAM user to ship log data across Alibaba Cloud accounts

Before you can use RAM User A1 of Alibaba Cloud Account A to ship log data from a Log Service project of Alibaba Cloud Account A to an OSS bucket of Alibaba Cloud Account B, you must use Alibaba Cloud Account A to grant the PassRole permission to RAM User A1.

  1. Complete the configurations for Alibaba Cloud Account B based on Ship log data across Alibaba Cloud accounts.

  2. Use Alibaba Cloud Account A to log on to the RAM console.

  3. Create RAM User A1. For more information, see Create a RAM user.

  4. Attach the AliyunRAMFullAccess policy to RAM User A1.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find RAM User A1 and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, click System Policy in the Select Policy section, select the AliyunRAMFullAccess policy, and then click OK.

      After you attach the policy to RAM User A1, RAM User A1 has full access permissions on RAM.

      If you want RAM User A1 to have the permissions only on OSS, you must attach a custom policy to RAM User A1. The following sample code provides an example of a custom policy. The value of the Resource element is the ARN of the AliyunLogDefaultRole role of Alibaba Cloud Account B. For more information about how to create a custom policy, see Use a RAM user to ship log data within the same Alibaba Cloud account.

      {
        "Statement": [
          {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"
          }
        ],
        "Version": "1"
      }
  5. Obtain the ARN of the RAM role.

    In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logrole.

    When you use RAM User A1 to configure a log shipping task, enter the ARN in the OSS Write RAM Role field.

Use a RAM user to ship log data within the same Alibaba Cloud account

Before you can use a RAM user to create log shipping tasks, you must use your Alibaba Cloud account to grant the required permissions to the RAM user.

  1. Use your Alibaba Cloud account to log on to the RAM console.

  2. Create a policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Custom Policy page, configure the parameters and click OK. The following table describes the parameters of the custom policy.

      Parameter           Description
      Policy Name         Enter a name for the policy.
      Configuration Mode  Select Script.
      Policy Document     Replace the content in the editor with the following script.

      Note

      The policy must include the PassRole permission.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "log:*",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": "*"
          }
        ]
      }
  3. Create a RAM user. For more information, see Create a RAM user.

  4. Grant the required permissions to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to grant the permissions and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, click Custom Policy in the Select Policy section, select the policy that you created in Step 2, and then click OK.
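The two PassRole policies on this page differ in scope: the cross-account one names the ARN of the AliyunLogDefaultRole role, while the same-account one uses "*" and therefore lets the RAM user pass any role in the account. The following Python is an added example, not code from this page or from Alibaba Cloud: it parses a RAM role ARN in the acs:ram::<account ID>:role/<role name> form shown above and reports every PassRole grant that is broader than the shipping role. The case-insensitive comparison of role names is an assumption, made because the page writes the ARN of AliyunLogDefaultRole in lowercase.

```python
import json
import re

# RAM role ARN as it appears on the page: acs:ram::<account ID>:role/<role name>
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d+):role/([A-Za-z0-9._-]+)$")


def parse_role_arn(arn: str) -> dict:
    """Split a role ARN into its account ID and role name; reject anything else."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a RAM role ARN: {arn!r}")
    return {"account_id": m.group(1), "role_name": m.group(2)}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def passrole_findings(policy, expected_role_arn: str) -> list:
    """Return (statement index, message) for each Allow statement granting ram:PassRole
    whose Resource is broader than the shipping role: "*" lets the RAM user pass any
    role in the account, and a different role is outside what the shipping task needs.
    Assumption: role names compare case-insensitively, because the page writes the
    ARN of AliyunLogDefaultRole as acs:ram::1111111:role/aliyunlogdefaultrole."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    expected = parse_role_arn(expected_role_arn)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"ram:passrole", "ram:*", "*"}:
            continue
        for res in _as_list(stmt.get("Resource", "*")):  # a missing Resource means all
            if res == "*":
                findings.append((i, f"ram:PassRole on all roles; scope Resource to {expected_role_arn}"))
                continue
            try:
                got = parse_role_arn(res)
            except ValueError:
                findings.append((i, f"ram:PassRole on a non-role resource: {res}"))
                continue
            if got["account_id"] != expected["account_id"] or \
               got["role_name"].lower() != expected["role_name"].lower():
                findings.append((i, f"ram:PassRole on unexpected role: {res}"))
    return findings
```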