Before you configure the LogShipper feature to ship logs to an OSS bucket, you must authorize Log Service through quick authorization. Then, Log Service has permission to write data to the OSS bucket.

This topic describes how to use RAM to authorize Log Service in different log shipping scenarios.

Modify the policy

After quick authorization, the AliyunLogDefaultRole role has the AliyunLogRolePolicy policy attached by default. This policy grants Log Service permission to ship logs to all OSS buckets.

If you want finer-grained access control, detach the AliyunLogRolePolicy policy from the AliyunLogDefaultRole role, create a finer-grained policy, and attach that policy to the AliyunLogDefaultRole role. For more information, see OSS User Guide.

Ship logs across Alibaba Cloud accounts

If your Log Service project and OSS bucket do not belong to the same Alibaba Cloud account, you must use RAM to configure the policy.

For example, if you want to ship logs from a Log Service project of Alibaba Cloud Account A to the OSS bucket of Alibaba Cloud Account B, follow these steps:

  1. Use Account B to create a role named AliyunLogDefaultRole through quick authorization and authorize the role to write data to OSS.
  2. In the left-side navigation pane of the RAM console, click RAM Roles, find the AliyunLogDefaultRole role, and then click the role name to view the details.

    The Service element in the policy specifies the principals that are authorized to assume the role. For example, log.aliyuncs.com indicates that Account B can assume this role to obtain the OSS write permission.

  3. In the Service element, add A_ALIYUN_ID@log.aliyuncs.com, where A_ALIYUN_ID is the ID of Account A. To view the ID of Account A, move the pointer over the profile picture, click User Info, and then choose Account Management > Security Settings on the page that appears.
    For example, if the ID of Account A is 165421896534****, modify the policy as follows:
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "165421896534****@log.aliyuncs.com",
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
    This policy allows Account A to obtain a temporary STS token and manage the resources of Account B. For more information, see Manage policies.
  4. Use Account A to enable the OSS LogShipper feature in the Log Service console. When you set the task parameters, enter the ARN of the RAM role created by the OSS bucket owner in the RAM Role field. In this example, the ARN is the ARN of the RAM role AliyunLogDefaultRole that you used Account B to create through quick authorization.

    To view the ARN of the RAM role, move the pointer over the profile picture and click Basic Info. The format of the ARN is acs:ram::13234:role/logrole.

Use a RAM user to ship logs in the same Alibaba Cloud account

If you want to authorize a RAM user of your Alibaba Cloud account to enable the OSS LogShipper feature, log on to the RAM console with your Alibaba Cloud account and grant the RAM user both the permissions to ship logs to OSS and the PassRole permission. To grant these permissions, follow these steps:

  1. Use your Alibaba Cloud account to log on to the RAM console, and then create a custom policy.
    The sample policy is as follows:
    Note The policy must include the PassRole permission.
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "log:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ram:PassRole",
          "Resource": "*"
        }
      ]
    }
  2. Attach the custom policy to the RAM user.
    1. In the left-side navigation pane, click Users. On the page that appears, find the RAM user and click Add Permissions in the Actions column.
    2. In the Select Policy section, find the custom policy, add the policy to the Selected section, and then click OK.

Use a RAM user to ship logs across Alibaba Cloud accounts

If you want to use a RAM user (Account A1) of an Alibaba Cloud account (Account A) to ship logs to an OSS bucket of another Alibaba Cloud account (Account B), you must use Account A to grant the PassRole permission to Account A1.

To grant the PassRole permission to Account A1, follow these steps:

  1. Use Account B to create a role named AliyunLogDefaultRole through quick authorization. Then, authorize the role to write data to OSS by modifying the policy. For more information, see Ship logs across Alibaba Cloud accounts.
  2. Use Account A to log on to the RAM console and grant the AliyunRAMFullAccess permission to Account A1.
    1. In the left-side navigation pane, click Users. On the page that appears, find Account A1, and then click Add Permissions in the Actions column.
    2. In the Select Policy section, find the AliyunRAMFullAccess policy, add the policy to the Selected section, and then click OK.

      After the authorization is complete, Account A1 has all RAM permissions.

      If you want to configure finer-grained access control for Account A1, modify the Action and Resource elements in the policy.

      The sample policy is as follows. When you use the policy, you must replace Resource with the ARN of the AliyunLogDefaultRole role.

      {
        "Statement": [
          {
            "Action": "ram:PassRole",
            "Effect": "Allow",
            "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"
          }
        ],
        "Version": "1"
      }
  3. Use Account A1 to enable the OSS LogShipper feature in the Log Service console. When you set the task parameters, enter the ARN of the RAM role created by the OSS bucket owner in the RAM Role field. In this example, the ARN is the ARN of the RAM role AliyunLogDefaultRole that you used Account B to create through quick authorization.
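As an added example that is not part of this documentation, the following Python script reads the two kinds of policy shown on this page and reports which accounts the Account B trust policy lets assume the role through Log Service, and whether a RAM user's ram:PassRole grant is scoped to one role ARN or covers every role. The sample policies are constructed from the ones above; the masked account ID and the placeholder ARN are taken as they appear on this page.

```python
import json
from fnmatch import fnmatch

LOG_SERVICE_DOMAIN = "log.aliyuncs.com"

# Constructed samples: masked account ID as shown on the page, placeholder ARN.
TRUST_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["165421896534****@log.aliyuncs.com",
                              "log.aliyuncs.com"]}}]})
BROAD_PASSROLE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ram:PassRole", "Resource": "*"}]})
SCOPED_PASSROLE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ram:PassRole",
    "Resource": "acs:ram::1111111:role/aliyunlogdefaultrole"}]})


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _grants(stmt, action):
    # An Allow statement grants `action` if any Action pattern matches it
    # (exact name, a "ram:*"-style wildcard, or "*").
    return stmt.get("Effect") == "Allow" and any(
        fnmatch(action, pat) for pat in _as_list(stmt.get("Action", [])))


def log_service_trust_accounts(trust_policy_json):
    """Account IDs whose Log Service may assume the role: a bare
    'log.aliyuncs.com' is the role's own account ('self'), '<id>@...' is <id>."""
    accounts = set()
    for stmt in json.loads(trust_policy_json)["Statement"]:
        if not _grants(stmt, "sts:AssumeRole"):
            continue
        for svc in _as_list(stmt.get("Principal", {}).get("Service", [])):
            if svc == LOG_SERVICE_DOMAIN:
                accounts.add("self")
            elif svc.endswith("@" + LOG_SERVICE_DOMAIN):
                accounts.add(svc.split("@", 1)[0])
    return accounts


def passrole_scope(policy_json):
    """Split ram:PassRole grants into role ARNs and wildcard resources;
    anything under 'wildcard' lets the RAM user pass any role."""
    scope = {"scoped": [], "wildcard": []}
    for stmt in json.loads(policy_json)["Statement"]:
        if _grants(stmt, "ram:PassRole"):
            for res in _as_list(stmt.get("Resource", [])):
                scope["wildcard" if res == "*" else "scoped"].append(res)
    return scope
```

Running the two checks against a role's trust policy and a RAM user's policy before enabling the shipping task shows exactly which foreign account may assume the role and whether the PassRole grant was left at "*".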