This topic describes how to assign a RAM role to a trusted entity. You can grant permissions on Log Service to a Resource Access Management (RAM) role and assign the role to a trusted entity, which allows the trusted entity to manage Log Service. To do so, you create a RAM role under your Alibaba Cloud account, grant permissions to the RAM role, and then grant the AssumeRole permission to a RAM user of the Alibaba Cloud account. The RAM user can then assume the role and receive a Security Token Service (STS) token for it.

Background information

Both RAM roles and RAM users are identities managed in RAM. A RAM role is a virtual identity that does not have common credential information, such as a password or an AccessKey pair. You can assign RAM roles to trusted entities, such as an Alibaba Cloud account, a RAM user, or an Alibaba Cloud service. After the trusted entity receives an STS token for the RAM role, the trusted entity can use the STS token to access the resources that the RAM role is authorized to use.

Step 1: Create a RAM role and specify an Alibaba Cloud account for the RAM role

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
  4. Specify the RAM Role Name and Note parameters.
  5. In the Select Trusted Alibaba Cloud Account field, select Current Alibaba Cloud Account or Other Alibaba Cloud Account.
    Note
    • The RAM role can be assigned to the RAM users of your own Alibaba Cloud account. In this case, select Current Alibaba Cloud Account. For example, if a RAM user of your Alibaba Cloud account represents a mobile app, select Current Alibaba Cloud Account to authorize the mobile app to access Log Service resources.
    • The RAM role can also be assigned to the RAM users of another Alibaba Cloud account. For example, to authorize another Alibaba Cloud account to access resources of the current Alibaba Cloud account, select Other Alibaba Cloud Account.
  6. Click OK.

Step 2: Grant permissions to the RAM role

After you create a RAM role, this RAM role does not have permissions on Log Service resources. You must grant the RAM role relevant permissions to manage Log Service resources. The Alibaba Cloud account specified in the previous step can assume the RAM role and manage Log Service.
Note You can attach one or more policies to a RAM role, including system policies and custom policies. The following example shows how to grant full access permissions on Log Service to a RAM role.
  1. In the left-side navigation pane, click RAM Roles.
  2. In the RAM Role Name column, find the target RAM role.
  3. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  4. In the Policy Name column, find the AliyunLogFullAccess policy and attach the policy to the RAM role.
  5. Click OK.
  6. Click Finished.

Step 3: Assign the RAM role to a RAM user of the selected Alibaba Cloud account

To use a RAM role, a RAM user must first assume the RAM role. This allows the RAM user to manage resources that the RAM role is authorized to use.

You must grant the AssumeRole permission to a RAM user of the selected Alibaba Cloud account. The RAM user can then call the AssumeRole API operation to assume the RAM role created in Step 1.

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. In the left-side navigation pane, click Grants under Permissions.
  3. Click Grant Permission.
  4. Under Principal, enter the username, and click the target RAM user.
  5. In the Policy Name column, find the AliyunSTSAssumeRoleAccess policy and attach the policy to the RAM user.
  6. Click OK.
  7. Click Finished.

Step 4: Obtain an STS token for the RAM role

After you grant the AssumeRole permission to the RAM user, you can use the AccessKey pair of the RAM user to call the STS AssumeRole API operation. Then, you can obtain an STS token for the RAM role.

For more information, see Samples.

After you obtain the AccessKey ID, AccessKey secret, and STS token by using the STS SDK, you can use the Log Service SDK to access Log Service.
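As an added example (not the page's own code and not taken from the Samples topic), the following Java snippet calls STS AssumeRole with the Alibaba Cloud SDK for Java (the aliyun-java-sdk-core and aliyun-java-sdk-sts dependencies are assumed) and passes a session policy that narrows the role's AliyunLogFullAccess grant to read-only access on a single Logstore before handing the temporary credentials to the Log Service client. The region, role ARN, AccessKey pair, endpoint, project and Logstore names are placeholders.

```java
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
import com.aliyun.openservices.log.Client;

public class AssumeRoleSample {
    // Placeholders: replace with your own region and the ARN of the role created in Step 1.
    static final String REGION_ID = "cn-hangzhou";
    static final String ROLE_ARN = "acs:ram::<account_id>:role/<ram_role_name>";

    // Session policy (assumed here, not part of the original page). The effective permission
    // of the STS token is the intersection of the role's attached policies and this policy,
    // so the token can only read one Logstore even though the role holds AliyunLogFullAccess.
    static final String SESSION_POLICY =
        "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Allow\","
      + "\"Action\":[\"log:GetLogs\",\"log:GetCursor\",\"log:PullLogs\"],"
      + "\"Resource\":\"acs:log:*:*:project/<project_name>/logstore/<logstore_name>\"}]}";

    // Uses the RAM user's AccessKey pair (Step 3) to assume the role and return STS credentials.
    public static AssumeRoleResponse.Credentials assumeRole(String ramUserAk, String ramUserSk)
            throws ClientException {
        DefaultProfile profile = DefaultProfile.getProfile(REGION_ID, ramUserAk, ramUserSk);
        DefaultAcsClient stsClient = new DefaultAcsClient(profile);
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRoleArn(ROLE_ARN);
        // The session name is recorded with each call made under the token, so make it traceable.
        request.setRoleSessionName("log-reader-" + System.currentTimeMillis());
        request.setPolicy(SESSION_POLICY);
        request.setDurationSeconds(900L); // shortest lifetime; re-assume the role when it expires
        AssumeRoleResponse response = stsClient.getAcsResponse(request);
        return response.getCredentials();
    }

    // Initializes the Log Service client with the temporary AccessKey pair and STS token.
    public static Client logClientFor(String endpoint, AssumeRoleResponse.Credentials c) {
        Client client = new Client(endpoint, c.getAccessKeyId(), c.getAccessKeySecret());
        client.SetSecurityToken(c.getSecurityToken());
        return client;
    }

    public static void main(String[] args) throws ClientException {
        AssumeRoleResponse.Credentials creds =
            assumeRole("<ram_user_access_key_id>", "<ram_user_access_key_secret>");
        System.out.println("STS token expires at " + creds.getExpiration());
        Client client = logClientFor("<log_service_endpoint>", creds);
        // Read from the Logstore with client.GetLogs(...) before the expiration time.
    }
}
```

Calls outside the session policy (for example, PutLogs) are denied even though the role itself holds AliyunLogFullAccess, which is the check to run when validating that the scoping works.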

The following example shows how to initialize LogClient by using the AccessKey ID, AccessKey secret, and STS token. For more information about the SDK for Java, visit Log Service Java SDK.
package sdksample;

import java.util.Date;
import java.util.Vector;

import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.common.LogItem;
import com.aliyun.openservices.log.exception.LogException;
import com.aliyun.openservices.log.request.PutLogsRequest;

public class sdksample {
    public static void main(String[] args) throws LogException, InterruptedException {
        String endpoint = "<log_service_endpoint>"; // Specifies the endpoint of the project that you want to access.
        String accessKeyId = "<your_access_key_id>"; // Specifies the temporary AccessKey ID returned by STS.
        String accessKeySecret = "<your_access_key_secret>"; // Specifies the temporary AccessKey secret returned by STS.
        String securityToken = "<your_security_token>"; // Specifies the STS token of the RAM role.
        String project = "<project_name>"; // Specifies the name of the project that you want to access.
        String logstore = "<logstore_name>"; // Specifies the name of the Logstore that you want to access.

        // Creates a client instance.
        Client client = new Client(endpoint, accessKeyId, accessKeySecret);
        // Sets the STS token so that requests are signed with the temporary credentials.
        client.SetSecurityToken(securityToken);

        // Writes log data to Log Service.
        String topic = "";
        String source = "";
        // Sends 10 packets, each of which contains 10 log entries.
        for (int i = 0; i < 10; i++) {
            Vector<LogItem> logGroup = new Vector<LogItem>();
            for (int j = 0; j < 10; j++) {
                // LogItem takes the log time in seconds since the epoch.
                LogItem logItem = new LogItem((int) (new Date().getTime() / 1000));
                logItem.PushBack("index" + String.valueOf(j), String.valueOf(i * 10 + j));
                logGroup.add(logItem);
            }
            PutLogsRequest req2 = new PutLogsRequest(project, logstore, topic, source, logGroup);
            client.PutLogs(req2);
        }
    }
}