A role, like a user, is an identity used in Resource Access Management (RAM). Compared with a RAM user, a RAM user role is a virtual user that has no fixed AccessKey for authentication; it must be assumed by a trusted real user, such as an Alibaba Cloud account, a RAM user, or a cloud service account. After assuming a role, the real user receives a temporary security token for that RAM user role and can then use this token to access the authorized resources as the role.

To grant a trusted real user operation permissions on Log Service, and to allow the RAM users under that real user to perform operations in Log Service, you must create a RAM user role, specify the trusted Alibaba Cloud account, authorize the RAM user role, grant the AssumeRole permission to the RAM users under the trusted account, and obtain the temporary security token of the RAM user role.

For more information, see Users.

Step 1. Create a user role and specify the trusted Alibaba Cloud account

  1. Log on to the RAM console.
  2. Click Roles in the left-side navigation pane, and click Create Role in the upper-right corner. The Create Role dialog box appears.
  3. Select User Role in the Select Role Type step.
  4. Select the trusted Alibaba Cloud account in the Enter Type step.
    Note
    • If the role you create is to be used by the RAM users under your account, such as authorizing a mobile application client to directly perform operations on Log Service resources, select Current Alibaba Cloud Account as the trusted Alibaba Cloud account.
    • If the role you create is to be used by the RAM users under another Alibaba Cloud account, such as resource authorization across accounts, select Other Alibaba Cloud Account and enter the ID of another Alibaba Cloud account in the Trusted Alibaba Cloud Account ID field.
    Figure 1. Create a role


  5. Enter the Role Name and Description in the Configure Basic Information step, and click Create.

Step 2. Authorize the RAM user role

The created user role does not have any permission. You must grant the RAM user role the operation permissions to Log Service. The trusted Alibaba Cloud account specified in the preceding step has the permission to assume the RAM user role to perform operations in Log Service.

Note You can grant one or more authorization policies to the RAM user role, including system authorization policies and custom authorization policies. In this document, the RAM user role is granted the permissions to manage Log Service.
  1. In the RAM console, click Roles in the left-side navigation pane.
  2. Click Authorize at the right of the target RAM user role name.
  3. Select the system authorization policy AliyunLogFullAccess, and click OK.

For more information, see Authorization.

Step 3. Authorize the RAM user of the trusted Alibaba Cloud account

A RAM role must be assumed by an authorized real user for normal usage. However, a trusted real user cannot assume a RAM user role using its own account identity, but only as a RAM user. That is, a RAM user role must, and can only, be assumed by a RAM user identity.

In addition, the trusted Alibaba Cloud account must grant the AssumeRole permission to its RAM users. A RAM user can assume the RAM user role created in step 1 on behalf of the trusted Alibaba Cloud account only after being granted the permission to call the Security Token Service (STS) AssumeRole API.

  1. Log on to the RAM console with the trusted Alibaba Cloud account.
  2. On the User management page, click Authorize at the right of the RAM user.

    If you have not created a RAM user yet, see Users to create one.

  3. Select the system authorization policy AliyunSTSAssumeRoleAccess, and click OK.

Step 4. Obtain the temporary security token of the RAM user role

After a RAM user is granted the AssumeRole permission, the user can use its own AccessKey to call the STS AssumeRole API and obtain an on-demand security token for the role, that is, the temporary security token of the RAM user role.

For how to call the AssumeRole API, see Getting started.

After the AccessKey ID, AccessKey Secret, and SecurityToken are obtained using the STS SDK, Log Service can be accessed using the Log Service SDK.

The following example uses the AccessKey ID, AccessKey Secret, and SecurityToken to initialize a Log Service Client. For Java SDK usage, see Java SDK.
package sdksample;

import java.util.Date;
import java.util.Vector;
import com.aliyun.openservices.log.Client;
import com.aliyun.openservices.log.common.LogItem;
import com.aliyun.openservices.log.exception.LogException;
import com.aliyun.openservices.log.request.PutLogsRequest;

public class sdksample {
    public static void main(String args[]) throws LogException, InterruptedException {
        String endpoint = "<log_service_endpoint>"; // Select the endpoint that matches the region where the project created in the preceding steps resides.
        String accessKeyId = "<your_access_key_id>"; // The temporary AccessKey ID returned by STS AssumeRole.
        String accessKeySecret = "<your_access_key_secret>"; // The temporary AccessKey Secret returned by STS AssumeRole.
        String securityToken = "<your_security_token>"; // The SecurityToken of the role returned by STS AssumeRole.
        String project = "<project_name>"; // The name of the project created in the preceding steps.
        String logstore = "<logstore_name>"; // The name of the Logstore created in the preceding steps.

        // Construct a client instance with the temporary AccessKey pair.
        Client client = new Client(endpoint, accessKeyId, accessKeySecret);
        // Set the SecurityToken; without it the temporary AccessKey pair is rejected.
        client.SetSecurityToken(securityToken);

        // Write logs.
        String topic = "";
        String source = "";
        // Send 10 packets consecutively, with each packet containing 10 logs.
        for (int i = 0; i < 10; i++) {
            Vector<LogItem> logGroup = new Vector<LogItem>();
            for (int j = 0; j < 10; j++) {
                // Log time is in seconds since the epoch.
                LogItem logItem = new LogItem((int) (new Date().getTime() / 1000));
                logItem.PushBack("index" + String.valueOf(j), String.valueOf(i * 10 + j));
                logGroup.add(logItem);
            }
            PutLogsRequest req2 = new PutLogsRequest(project, logstore, topic, source, logGroup);
            client.PutLogs(req2);
        }
    }
}
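The STS AssumeRole call that Step 4 refers to, as an added example that is not part of this page or of the Alibaba Cloud SDK samples: it assumes the aliyun-java-sdk-core and aliyun-java-sdk-sts dependencies, placeholder values for the RAM user's AccessKey and the role ARN, and goes one step beyond the page by attaching an assumed session policy that narrows the token to writing a single Logstore even though the role itself carries AliyunLogFullAccess.

```java
package sdksample;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
import com.aliyun.openservices.log.Client;

public class AssumeRoleSample {
    // Placeholders: the RAM user's own AccessKey (Step 3) and the ARN of the role from Step 1.
    static final String RAM_USER_AK = "<ram_user_access_key_id>";
    static final String RAM_USER_SK = "<ram_user_access_key_secret>";
    static final String ROLE_ARN = "acs:ram::<trusted_account_id>:role/<role_name>";

    // Session policy (assumed format): the token may only write logs to one Logstore,
    // regardless of the wider permissions granted to the role in Step 2.
    static String writeOnlyPolicy(String project, String logstore) {
        return "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Allow\","
             + "\"Action\":[\"log:PostLogStoreLogs\"],"
             + "\"Resource\":[\"acs:log:*:*:project/" + project + "/logstore/" + logstore + "\"]}]}";
    }

    // Calls STS AssumeRole with the RAM user's AccessKey and returns the temporary credentials.
    static AssumeRoleResponse.Credentials assumeRole(String project, String logstore)
            throws ClientException {
        DefaultProfile profile = DefaultProfile.getProfile("cn-hangzhou", RAM_USER_AK, RAM_USER_SK);
        DefaultAcsClient stsClient = new DefaultAcsClient(profile);
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setMethod(MethodType.POST);
        request.setRoleArn(ROLE_ARN);
        request.setRoleSessionName("log-writer-session"); // recorded in audit logs; name it per caller
        request.setPolicy(writeOnlyPolicy(project, logstore));
        request.setDurationSeconds(900L); // short lifetime; assume the role again when it expires
        return stsClient.getAcsResponse(request).getCredentials();
    }

    public static void main(String[] args) throws Exception {
        String project = "<project_name>";
        String logstore = "<logstore_name>";
        AssumeRoleResponse.Credentials creds = assumeRole(project, logstore);
        // The temporary AccessKey pair is only accepted together with the SecurityToken.
        Client client = new Client("<log_service_endpoint>", creds.getAccessKeyId(), creds.getAccessKeySecret());
        client.SetSecurityToken(creds.getSecurityToken());
        System.out.println("Temporary credentials expire at " + creds.getExpiration());
        // From here, PutLogs works as in the preceding sample until the expiration time is reached.
    }
}
```

The expiration returned with the credentials is the signal to call assumeRole again; a client that caches the token past that time will start receiving authentication errors from Log Service.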