
Simple Log Service: Embed console pages and share log data

Last Updated: Apr 11, 2024

Simple Log Service allows you to embed console pages, such as query and analysis pages and dashboard pages, into a self-managed web application. This way, you can share the pages with other users, and the users can view your log data in password-free access mode. The URLs of the shared pages are referred to as logon-free URLs.

How it works

The Single Sign On (SSO) service (signin.aliyun.com) provided by Resource Access Management (RAM) supports the integration of a logon token into a logon URL. When a user accesses a logon-free URL, SSO is first called. If SSO detects a valid logon token, the user is redirected to the specified page. This way, the user can view log data on the page in password-free access mode. The following figure shows the access process.

Figure: Access process

  1. A user accesses your web application.

  2. The web server accesses Security Token Service (STS) to obtain a security token by using the AccessKey pair of the required RAM user.

  3. STS returns a security token.

  4. The web server accesses SSO to obtain a logon token by using the security token.

  5. SSO returns a logon token.

  6. The web server creates a logon-free URL for a page of the Simple Log Service console and returns the URL to the client. The client uses the logon-free URL to access the page.

Precautions

Before you use the console page embedding feature, take note of the following items:

  • The feature supports only RAM role-based access.

  • The STS-generated tokens are temporary credentials. You can use the credentials to access the logon-free URLs of embedded pages only once in your browser. If you use the credentials to repeatedly access the URLs, a SigninToken-related error is reported.

  • Verification logic is used in the backend. We recommend that you regenerate the logon-free URLs of embedded pages 5 minutes before your SigninToken expires. If you do not regenerate the logon-free URLs in time, your access to the embedded pages becomes invalid after your SigninToken expires, and a SigninToken-related error is reported.

  • You can embed only complete query and analysis pages, query pages, and dashboard pages. You cannot embed alert pages.

Procedure

Prepare a pending-sharing URL

  1. Obtain the URL of the query and analysis page or dashboard page that you want to share.

    Note

    You can embed only complete query and analysis pages, query pages, and dashboard pages. You cannot embed alert pages.

    • Complete query and analysis page:

      https://sls4service.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
    • Query page:

      https://sls4service.console.aliyun.com/lognext/project/<Project name>/logsearch/<Logstore name>?isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
    • Dashboard page:

      https://sls4service.console.aliyun.com/lognext/project/<Project name>/dashboard/<Dashboard ID>?isShare=true&hideTopbar=true&hideSidebar=true&ignoreTabLocalStorage=true
      Note

      The preceding Dashboard ID appears only in the URL of a dashboard page. The ID is not the name that appears on the dashboard.

    • Full-stack Observability page

      In this example, the Trace analysis page is used. For more information, see Embed Full-stack Observability pages.

      https://sls4service.console.aliyun.com/lognext/app/observability/trace/<Project name>/<ID of a Full-stack Observability instance>?resource=/trace/<ID of a Full-stack Observability instance>/explorer&hideTopbar=true&isShare=true
  2. Replace the host address in the URL with sls4service.console.aliyun.com.

    For example, you can share a dashboard page that can be accessed by using the following URL in the Simple Log Service console:

    https://sls.console.aliyun.com/lognext/project/project_name/dashboard/dashboard-1651116703628-54041

    Replace the host address sls.console.aliyun.com with sls4service.console.aliyun.com to generate the following pending-sharing URL:

    https://sls4service.console.aliyun.com/lognext/project/project_name/dashboard/dashboard-1651116703628-54041

Create a RAM user and RAM role

Create a RAM user and grant it the permissions to assume a RAM role. Then, create a RAM role and grant it the permissions to access the pages that you want to share, such as a dashboard page.

Create a RAM user

  1. Create a RAM user. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service. Select OpenAPI Access when you create the RAM user. After the RAM user is created, record the AccessKey pair of the user.

  2. Grant the RAM user the permissions to assume a RAM role.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "*"
            }
        ]
    }

Create a RAM role

  1. Create a RAM role that can be assumed by a RAM user or RAM role within the current Alibaba Cloud account. For more information, see Create a RAM role whose trusted entity is an Alibaba Cloud account and authorize the RAM role to access Simple Log Service.

  2. Grant the RAM role the permissions to access the URL of the page that you want to share. For example, you can grant the read-only permissions on Simple Log Service.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:Get*",
                    "log:List*",
                    "log:Query*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  3. Record the Alibaba Cloud Resource Name (ARN) of the RAM role in the acs:ram::137******44:role/role-name format.

Generate a logon-free URL

Generate the logon-free URL of the console page that you want to share to allow password-free access to the console page. For more information about sample code that is written in programming languages such as Java and Python, see Sample code.

  1. Use the AccessKey pair of the RAM user to access STS and obtain a security token. You can specify the validity period of the token based on your business requirements. Sample code:

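    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

    // stsHost, roleArn, and roleSession are supplied by your application.
    DefaultProfile.addEndpoint("", "", "Sts", stsHost);
    IClientProfile profile = DefaultProfile.getProfile("", <AccessKeyId>, <AccessKeySecret>);
    DefaultAcsClient client = new DefaultAcsClient(profile);
    AssumeRoleRequest assumeRoleReq = new AssumeRoleRequest();
    assumeRoleReq.setRoleArn(roleArn); // The ARN of the RAM role.
    assumeRoleReq.setRoleSessionName(roleSession);
    assumeRoleReq.setMethod(MethodType.POST);
    assumeRoleReq.setDurationSeconds(3600L); // The validity period of the token, in seconds.
    AssumeRoleResponse assumeRoleRes = client.getAcsResponse(assumeRoleReq);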
  2. Access SSO and obtain a logon token. The following example shows the format of the access request. Make sure that the value of TicketType is mini.

    https://signin.aliyun.com/federation?Action=GetSigninToken
                        &AccessKeyId=<The AccessKey ID of the temporary AccessKey pair that is returned by STS>
                        &AccessKeySecret=<The AccessKey secret of the temporary AccessKey pair that is returned by STS>
                        &SecurityToken=<The token that is returned by STS>
                        &TicketType=mini

    Returned data:

    {
        "RequestId": "02b47c77c5fd48789d23773af853e9f7_936be_1706585994094_1.229",
        "SigninToken": "svX6LGcBbWLExKD5hcwdLu6RsLQbv36fWZN36WhxkTXpTcDpmzs2K6X8uFvCqGsBTU4KWJMffYz2rAVbdJXHMECgUfyzS869wh2DBdFEQo3e2fJgZ5YtcMSVnoX7pterS2f7926jFvdBXVFEF54JkUCMrDAutNRv1u7ZReC7v8oQoG5UmjJBbHUyvLTn5UDDvDfNowMVyRskrZRFUKT2qAMZ4Gnc****"
    }
  3. Add the logon token to the pending-sharing URL to generate a logon-free URL.

    https://signin.aliyun.com/federation?Action=Login
                                &LoginUrl=<The URL to which the user is redirected when the logon fails. We recommend that you specify the URL to which your self-managed application redirects with the HTTP status code 302. The value must be URL-encoded.>
                                &Destination=<The pending-sharing URL of the query and analysis page or dashboard page that you want to share. If the URL contains parameters, the parameters must be URL-encoded.>
                                &SigninToken=<The logon token that is obtained. The value must be URL-encoded.>
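
Steps 2 and 3 above, together with the host replacement from "Prepare a pending-sharing URL", as an added Python example; it is not Alibaba Cloud's sample code. It only builds and parses the URLs, so it runs offline. The function names, the `https` scheme for the federation endpoint, and the host check on `Destination` are assumptions of this example.

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit

FEDERATION = "https://signin.aliyun.com/federation"  # https is this example's choice
CONSOLE_HOST = "sls.console.aliyun.com"
EMBED_HOST = "sls4service.console.aliyun.com"


def to_pending_sharing_url(console_url, **flags):
    """Swap the console host for the embed host and append display flags."""
    parts = urlsplit(console_url)
    if parts.scheme != "https" or parts.hostname not in (CONSOLE_HOST, EMBED_HOST):
        raise ValueError("not a Simple Log Service console URL")
    query = "&".join(q for q in (parts.query, urlencode(flags)) if q)
    return urlunsplit(("https", EMBED_HOST, parts.path, query, ""))


def signin_token_request_url(sts):
    """Step 2: GetSigninToken request from the temporary STS credentials."""
    return FEDERATION + "?" + urlencode({
        "Action": "GetSigninToken",
        "AccessKeyId": sts["AccessKeyId"],
        "AccessKeySecret": sts["AccessKeySecret"],
        "SecurityToken": sts["SecurityToken"],
        "TicketType": "mini",
    })


def parse_signin_token(body):
    """Fail closed when the SSO response carries no SigninToken."""
    token = json.loads(body).get("SigninToken")
    if not token:
        raise ValueError("response carries no SigninToken")
    return token


def logon_free_url(signin_token, destination, login_url):
    """Step 3: encode each value so '&' or '?' inside Destination cannot
    turn into extra parameters of the federation request."""
    dest = urlsplit(destination)
    if dest.scheme != "https" or dest.hostname != EMBED_HOST:
        raise ValueError("Destination must be an https URL on " + EMBED_HOST)
    return FEDERATION + "?" + urlencode({
        "Action": "Login",
        "LoginUrl": login_url,
        "Destination": destination,
        "SigninToken": signin_token,
    })
```

The URL returned by `signin_token_request_url` contains the temporary AccessKey secret and security token, so keep it out of access logs and error messages.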

Embed the logon-free URL as an iFrame

Embed the logon-free URL into your web page as an iFrame.

Important

The first time you access a logon-free URL in your browser, you can test the URL. After the test is complete, the logon token that is used becomes invalid. You must regenerate a logon-free URL.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Share a console page</title>
</head>
<body>
<iframe width="1280" height="720" src="Logon-free URL"> </iframe>
</body>
</html>

Sample code

For more information about the sample code that is written in PHP, Python, and Go, visit the following links:

  • Sample code in Java

    The following sample code shows the Maven dependencies in Java:

    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-sts</artifactId>
        <version>3.0.0</version>
    </dependency>
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-core</artifactId>
        <version>3.5.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.5</version>
    </dependency>
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.68.noneautotype</version>
    </dependency>
  • Sample code in PHP

  • Sample code in Python

  • Sample code in Go

FAQ

  • Problem description

    When a logon-free URL is embedded into a web page as an iFrame, the following error is reported:

    Refused to frame 'https://signin.aliyun.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.aliyun.com"
  • Cause

    For security reasons, cross-domain iFrames are not supported.

  • Solution

    Modify the Content-Security-Policy (CSP) header.

    You can specify an exact domain name or a wildcard domain name in a CSP directive to allow page embedding from the specified website. For example, you can use the following CSP directive to allow page embedding from the aliyun.com and *.aliyun.com websites:

    Content-Security-Policy: frame-ancestors 'self' aliyun.com *.aliyun.com;

    You can use the wildcard character (*) in a CSP directive to allow page embedding from all websites. Example:

    Content-Security-Policy: frame-ancestors *;

    If you allow page embedding from all websites, security risks arise. We recommend that you do not allow page embedding from all websites unless required. For more information, visit https://content-security-policy.com/.