You can use an Alibaba Cloud account to create a Resource Access Management (RAM) role with another Alibaba Cloud account as the trusted entity and grant the RAM role specific permissions on Log Service. The other Alibaba Cloud account can then grant the AssumeRole permission to specified RAM users, which allows those RAM users to assume the RAM role. The other Alibaba Cloud account, or its specified RAM users, can then call the corresponding Security Token Service (STS) API operation to obtain temporary security credentials. These credentials include an AccessKey ID, an AccessKey secret, and a security token, and allow the caller to call Log Service API operations and access Log Service resources.

Background information

You are the owner of the projects, Logstores, Logtail collection configurations, server groups, and other Log Service resources that belong to your Alibaba Cloud account. You have full management permissions on the resources that you have created with the Alibaba Cloud account. Therefore, you can manage these resources and authorize RAM users of your own Alibaba Cloud account, or other Alibaba Cloud accounts, to manage and view specified resources. This topic describes how to use STS to enable cross-account access to Log Service resources.

Scenario

To isolate business data or outsource projects, the user of Alibaba Cloud account A wants to grant Alibaba Cloud account B specific permissions on Log Service. This allows the user of Alibaba Cloud account B to manage and maintain the specified resources. The following permissions are granted:
  • The user of Alibaba Cloud account B is authorized to write data to Log Service of Alibaba Cloud account A and use consumer groups of Alibaba Cloud account A.
  • The specified RAM users of Alibaba Cloud account B are authorized to write data to Log Service of Alibaba Cloud account A and use consumer groups of Alibaba Cloud account A.
  • The user of Alibaba Cloud account B can obtain the STS temporary security credentials and call the Log Service API operations for Alibaba Cloud account A.

Procedure

  1. The user of Alibaba Cloud account A creates a RAM role with Alibaba Cloud account B as the trusted entity. This allows Alibaba Cloud account B to assume the RAM role.
  2. The user of Alibaba Cloud account A grants the RAM role specific permissions on the Log Service resources of Alibaba Cloud account A.
  3. The user of Alibaba Cloud account B creates RAM user B1 and assigns the AliyunSTSAssumeRoleAccess policy to RAM user B1. This allows RAM user B1 to call the STS AssumeRole API operation.
  4. RAM user B1 calls the STS AssumeRole API operation to obtain temporary security credentials and uses them to make Log Service API requests. This allows RAM user B1 to manage Log Service resources of Alibaba Cloud account A.

Step 1: The user of Alibaba Cloud account A creates a RAM role for Alibaba Cloud account B

The user of Alibaba Cloud account A creates a RAM role with Alibaba Cloud account B as the trusted entity. This allows Alibaba Cloud account B to assume the RAM role.

The user of Alibaba Cloud account A can use the RAM console or call the RAM CreateRole API operation to create the RAM role. To use the RAM console, follow these steps:

  1. Use Alibaba Cloud account A to log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
  4. Specify the RAM Role Name and Note parameters.
  5. Under Select Trusted Alibaba Cloud Account, select Other Alibaba Cloud Account.
  6. Enter the account ID of Alibaba Cloud account B and click OK.
    Note To view the account ID, move your pointer over the profile picture in the upper-right corner of the console, and click Security Settings.
The following sample shows the trust policy of the RAM role created in the preceding steps. It allows only the root of Alibaba Cloud account B to call sts:AssumeRole on the role:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Account ID of Alibaba Cloud account B>:root"
        ]
      }
    }
  ],
  "Version": "1"
}

Step 2: The user of Alibaba Cloud account A grants a specified permission to the RAM role

The user of Alibaba Cloud account A grants a specified permission to the RAM role. Follow these steps:

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the page that appears, click Create Policy.
  3. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  4. In the Configuration Mode section, select Script.
  5. Enter a policy and click OK.
    The policy specifies the permissions that the user of Alibaba Cloud account A grants to Alibaba Cloud account B.
    The following sample policy grants permission to write data to Log Service:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "log:PostLogStoreLogs",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    The following sample policy grants permission to read data from the Logstore shards that the consumer library allocates and to manage the consumer groups that the library uses:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:GetCursorOrData",
            "log:CreateConsumerGroup",
            "log:ListConsumerGroup",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ConsumerGroupHeartBeat",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    The Resource element of these policies identifies the project and Logstore to which the granted permissions apply. Log Service resources are identified as follows:
    • Project: acs:log::{projectOwnerAliUid}:project/.
    • Logstore: acs:log::{projectOwnerAliUid}:project/{projectName}/logstore/{logstoreName}/.

    For more information about Log Service resources used in RAM, see Log Service resources used in RAM.

  6. In the left-side navigation pane, click RAM Roles.
  7. In the RAM Role Name column, find the target RAM role.
  8. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  9. In the Policy Name column, select the policy created in the previous step and click OK. This allows you to grant the permission specified in the policy to the RAM role.
  10. Click Finished.
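As an added check that is not part of this topic, the following Python reviews the two policy documents from Step 1 and Step 2 before they are attached: it confirms that the trust policy names only the root of account B, and that the permission policy allows every consumer-group action, flagging the "Resource": "*" grant that the samples use. The account ID and the policy texts are constructed placeholders.

```python
import json

# Consumer-group actions that the second sample policy in Step 2 grants.
CONSUMER_ACTIONS = {
    "log:GetCursorOrData", "log:CreateConsumerGroup", "log:ListConsumerGroup",
    "log:ConsumerGroupUpdateCheckPoint", "log:ConsumerGroupHeartBeat",
    "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup"}

# Constructed sample documents; the account ID of account B is a placeholder.
TRUST_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}}]})
CONSUMER_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": sorted(CONSUMER_ACTIONS), "Resource": "*", "Effect": "Allow"}]})

def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, expected_account_id):
    """Findings for a role trust policy; [] means only the root of
    expected_account_id is allowed to call sts:AssumeRole on the role."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for principal in _as_list(stmt["Principal"].get("RAM", [])):
            parts = principal.split(":")  # acs:ram::<account ID>:<entity>
            account, entity = (parts[3], parts[4]) if len(parts) == 5 else ("?", "?")
            if account != expected_account_id:
                findings.append(f"unexpected trusted account {account}")
            elif entity != "root":
                findings.append(f"trusted entity is {entity}, not the account root")
    return findings

def check_permission_policy(policy_json, required_actions):
    """Findings: required actions that are not allowed, plus any Resource "*"
    grant, which the samples use but which can be narrowed to the
    acs:log::{projectOwnerAliUid}:project/... ARNs of the shared project."""
    allowed, findings = set(), []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        allowed.update(_as_list(stmt["Action"]))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("Resource is '*': grant covers every project in account A")
    findings += [f"missing action {a}" for a in sorted(required_actions - allowed)]
    return findings
```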

Step 3: Alibaba Cloud account B creates RAM user B1 and grants a permission to RAM user B1

The user of Alibaba Cloud account B creates RAM user B1 and assigns the AliyunSTSAssumeRoleAccess policy to RAM user B1. This allows RAM user B1 to call the STS AssumeRole API operation.

  1. Use Alibaba Cloud account B to log on to the RAM console.
  2. In the left-side navigation pane, click Users under Identities.
  3. Click Create User.
    Note To create multiple RAM users at a time, click Add User.
  4. Enter the basic information of RAM user B1, select Console Password Logon and Programmatic Access, and then click OK.
    Note In this step, the user of Alibaba Cloud account B receives a verification code to verify the authorization.
  5. In the left-side navigation pane, click Users under Identities.
  6. In the User Logon Name/Display Name column, find the target RAM user.
  7. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  8. In the Policy Name column, select the AliyunSTSAssumeRoleAccess policy to grant the permission specified in the policy to RAM user B1, and click OK.
  9. Click Finished.

Step 4: RAM user B1 obtains the STS temporary security credentials to access Log Service resources

  1. Call the STS AssumeRole API operation to obtain the temporary security credentials. These credentials include the AccessKey ID, AccessKey secret, and security token.
    You can call this operation in any of the following ways:
  2. Call the Log Service API operations.
    For more information about the Log Service SDK, see Overview.
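As an added example of Step 4, and not the Java sample that this topic links to, the following Python builds the signed STS AssumeRole request that RAM user B1 sends with its own AccessKey pair, following the RPC SignatureVersion 1.0 (HMAC-SHA1) signing method, and extracts the temporary credentials from the response while rejecting an expired set. The role ARN, AccessKey values, and response body are constructed placeholders; sending the request is left to the caller.

```python
import base64, hashlib, hmac, json, uuid
from datetime import datetime, timezone
from urllib.parse import quote

def _pct(value):
    # RPC-style percent-encoding: everything except A-Z a-z 0-9 - _ . ~ is escaped.
    return quote(str(value), safe="-_.~")

def assume_role_query(access_key_id, access_key_secret, role_arn, session_name,
                      duration=3600, nonce=None, timestamp=None):
    """Signed query string for STS AssumeRole (SignatureVersion 1.0, HMAC-SHA1).
    RAM user B1 signs with its own AccessKey pair; the response carries the
    temporary credentials of the RAM role in account A."""
    params = {
        "Action": "AssumeRole", "Version": "2015-04-01", "Format": "JSON",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "DurationSeconds": duration, "AccessKeyId": access_key_id,
        "SignatureMethod": "HMAC-SHA1", "SignatureVersion": "1.0",
        "SignatureNonce": nonce or uuid.uuid4().hex,  # replay protection
        "Timestamp": timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    # Canonicalized query: parameters sorted by name, each name and value encoded.
    canonical = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    string_to_sign = "GET&" + _pct("/") + "&" + _pct(canonical)
    key = (access_key_secret + "&").encode()  # secret plus a trailing "&"
    digest = hmac.new(key, string_to_sign.encode(), hashlib.sha1).digest()
    return canonical + "&Signature=" + _pct(base64.b64encode(digest).decode())

def credentials_from_response(body, now_iso):
    """(AccessKeyId, AccessKeySecret, SecurityToken) from the AssumeRole JSON
    response, or None when Expiration is not later than now_iso. Both are UTC
    timestamps of the form YYYY-MM-DDThh:mm:ssZ, so string order is time order."""
    cred = json.loads(body)["Credentials"]
    if cred["Expiration"] <= now_iso:
        return None
    return cred["AccessKeyId"], cred["AccessKeySecret"], cred["SecurityToken"]

# Constructed sample response in the shape STS returns; all values are placeholders.
SAMPLE_RESPONSE = json.dumps({"RequestId": "placeholder", "Credentials": {
    "AccessKeyId": "STS.placeholder", "AccessKeySecret": "secret-placeholder",
    "SecurityToken": "token-placeholder", "Expiration": "2030-01-01T00:00:00Z"}})
```

The three returned values are what the Log Service client takes in place of a long-lived AccessKey pair; the SDK clients accept the security token alongside the AccessKey ID and secret, and a fresh set must be requested once Expiration passes.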

Sample code

Based on the SDK for Java, the sample code shows how RAM user B1 of Alibaba Cloud account B writes data to a project of Alibaba Cloud account A by using STS.

Click here to download the sample code.