When you run an Object Storage Service (OSS) data shipping job of the new version, the job reads data from a Logstore and ships the data to an OSS bucket. You can authorize the job to assume a custom Resource Access Management (RAM) role to access the required data. If the Logstore and OSS bucket belong to different Alibaba Cloud accounts, you can perform the steps that are described in this topic to authorize the job to access data by using a custom RAM role.
Prerequisites
RAM Role A is created in Alibaba Cloud Account A, and RAM Role B is created in Alibaba Cloud Account B. For more information, see Step 1: Create a RAM role.
Step 1: Grant RAM Role A the permissions to read data from a Logstore
After you grant RAM Role A the permissions to read data from a Logstore that belongs to Alibaba Cloud Account A, an OSS data shipping job can assume the role to read data from the Logstore.
Use Alibaba Cloud Account A to log on to the RAM console.
Create a policy that grants the permissions to read data from a Logstore.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.
Policy that uses exact match
You can replace the project and Logstore names based on your business requirements.
{ "Version":"1", "Statement":[ { "Action":[ "log:GetCursorOrData", "log:ListShards" ], "Resource":[ "acs:log:*:*:project/Project name/logstore/Logstore name", "acs:log:*:*:project/Project name/logstore/Logstore name/*" ], "Effect":"Allow" } ] }Policy that uses fuzzy match
In this example, fuzzy match is used. The project name can be log-project-dev-a, log-project-dev-b, or log-project-dev-c, and the Logstore name can be website_a_log, website_b_log, or website_c_log. You can replace the project and Logstore names based on your business requirements.
{ "Version":"1", "Statement":[ { "Action":[ "log:GetCursorOrData", "log:ListShards" ], "Resource":[ "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*", "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*/*" ], "Effect":"Allow" } ] }
Configure Name and click OK.
For example, you can specify log-oss-export-source-policy.
Attach the policy to RAM Role A.
In the left-side navigation pane, choose .
Find RAM Role A and click Grant Permission in the Actions column.
In the panel that appears, find Select Policy and click Custom Policy. Then, select the policy that you created in Step 2 and click OK. For this example, select log-oss-export-source-policy.
Confirm the authorization results. Then, click Complete.
Obtain the Alibaba Cloud Resource Name (ARN) of RAM Role A.
You can view the ARN of a RAM role in the Basic Information section of the role details page. Example: acs:ram::13****44:role/logrole. You must record the ARN. If you use a custom RAM role when you create an OSS data shipping job, you must enter the ARN of the role in the Logstore Read RAM Role field.
Step 2: Grant RAM Role B the permissions to write data to an OSS bucket
After you grant RAM Role B the permissions to write data to an OSS bucket that belongs to Alibaba Cloud Account B, an OSS data shipping job can assume the role to write data that is read from the Logstore in Alibaba Cloud Account A to the bucket.
Use Alibaba Cloud Account B to log on to the RAM console.
Create a policy that grants the permissions to write data to an OSS bucket.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.
{ "Version": "1", "Statement": [ { "Action": [ "oss:PutObject" ], "Resource": "*", "Effect": "Allow" } ] }If you want to implement finer-grained access control on OSS resources, you can configure the policy based on the instructions provided in RAM policies.
Configure Name and click OK.
For example, you can specify log-oss-export-sink-policy.
Attach the policy to RAM Role B.
In the left-side navigation pane, choose .
Find RAM Role B and click Grant Permission in the Actions column.
In the panel that appears, find Select Policy and click Custom Policy. Then, select the policy that you created in Step 2 and click OK. For this example, select log-oss-export-sink-policy.
Confirm the authorization results. Then, click Complete.
Modify the trust policy of RAM Role B.
On the Roles page, click the name of RAM Role B.
On the Trust Policy tab, click Edit Trust Policy.
Modify the trust policy.
Add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element. Replace ID of Alibaba Cloud Account A with the actual ID. You can view the ID of your Alibaba Cloud account in the Account Management console.
The following policy allows Alibaba Cloud Account A to obtain a temporary Security Token Service (STS) token to manage the cloud resources of Alibaba Cloud Account B:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "log.aliyuncs.com", "ID of Alibaba Cloud Account A@log.aliyuncs.com" ] } } ], "Version": "1" }Click OK.
Obtain the ARN of RAM Role B.
You can view the ARN of a RAM role in the Basic Information section of the role details page. Example: acs:ram::11****55:role/ossrole. You must record the ARN. If you use a custom RAM role when you create an OSS data shipping job, you must enter the ARN of the role in the OSS Write RAM Role field.
