You can assign a custom role to a data transformation task to read data from a source Logstore and write transformed data to one or more destination Logstores. This topic describes how to grant access permissions on Logstores to a custom role.
Prerequisites
A Resource Access Management (RAM) role is created. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Grant the RAM role the permissions to read data from a source Logstore
After you use an Alibaba Cloud account to authorize the RAM role, the RAM role has permissions to read data from the source Logstore. When you create a data transformation task, you can use the RAM role. For more information, see Create a data transformation job.
- Log on to the RAM console by using your Alibaba Cloud account.
- Create a policy. The policy is used to allow the RAM role to read data from a source Logstore.
- Attach the policy to the RAM role.
- Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logsource.
Grant the RAM role the permissions to write data to destination Logstores within the same Alibaba Cloud account
If the source and destination Logstores belong to the same Alibaba Cloud account, you can use an Alibaba Cloud account to authorize the RAM role. Then, the RAM role has the permissions to write transformed data to the destination Logstores. When you create a data transformation task, you can use the RAM role. For more information, see Create a data transformation job.
- Log on to the RAM console by using your Alibaba Cloud account.
- Create a policy.
- Attach the policy to the RAM role.
- Obtain the ARN of the RAM role. In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logtarget.
Grant the RAM role the permissions to write data to destination Logstores across Alibaba Cloud accounts
If the source and destination Logstores belong to different Alibaba Cloud accounts, perform the following steps to grant permissions to the RAM role. For example, a data transformation task is created to read data from a source Logstore that belongs to Alibaba Cloud Account A and write transformed data to a destination Logstore that belongs to Alibaba Cloud Account B.
- Use Alibaba Cloud Account B to log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Roles page, click the name of the RAM role.
- On the page that appears, click the Trust Policy Management tab. Then, click Edit Trust Policy.
- Modify the policy.
In the Service element, add the entry "ID of Alibaba Cloud Account A to which the source Logstore belongs@log.aliyuncs.com", and replace the placeholder "ID of Alibaba Cloud Account A to which the source Logstore belongs" with the actual ID of Alibaba Cloud Account A (the account that owns the source Logstore). You can view the ID of an Alibaba Cloud account in the Account Management console. The following trust policy allows Log Service, acting on behalf of Alibaba Cloud Account A, to obtain a temporary token to manage the cloud resources of Alibaba Cloud Account B.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ID of Alibaba Cloud Account A to which the source Logstore belongs@log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
- Obtain the ARN of the RAM role. In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13234:role/logtarget.
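The following Python script is an added example, not part of the original topic and not Alibaba Cloud code. It covers the two values this procedure hands from one account to the other: the cross-account trust policy edited in the step above, and the RAM role ARN whose format the topic shows as acs:ram::13234:role/logtarget. It builds the trust policy from a list of source account IDs, audits an existing trust policy for a wildcard principal, a principal other than the Log Service principal, or the placeholder string left unreplaced, and parses a role ARN into its account ID and role name. The helper names, the ARN regular expression, and the sample policies are assumptions made for this example; the account ID 13234 and the role names are the topic's own example values.

```python
import json
import re

# The Log Service principal suffix used in the topic's trust policy.
LOG_SERVICE_SUFFIX = "@log.aliyuncs.com"

# Placeholder text from the topic that must be replaced with a real account ID.
PLACEHOLDER = "ID of Alibaba Cloud Account A to which the source Logstore belongs"

# Assumed ARN layout, matching the topic's example acs:ram::13234:role/logtarget.
ROLE_ARN_RE = re.compile(r"^acs:ram::(?P<account_id>\d+):role/(?P<role_name>[^/]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name) for a RAM role ARN, or None if malformed."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        return None
    return m.group("account_id"), m.group("role_name")


def build_trust_policy(source_account_ids):
    """Build the topic's trust policy for one or more source-account IDs.

    Each principal is '<account ID>@log.aliyuncs.com', which trusts Log Service
    acting on behalf of that account rather than the account as a whole.
    """
    principals = []
    for account_id in source_account_ids:
        if not account_id.isdigit():
            raise ValueError(f"account ID must be numeric: {account_id!r}")
        principals.append(f"{account_id}{LOG_SERVICE_SUFFIX}")
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": principals},
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, expected_account_ids):
    """Return findings for a trust policy that should trust only Log Service for
    the given accounts. An empty list means the policy is as tight as expected."""
    findings = []
    expected = {f"{a}{LOG_SERVICE_SUFFIX}" for a in expected_account_ids}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("AssumeRole allowed for any principal")
            continue
        for kind, members in principal.items():
            if isinstance(members, str):
                members = [members]
            for member in members:
                if member == "*":
                    findings.append(f"wildcard {kind} principal")
                elif kind != "Service":
                    findings.append(f"unexpected {kind} principal {member}")
                elif PLACEHOLDER in member:
                    findings.append("placeholder not replaced in service principal")
                elif member not in expected:
                    findings.append(f"unexpected service principal {member}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(["13234"])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, ["13234"]))
    print("ARN parts:", parse_role_arn("acs:ram::13234:role/logtarget"))
```

Run audit_trust_policy against the trust policy you pasted into the console before saving it: a non-empty findings list means the role in Account B can be assumed by more than the Log Service principal of Account A, which is wider than this procedure intends.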
What to do next
When you create a data transformation task, specify the ARN of the RAM role. For more information, see Create a data transformation job.
- In Section 1, enter the ARN of the RAM role that has permissions to read data from a source Logstore. For more information, see Grant the RAM role the permissions to read data from a source Logstore.
- In Section 2, enter the ARN of the RAM role that has permissions to write data to destination Logstores. For more information, see Grant the RAM role the permissions to write data to destination Logstores within the same Alibaba Cloud account or Grant the RAM role the permissions to write data to destination Logstores across Alibaba Cloud accounts.
