Simple Log Service:Access data by using a default role

Last Updated:Apr 19, 2024

The AliyunLogDefaultRole system role has permissions to read data from Logstores and write the data to Object Storage Service (OSS) buckets. You can assign the AliyunLogDefaultRole role to a data shipping job of the new version to read data from a source Logstore and write the data to a destination OSS bucket.

Ship data within an Alibaba Cloud account

If your Simple Log Service Logstore and OSS bucket belong to the same Alibaba Cloud account, you only need to use that Alibaba Cloud account to authorize Simple Log Service to access cloud resources. You can go to the Cloud Resource Access Authorization page to complete the authorization.

After you complete the authorization, a data shipping job of the new version can assume the AliyunLogDefaultRole role to read data from the source Logstore and write the data to the destination OSS bucket. When you create a data shipping job of the new version, enter the Alibaba Cloud Resource Name (ARN) of the AliyunLogDefaultRole role in the OSS Write RAM Role and Logstore Read RAM Role fields. In this example, acs:ram::10****12:role/aliyunlogdefaultrole is entered. For more information, see Obtain the ARN of the AliyunLogDefaultRole role.

Ship data across Alibaba Cloud accounts

If the source Logstore belongs to Alibaba Cloud Account A and the destination OSS bucket belongs to Alibaba Cloud Account B, you must use the two accounts to complete authorization on the Cloud Resource Access Authorization page. Then, you must complete the following steps:

  1. Use Alibaba Cloud Account B to log on to the Resource Access Management (RAM) console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. Modify the trust policy of the AliyunLogDefaultRole role.

    1. On the Roles page, find the AliyunLogDefaultRole role and click the name of the role.

    2. On the Trust Policy tab, click Edit Trust Policy.

    3. Replace the content in the code editor with the following policy document and click Save trust policy document.

      Add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element, replacing ID of Alibaba Cloud Account A with the actual account ID. You can view the ID of your Alibaba Cloud account in the Account Center console.

      The following policy allows Alibaba Cloud Account A to obtain a temporary Security Token Service (STS) token to manage the cloud resources of Alibaba Cloud Account B:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ID of Alibaba Cloud Account A@log.aliyuncs.com",
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

    After you configure the settings, you can assign the AliyunLogDefaultRole role of Alibaba Cloud Account A to a data shipping job of the new version to read data from the source Logstore. You must also assign the AliyunLogDefaultRole role of Alibaba Cloud Account B to the data shipping job of the new version to write the data to the destination OSS bucket. When you create a data shipping job of the new version, enter the ARN of the AliyunLogDefaultRole role of Alibaba Cloud Account B in the OSS Write RAM Role field. In this example, acs:ram::11****13:role/aliyunlogdefaultrole is entered. Then, enter the ARN of the AliyunLogDefaultRole role of Alibaba Cloud Account A in the Logstore Read RAM Role field. In this example, acs:ram::10****12:role/aliyunlogdefaultrole is entered. For more information, see Obtain the ARN of the AliyunLogDefaultRole role.
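    As an added example (not part of the Alibaba Cloud documentation or the product), the following Python builds the trust policy shown above for one or more source accounts and audits an existing trust policy against the accounts that should still be allowed to read, so that a principal left over from an earlier shipping setup, or a principal of another type, is reported rather than silently kept. The account ID 1234567890123456 is a constructed sample, and the all-digit check on account IDs is an assumption.

```python
import json
import re

LOG_SERVICE = "log.aliyuncs.com"
# Assumption: Alibaba Cloud account IDs are all-digit strings; the page's
# "ID of Alibaba Cloud Account A" placeholder is rejected on purpose.
ACCOUNT_ID_RE = re.compile(r"^\d+$")


def build_trust_policy(source_account_ids):
    """Trust policy for AliyunLogDefaultRole in the destination (OSS) account.
    Each source account becomes the service principal '<id>@log.aliyuncs.com';
    the bare 'log.aliyuncs.com' principal is kept so same-account jobs work."""
    services = []
    for acct in source_account_ids:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not an account ID: {acct!r}")
        services.append(f"{acct}@{LOG_SERVICE}")
    services.append(LOG_SERVICE)
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": services},
        }],
        "Version": "1",
    }


def audit_trust_policy(policy, expected_source_ids):
    """Compare a trust policy (dict or JSON text) with the source accounts that
    should be allowed. Returns the principals that are missing and those that
    grant sts:AssumeRole to anyone else, e.g. an account that no longer ships."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    expected = {f"{acct}@{LOG_SERVICE}" for acct in expected_source_ids}
    expected.add(LOG_SERVICE)
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, value in stmt.get("Principal", {}).items():
            values = value if isinstance(value, list) else [value]
            # Non-Service principals (RAM, Federated) are never expected on this
            # role, so they keep their type prefix and show up as unexpected.
            granted.update(v if kind == "Service" else f"{kind}:{v}" for v in values)
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected)}
```

    Run the audit against the policy document copied from the Trust Policy tab whenever a source account is added or retired.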

Obtain the ARN of the AliyunLogDefaultRole role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the AliyunLogDefaultRole role and click the name of the role.

  4. On the page that appears, obtain the ARN of the role in the Basic Information section.

    We recommend that you record the ARN. If you use a default role when you create a data shipping job to ship data to OSS, you must enter the ARN.