This topic describes how to collect container logs from Container Service for Kubernetes (ACK) across Alibaba Cloud accounts.
Background information
For example, an e-commerce enterprise has two e-commerce applications that are deployed on ACK clusters in the China (Hangzhou) region. The enterprise uses two Simple Log Service projects that reside in the China (Hangzhou) region to manage logs.
Application A is deployed on an ACK cluster that belongs to Alibaba Cloud Account A (12****456) and Simple Log Service is activated for the account to manage logs.
Application B is deployed on an ACK cluster that belongs to Alibaba Cloud Account B (17****397) and Simple Log Service is activated for the account to manage logs.
The enterprise wants to use Simple Log Service that is activated for Alibaba Cloud Account A (12****456) to collect the logs of the two applications and store the logs in two Logstores of the same project. In this case, you must create a Logtail configuration, a machine group, and a Logstore to collect and store the logs of Application B. The Logtail configuration, machine group, and Logstore that are configured for Application A remain unchanged. 
Step 1: Configure the ID of an Alibaba Cloud account as a user identifier
Log on to the ACK console with Alibaba Cloud Account B.
Configure the ID of Alibaba Cloud Account A as a user identifier.
In the left-side navigation pane, click Clusters.
On the Clusters page, click the cluster that you want to manage.
In the left-side navigation pane, choose .
Set the Namespace parameter to kube-system. In the ConfigMap list, find alibaba-log-configuration and click Edit in the Actions column.
In the Edit panel, configure the following configuration and click OK.
Add the ID of Alibaba Cloud Account A to the log-ali-uid file, and then obtain the value of the log-machine-group parameter, for example, k8s-group-cc47****54428. When you create a machine group, specify the value for the Custom Identifier parameter.
Separate multiple account IDs with commas (,). Example:
17****397,12****456.
Restart logtail-ds for the settings to take effect.
In the left-side navigation pane, choose .
In the DaemonSets list, find logtail-ds and click Edit in the Actions column.
In the Environment Variable section, click Add.
Add a custom variable and specify an arbitrary key-value pair, for example, random_id: 439157431651471905349.
Click Update.
On the details page of logtail-ds, check whether each container pod is in the Running state and whether the time when each pod is created is the same as the time when you update the settings.
Step 2: Create a machine group
Log on to the Log Service console with Alibaba Cloud Account A.
In the Projects section, click the project that you want to manage.
In the left-side navigation pane, choose .
On the Machine Groups tab, choose
> Create Machine Group. In the Create Machine Group panel, configure the parameters and click OK, as shown in the following figure.
In the Custom Identifier field, enter the machine group identifier that you obtained in Step 1: Configure the ID of an Alibaba Cloud account as a user identifier, for example, k8s-group-cc47****54428. For information about other parameters, see Create a custom identifier-based machine group.
Check whether the heartbeat status of each server in the machine group is OK.
In the Machine Groups list, click the machine group that you created.
On the Machine Group Settings page, view the status of each Elastic Compute Service (ECS) instance.
If the Heartbeat status is OK, the ECS instance is connected to Simple Log Service. If the status is FAIL, see What do I do if a Logtail machine group has no heartbeats?
Step 3: Create a Logtail configuration
Log on to the Log Service console with Alibaba Cloud Account A.
In the Import Data section, click Kubernetes - Object.
Select a project and a Logstore. Then, click Next.
Click Use Existing Machine Groups.
Select the machine group that you created in Step 2: Create a machine group, move the machine group from the Source Server Groups section to the Applied Server Groups, and then click Next.
Configure the parameters for the Logtail configuration and click Next.
For information about the parameters, see Use the Simple Log Service console to collect container text logs in DaemonSet mode.
Important- By default, you can use only one Logtail configuration to collect each log file. The collection process of Logtail in Alibaba Cloud Account B is not stopped. In this case, the Logtail configuration of Alibaba Cloud Account A cannot take effect. To make sure that the Logtail configuration of Alibaba Cloud Account A takes effect, you can use one of the following methods:
- Stop the collection process in Alibaba Cloud Account B. To stop the collection process, log on to the Log Service console with Alibaba Cloud Account B and remove the original Logtail configuration from the machine group. For more information, see Apply Logtail configurations to a machine group.
- Add compulsory collection settings to the Logtail configuration of Alibaba Cloud Account A. For more information, see What do I do if I want to use multiple Logtail configurations to collect logs from a log file?.
- After you create the Logtail configuration, delete the original Logtail configuration of Alibaba Cloud Account B to prevent repeated collection of logs. For more information, see Delete Logtail configurations.
- By default, you can use only one Logtail configuration to collect each log file. The collection process of Logtail in Alibaba Cloud Account B is not stopped. In this case, the Logtail configuration of Alibaba Cloud Account A cannot take effect. To make sure that the Logtail configuration of Alibaba Cloud Account A takes effect, you can use one of the following methods:
Preview data, configure indexes, and then click Next.
By default, Simple Log Service enables full-text indexing. You can configure field indexes based on the logs that are collected in manual mode or automatic mode. For more information, see Create indexes
Related operations
If you want to migrate historical data from Alibaba Cloud Account B to the current Logstore, you can create a data transformation job in the original Logstore, and then replicate the data to the current Logstore. For more information, see Replicate data from a Logstore.
If you create a data transformation job to transform data across Alibaba Cloud accounts, you must use a custom role or an AccessKey pair to grant the required permissions for the job. In this example, a custom role is used.
The first role ARN is used to grant the custom role or AccessKey pair the required permissions to read data from a source Logstore. For information about how to grant the required permissions to a RAM role, see Grant the RAM role the permissions to read data from a source Logstore.
The second role ARN is used to grant the custom role or AccessKey pair the required permissions to write transformation results to a destination Logstore. For information about how to grant the required permissions to a RAM role, see Grant the RAM role the permissions to write data to destination Logstores across Alibaba Cloud accounts.