This topic describes how to create a RAM role whose trusted entity is an Alibaba Cloud account and authorize the RAM role to access Log Service resources. This type of RAM role is used for cross-account access and temporary authorization.

Background information

Roles and users are identities that are used in Resource Access Management (RAM). A RAM role is a virtual identity that does not have a credential, such as a password or an AccessKey pair. If an entity user assumes a RAM role, the entity user can obtain and use the Security Token Service (STS) token of the role to access the corresponding resources. You can assign the RAM role to a trusted entity, such as an Alibaba Cloud account, a RAM user, or an Alibaba Cloud service. For more information, see RAM role overview.

Step 1: Create a RAM role

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role.
  4. In the Select Role Type step, select Alibaba Cloud Account in the Trusted entity type section and click Next.
  5. In the Configure Role step, set the parameters and click OK. The following table describes the parameters.
    Parameter Description
    RAM Role Name Enter the name of the RAM role, for example, aliyunlogreadrole.
    Note Enter the description of the RAM role.
    Select Trusted Alibaba Cloud Account Select an Alibaba Cloud account as a trusted entity.
    • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
    • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to authorize different Alibaba Cloud accounts.
  6. In the Finish step, click Close.

Step 2: Grant permissions to the RAM role

After you create a RAM role, the RAM role does not have permissions. Before the specified Alibaba Cloud account assumes the RAM role to manage Log Service resources, you must attach the required system policies or custom policies to the RAM role. RAM provides the following two system policies for Log Service:
  • AliyunLogFullAccess: the permissions to manage all Log Service resources.
  • AliyunLogReadOnlyAccess: the read-only permissions on all Log Service resources.

If the system policies do not meet your business requirements, you can create a custom policy to implement fine-grained access control. For more information, see Create a custom policy. For information about the examples of policies, see Use custom policies to grant permissions to a RAM user and Overview.

To attach the AliyunLogReadOnlyAccess policy to a RAM role, perform the following steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, select the AliyunLogReadOnlyAccess policy and click OK.
  5. Confirm the authorization result and click Complete.

Step 3: Assign the RAM role to a RAM user of the specified Alibaba Cloud account

You must use the specified Alibaba Cloud account to grant the AliyunSTSAssumeRoleAccess permission to a RAM user of the account. Then, the RAM user can be used to call the AssumeRole operation of STS and assume the RAM role that is created in Step 1: Create a RAM role.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, click System Policy, select the AliyunSTSAssumeRoleAccess policy, and then click OK.
  5. Confirm the authorization result and click Complete.

Step 4: Obtain an STS token for the RAM role

After you grant the AssumeRole permission to a RAM user, the RAM user calls the AssumeRole operation to obtain a temporary STS token for the RAM role that is created in Step 1: Create a RAM role.

Note
  • For more information about how to call the AssumeRole operation, see STS SDK for Java.
  • After a RAM user obtains the AccessKey ID, AccessKey secret, and STS token, the RAM user can access Log Service by using the SDKs. For more information, see Overview.