All Products
Search

This Product

    Simple Log Service:Grant a RAM role the permissions to access Logstores in the same Alibaba Cloud account

    Document Center

    Simple Log Service:Grant a RAM role the permissions to access Logstores in the same Alibaba Cloud account

    Last Updated:Dec 19, 2023

    When Scheduled SQL jobs run, the jobs execute SQL statements to analyze data in source Logstores, and then save the analysis results to destination Logstores or destination Metricstores. You can assign a Resource Access Management (RAM) role to a Scheduled SQL job to complete the preceding operations. If the source and destination Logstores belong to the same Alibaba Cloud account, perform the steps that are described in this topic to grant permissions to the RAM role. You can specify Logstores or Metricstores when you configure Scheduled SQL jobs. This topic describes how to grant a RAM role the permissions to access Logstores in the same Alibaba Cloud account.

    Prerequisites

    A RAM role is created. For more information, see Step 1: Create a RAM role.

    Step 1: Grant the RAM role the permissions to analyze log data in a source Logstore

    After you grant the RAM role the permissions to analyze log data in a source Logstore, a Scheduled SQL job can assume the RAM role to perform SQL analysis on the log data in the source Logstore.

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. Create a policy that contains the permissions to analyze the log data of a source Logstore.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.

        Parameter

        Description

        Policy Name

        The name of the policy. Example: log-scheduled-sql-policy.

        Configuration Mode

        Select Script.

        Policy Document

        The content of the policy. Replace the content in the editor with the following script.

        • Policy that uses exact names to match resources

          In this example, the name of the source project is log-project-prod. The name of the source Logstore is website_log. You can replace the names with the actual names of your projects and Logstores.

          Important

          Logstores that are displayed in a policy can also be Metricstores. If you want to manage Metricstores, the following policy also applies. 

          {
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "log:PostProjectQuery"
            ],
            "Resource":[
                "acs:log:*:*:project/log-project-prod/logstore/website_log",
                "acs:log:*:*:project/log-project-prod/logstore/website_log/*"
            ],
            "Effect":"Allow"
        },
        {
            "Action":[
                "log:GetProjectQuery",
                "log:PutProjectQuery",
                "log:DeleteProjectQuery"
            ],
            "Resource":[
                "acs:log:*:*:project/log-project-prod"
            ],
            "Effect":"Allow"
        }
    ]
}

        • Policy that uses wildcards to match resources

          In this example, the names of the source projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the source Logstores are website_a_log, website_b_log, and website_c_log. You can replace the names with the actual names of your projects and Logstores. 

          {
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "log:PostProjectQuery"
            ],
            "Resource":[
                "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log",
                "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log/*"
            ],
            "Effect":"Allow"
        },
        {
            "Action":[
                "log:GetProjectQuery",
                "log:PutProjectQuery",
                "log:DeleteProjectQuery"
            ],
            "Resource":[
                "acs:log:*:*:project/log-project-dev-*"
            ],
            "Effect":"Allow"
        }
    ]
}

    3. Grant permissions to the RAM role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. Find the RAM role and click Add Permissions in the Actions column.

      3. Click Custom Policy in the Select Policy section and select the policy that you created in Step 2, for example, log-scheduled-sql-policy. Then, click OK.

      4. Confirm the authorization result and click Complete.

    4. Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role.

      In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13****44:role/logrole. We recommend that you record the ARN. If you use a custom role when you create a Scheduled SQL job, you must enter the ARN.

    Step 2: Grant the RAM role the permissions to write data to a destination Logstore

    After you grant the RAM role the permissions to write data to a destination Logstore, a Scheduled SQL job can assume the RAM role to write SQL analysis results to the destination Logstore.

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. Create a policy that contains the permissions to access a destination Logstore.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Custom Policy page, set the parameters and click OK. The following table describes the parameters.

        Parameter

        Description

        Policy Name

        The name of the policy. Example: log-sink-write-policy.

        Configuration Mode

        Select Script.

        Policy Document

        The content of the policy. Replace the content in the editor with the following script.

        • Policy that uses exact names to match resources

          In this example, the name of the destination project is log-project-prod. The name of the destination Logstore is website_log_output. You can replace the names with the actual names of your projects and Logstores.

          Important

          Logstores that are displayed in a policy can also be Metricstores. If you want to manage Metricstores, the following policy also applies. 

          {
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*",
        "log:BatchPost*"
      ],
       "Resource": "acs:log:*:*:project/log-project-prod/logstore/website_log_output",
      "Effect": "Allow"
    }
  ]
}

        • Policy that uses wildcards to match resources

          In this example, the names of the destination projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the destination Logstores are website_a_log_output, website_b_log_output, and website_c_log_output. You can replace the names with the actual names of your projects and Logstores. 

          {
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*",
        "log:BatchPost*"
      ],
       "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log_output",
      "Effect": "Allow"
    }
  ]
}

    3. Grant permissions to the RAM role.

      1. In the left-side navigation pane, choose Identities > Roles.

      2. Find the RAM role and click Add Permissions in the Actions column.

      3. Click Custom Policy in the Select Policy section and select the policy that you created in Step 2, for example, log-sink-write-policy. Then, click OK.

      4. Confirm the authorization result and click Complete.

    4. Obtain the ARN of the RAM role.

      In the Basic Information section of the RAM role, obtain the ARN. Example: acs:ram::13****44:role/logrole. We recommend that you record the ARN. If you use a custom role when you create a Scheduled SQL job, you must enter the ARN.