
Simple Log Service:Access data across accounts with custom roles

Last Updated:Mar 26, 2026

If your Simple Log Service resources are in Alibaba Cloud account A and your Object Storage Service (OSS) resources are in Alibaba Cloud account B, you must use custom roles to ship data from a Simple Log Service Logstore to an OSS bucket across accounts. This topic describes how to grant the required permissions.

Step 1: Grant read access to RAM role role-a

After you grant the RAM role role-a in account A permission to read Logstore data, an OSS data shipping job can assume this role to read data from the Logstore.

  1. Log in to the RAM console by using Alibaba Cloud account A.

  2. Create a custom policy to grant permission to read data from the Logstore.

    You can use either exact match authorization or wildcard match authorization.

    Exact match

    On the Create Policy page, click the JSON tab and enter the following policy. For more information, see Create a custom policy by using the policy editor.

    Important

    Replace your-project-name and your-logstore-name in the policy document with the names of your project and Logstore.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:GetCursorOrData",
                    "log:ListShards"
                ],
                "Resource":[
                    "acs:log:*:*:project/your-project-name/logstore/your-logstore-name"
                ],
                "Effect":"Allow"
            }
        ]
    }

    Wildcard match

    On the Create Policy page, click the JSON tab and enter the following policy. For more information, see Create a custom policy by using the policy editor.

    Important
    • Use wildcard match authorization if you have multiple projects and Logstores with similar names, for example log-project-dev-a and log-project-dev-b, or website_a_log and website_b_log.

    • In the policy, replace log-project-dev-* and website_*_log* to match your project and Logstore names.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:GetCursorOrData",
                    "log:ListShards"
                ],
                "Resource":[
                    "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
                ],
                "Effect":"Allow"
            }
        ]
    }
  3. Create a RAM role named role-a. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  4. Attach the custom policy to the role-a RAM role. For more information, see Grant permissions to a RAM role.

Next steps

Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View RAM role details.

When you create an OSS data shipping job, enter this ARN for the RAM Role for Reading Logstore parameter if you select Custom Role. For more information, see Create an OSS data shipping job (new version).

Step 2: Grant write access to RAM role role-b

Granting the RAM role role-b in account B permission to write to an OSS bucket allows an OSS data shipping job to assume this role and ship data to the bucket in account B.

  1. Log in to the RAM console by using Alibaba Cloud account B.

  2. Create a custom policy to grant permission to write to an OSS bucket.

    On the Create Policy page, click the JSON tab and enter the following policy. For more information, see Create a custom policy by using the policy editor.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:PutObject"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    Note

    For more granular control over OSS permissions, see RAM policies.

  3. Create a RAM role named role-b. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  4. Modify the trust policy of the RAM role role-b. For more information, see Edit the trust policy of a RAM role.

    Important

    Add ACCOUNT_A_ID@log.aliyuncs.com to the Service list within the Principal object of the trust policy. Replace ACCOUNT_A_ID with the ID of Alibaba Cloud account A. You can find your account ID in the Account Center.

    With this policy, principals in Alibaba Cloud account A can use Simple Log Service to obtain temporary credentials to access resources in Alibaba Cloud account B.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "log.aliyuncs.com",
                        "ACCOUNT_A_ID@log.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  5. Attach the custom policy to the role-b RAM role. For more information, see Grant permissions to a RAM role.
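As an added check (example code written for this page, not Alibaba Cloud's own tooling), the script below evaluates the three policy documents from Step 1 and Step 2 offline before you create the shipping job: it applies RAM-style `*` wildcard matching to the Logstore read policy for a given project and Logstore, confirms that the trust policy of role-b lists both log.aliyuncs.com and ACCOUNT_A_ID@log.aliyuncs.com, and flags the Resource "*" in the OSS write policy as a least-privilege finding. It assumes that `*` is the only wildcard in Action and Resource strings, that OSS resources are written as acs:oss:*:*:bucket/object, and that the account ID and bucket name are placeholders.

```python
import re

# Constructed samples copied from this page; the account ID is a placeholder.
ACCOUNT_A_ID = "ACCOUNT_A_ID_PLACEHOLDER"
LOGSTORE_READ_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["log:GetCursorOrData", "log:ListShards"],
    "Resource": ["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"]}]}
OSS_WRITE_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["oss:PutObject"], "Resource": "*"}]}
ROLE_B_TRUST_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"Service": [
        "log.aliyuncs.com", f"{ACCOUNT_A_ID}@log.aliyuncs.com"]}}]}

def _match(pattern, value):
    """'*' is the only wildcard in RAM Action/Resource strings (assumption)."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows(policy, action, resource):
    """True if some Allow statement covers both the action and the resource."""
    return any(s.get("Effect") == "Allow"
               and any(_match(a, action) for a in _as_list(s["Action"]))
               and any(_match(r, resource) for r in _as_list(s["Resource"]))
               for s in policy["Statement"])

def trusted_services(trust_policy):
    """Service principals allowed to assume the role (sts:AssumeRole, Allow)."""
    return {svc for s in trust_policy["Statement"]
            if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
            for svc in _as_list(s.get("Principal", {}).get("Service", []))}

def check_setup(read_policy, write_policy, role_b_trust, account_a_id, project, logstore):
    """Return a list of findings; an empty list means the documents line up."""
    findings = []
    res = f"acs:log:*:*:project/{project}/logstore/{logstore}"
    for act in ("log:GetCursorOrData", "log:ListShards"):
        if not policy_allows(read_policy, act, res):
            findings.append(f"role-a policy does not allow {act} on {res}")
    # example-bucket is a placeholder for the destination bucket in account B
    if not policy_allows(write_policy, "oss:PutObject", "acs:oss:*:*:example-bucket/*"):
        findings.append("role-b policy does not allow oss:PutObject")
    if any("*" in _as_list(s["Resource"]) for s in write_policy["Statement"]):
        findings.append("role-b policy uses Resource '*'; scope it to the target bucket")
    services = trusted_services(role_b_trust)
    for needed in ("log.aliyuncs.com", f"{account_a_id}@log.aliyuncs.com"):
        if needed not in services:
            findings.append(f"role-b trust policy is missing {needed}")
    return findings
```

Run check_setup with your real project, Logstore and account A ID after replacing the constructed policies with the JSON you pasted into the console; a non-empty result points at the document that needs another look.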

Next steps

Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View RAM role details.

When you create an OSS data shipping job, enter this ARN for the RAM Role for Writing to OSS parameter if you select Custom Role. For more information, see Create an OSS data shipping job (new version).
