Simple Log Service: Access data by using a default role

Last Updated: Mar 25, 2026

The AliyunLogDefaultRole system role has permissions to read data from a Logstore and ship data to an Object Storage Service (OSS) bucket. You can authorize a data shipping job (new version) to use the AliyunLogDefaultRole role to read data from a source Logstore and ship it to an OSS bucket.

Ship data within an Alibaba Cloud account

If your Simple Log Service Logstore and OSS bucket are in the same Alibaba Cloud account, you only need to complete the cloud resource access authorization. For more information, see Cloud resource access authorization.

After the authorization is complete, the data shipping job (new version) uses the AliyunLogDefaultRole role to read data from the source Logstore and ship it to the destination OSS bucket. When you create the data shipping job (new version), enter the ARN of the AliyunLogDefaultRole role (for example, acs:ram::10****12:role/aliyunlogdefaultrole) in the OSS write RAM role and Logstore read RAM role fields. For information about how to obtain the ARN, see Obtain the ARN of the AliyunLogDefaultRole role.

Ship data across Alibaba Cloud accounts

If the Simple Log Service Logstore and the OSS bucket belong to different Alibaba Cloud accounts, for example, the Logstore belongs to Alibaba Cloud account A and the OSS bucket belongs to account B, you must perform the following configurations after you complete cloud resource access authorization for both accounts. For more information, see Cloud resource access authorization.

  1. Use Alibaba Cloud Account B to log on to the Resource Access Management (RAM) console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. Modify the trust policy of the AliyunLogDefaultRole role.

    1. On the Roles page, find the AliyunLogDefaultRole role and click the name of the role.

    2. On the Trust Policy tab, click Edit Trust Policy.

    3. Replace the content in the code editor with the following policy document and click Save trust policy document.

      Add ID of Alibaba Cloud Account A@log.aliyuncs.com to the Service element. Replace ID of Alibaba Cloud Account A with the actual ID. You can view the ID of your Alibaba Cloud account in the Account Center console.

      The following policy allows Alibaba Cloud Account A to obtain a temporary Security Token Service (STS) token to manage the cloud resources of Alibaba Cloud Account B:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ID of Alibaba Cloud Account A@log.aliyuncs.com",
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

    After the authorization is complete, the data shipping job (new version) uses the AliyunLogDefaultRole role from account A to read data from the source Logstore and the AliyunLogDefaultRole role from account B to ship data to the destination OSS bucket. When you create the data shipping job (new version), enter the ARN of the AliyunLogDefaultRole role from account B (for example, acs:ram::11****13:role/aliyunlogdefaultrole) in the OSS write RAM role field and the ARN of the AliyunLogDefaultRole role from account A (for example, acs:ram::10****12:role/aliyunlogdefaultrole) in the Logstore read RAM role field. For information about how to obtain the ARN, see Obtain the ARN of the AliyunLogDefaultRole role.
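
A check for the edited trust policy in account B, as an added example that is not part of the original documentation: it parses the policy JSON and reports any Service principal other than the two the documented policy contains, including a template placeholder that was never replaced. The function name, the finding strings, the sample account ID and the rule that an account ID consists only of digits are assumptions made for this example.

```python
import json

LOG_SERVICE = "log.aliyuncs.com"

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_text, source_account_id):
    """Return findings for account B's trust policy; source_account_id is account A."""
    expected = {LOG_SERVICE, f"{source_account_id}@{LOG_SERVICE}"}
    findings, seen = [], set()
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        # The documented policy trusts Service principals only.
        findings += [f"non-Service principal type: {k}" for k in principal if k != "Service"]
        for svc in _as_list(principal.get("Service")):
            seen.add(svc)
            account, _, service = svc.rpartition("@")
            if svc in expected:
                continue
            if "*" in svc:
                findings.append(f"wildcard principal: {svc}")
            elif service != LOG_SERVICE:
                findings.append(f"unexpected service trusted: {svc}")
            elif not account.isdigit():  # assumption: account IDs are numeric
                findings.append(f"placeholder not replaced: {svc}")
            else:
                findings.append(f"unexpected account trusted: {svc}")
    findings += [f"missing expected principal: {s}" for s in sorted(expected - seen)]
    return findings

# Constructed sample: made-up account A ID; template placeholder left in by mistake.
SAMPLE_ACCOUNT_A = "1000000000000012"
SAMPLE_POLICY = """{
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": ["ID of Alibaba Cloud Account A@log.aliyuncs.com", "log.aliyuncs.com"]}
  }],
  "Version": "1"
}"""

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_POLICY, SAMPLE_ACCOUNT_A):
        print(finding)
```

An empty result means the policy trusts exactly log.aliyuncs.com and account A's log service principal, which is what the procedure above configures.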

Obtain the ARN of the AliyunLogDefaultRole role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the AliyunLogDefaultRole role and click the name of the role.

  4. On the page that appears, obtain the ARN of the role in the Basic Information section.

    We recommend that you record the ARN. If you use a default role when you create a data shipping job to ship data to OSS, you must enter the ARN.