Simple Log Service lets you use the default role AliyunLogETLRole or a custom RAM role to create a scheduled SQL job. This topic shows you how to grant permissions to a custom RAM role to analyze logs in a source logstore and write data to a destination logstore.
Grant analysis permissions for the source logstore

- Log on to the RAM console using the Alibaba Cloud account that contains the source logstore, or as a RAM administrator for that account.
- Create a RAM role. For example, name the role QueryLogStoreRole. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

  Important: When creating a RAM role, set Principal Type to Cloud Service and Principal Name to Simple Log Service.

  Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com":

  ```json
  {
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "log.aliyuncs.com"
          ]
        }
      }
    ],
    "Version": "1"
  }
  ```

- Create a custom policy, such as QueryLogStorePolicy, to grant permissions for analyzing logs in the source logstore. For more information, see Create a custom policy in the JSON editor. On the JSON editor tab, replace the content in the policy editor with a policy for either exact match or fuzzy match authorization.

  Exact match authorization

  Replace {project-name} and {logstore-name} with your actual project and logstore names.

  Important: In a custom policy, the logstore resource type covers both logstores and metricstores, so this policy also applies if the source is a metricstore.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "log:PostProjectQuery"
        ],
        "Resource": [
          "acs:log:*:*:project/{project-name}/logstore/{logstore-name}"
        ],
        "Effect": "Allow"
      },
      {
        "Action": [
          "log:GetProjectQuery",
          "log:PutProjectQuery",
          "log:DeleteProjectQuery"
        ],
        "Resource": [
          "acs:log:*:*:project/{project-name}"
        ],
        "Effect": "Allow"
      }
    ]
  }
  ```

  Fuzzy match authorization

  For example, if your source projects are named log-project-dev-a, log-project-dev-b, and log-project-dev-c, and your source logstores are named website_a_log, website_b_log, and website_c_log, you can use fuzzy match authorization. Replace the project and logstore names in the policy based on your actual scenario.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "log:PostProjectQuery"
        ],
        "Resource": [
          "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log"
        ],
        "Effect": "Allow"
      },
      {
        "Action": [
          "log:GetProjectQuery",
          "log:PutProjectQuery",
          "log:DeleteProjectQuery"
        ],
        "Resource": [
          "acs:log:*:*:project/log-project-dev-*"
        ],
        "Effect": "Allow"
      }
    ]
  }
  ```

- Grant the custom policy QueryLogStorePolicy to the RAM role QueryLogStoreRole. For more information, see Manage permissions for a RAM role.

Next steps

- Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View a RAM role.
- When creating a scheduled SQL job, under SQL Execution Authorization, select Custom Role and enter the ARN of the QueryLogStoreRole RAM role. For more information, see Create a scheduled SQL job.
Grant write permissions for the destination logstore

- Log on to the RAM console using the Alibaba Cloud account that contains the destination logstore, or as a RAM administrator for that account.
- Create a RAM role. For example, name the role WriteLogStoreRole. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

  Important: When creating a RAM role, set Principal Type to Cloud Service and Principal Name to Simple Log Service.

  Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com":

  ```json
  {
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "log.aliyuncs.com"
          ]
        }
      }
    ],
    "Version": "1"
  }
  ```

- Create a custom policy, such as WriteLogStorePolicy, to grant permissions for writing data to the destination logstore. For more information, see Create a custom policy in the JSON editor. On the JSON editor tab, replace the content in the policy editor with a policy for either exact match or fuzzy match authorization.

  Exact match authorization

  Replace {project-name} and {logstore-name} with your actual project and logstore names.

  Important: In a custom policy, the logstore resource type covers both logstores and metricstores, so this policy also applies if the destination is a metricstore.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "log:PostLogStoreLogs",
          "log:PostProjectQuery"
        ],
        "Resource": "acs:log:*:*:project/{project-name}/logstore/{logstore-name}",
        "Effect": "Allow"
      }
    ]
  }
  ```

  Fuzzy match authorization

  For example, to match destination projects such as log-project-dev-a, log-project-dev-b, and log-project-dev-c, and logstores such as website_a_log_output, website_b_log_output, and website_c_log_output, you can use fuzzy match authorization. Modify the project and logstore names in the policy to fit your scenario.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "log:Post*",
          "log:BatchPost*"
        ],
        "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log_output",
        "Effect": "Allow"
      }
    ]
  }
  ```

- Attach the custom policy WriteLogStorePolicy to the RAM role WriteLogStoreRole. For more information, see Manage permissions for a RAM role.
- (Optional) If the source logstore and destination logstore belong to different Alibaba Cloud accounts, you must also modify the trust policy of the WriteLogStoreRole RAM role.

  - In the RAM role list, click the RAM role WriteLogStoreRole.
  - On the Trust Policy tab, click Edit Trust Policy and replace the content in the editor with the following policy.

    Important: Replace {source-account-id} with the ID of the Alibaba Cloud account where the source logstore resides. You can find the account ID in the Account Center.

    ```json
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com",
              "{source-account-id}@log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
    ```

Next steps

- Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View a RAM role.
- When creating a scheduled SQL job, under Write Authorization, select Custom Role and enter the ARN of the WriteLogStoreRole RAM role. For more information, see Create a scheduled SQL job.
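As an added example (not part of this topic and not Simple Log Service or RAM code), the following Python check applies the `*` wildcard matching used by the policies in this topic to verify, before a job is created, that a source role grants exactly the four query permissions a scheduled SQL job needs and nothing broader such as write access, and that a trust policy names log.aliyuncs.com plus the cross-account principal. The project and logstore names, the region and the 18-digit account ID are constructed values.

```python
import json
import re

# Constructed sample policies modelled on this topic's fuzzy-match examples;
# the project/logstore names and the 18-digit account ID are made up.
SOURCE_POLICY = json.loads('''{"Version":"1","Statement":[
  {"Action":["log:PostProjectQuery"],
   "Resource":["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log"],"Effect":"Allow"},
  {"Action":["log:GetProjectQuery","log:PutProjectQuery","log:DeleteProjectQuery"],
   "Resource":["acs:log:*:*:project/log-project-dev-*"],"Effect":"Allow"}]}''')
TRUST_POLICY = json.loads('''{"Version":"1","Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",
  "Principal":{"Service":["log.aliyuncs.com","123456789012345678@log.aliyuncs.com"]}}]}''')

def _glob(pattern, value):
    # '*' is the only wildcard in these policies; everything else is matched literally.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement covers action and resource and no Deny statement does."""
    allowed = False
    for st in policy["Statement"]:
        if any(_glob(a, action) for a in _as_list(st["Action"])) and \
           any(_glob(r, resource) for r in _as_list(st["Resource"])):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def missing_source_permissions(policy, project, logstore,
                               region="cn-hangzhou", account="123456789012345678"):
    """List the grants the source role still lacks for a scheduled SQL job on project/logstore."""
    proj_arn = f"acs:log:{region}:{account}:project/{project}"
    needed = [("log:PostProjectQuery", f"{proj_arn}/logstore/{logstore}")] + [
        (a, proj_arn) for a in ("log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery")]
    return [f"{a} on {r}" for a, r in needed if not allows(policy, a, r)]

def trust_ok(trust_policy, source_account=None):
    """Check that Simple Log Service (and, cross-account, the source account's principal) may assume the role."""
    services = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]):
            services.update(_as_list(st.get("Principal", {}).get("Service", [])))
    wanted = {"log.aliyuncs.com"}
    if source_account:
        wanted.add(f"{source_account}@log.aliyuncs.com")
    return wanted <= services
```

The same `allows` check can be pointed at a WriteLogStorePolicy to confirm that `log:PostLogStoreLogs` is granted only on the intended `website_*_log_output` logstores.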