Simple Log Service: Build a service to upload logs from mobile apps to Simple Log Service

Last Updated: Apr 19, 2025

With the rapid development of mobile Internet technologies, mobile apps are now used to upload data. You can upload the logs of mobile apps directly to Simple Log Service. In the following sections, this type of upload is referred to as direct data transfer. This topic describes how to build a direct data transfer service that uploads the logs of mobile apps to Simple Log Service.

Background information

  • If you want to upload logs from a mobile app to Simple Log Service in normal mode, you must enable the AccessKey pair of your Alibaba Cloud account for authentication and tamper proofing. In this mode, you must store the AccessKey pair of your Alibaba Cloud account in the mobile app. This may cause the AccessKey pair to be leaked. If your AccessKey pair is leaked, the security of cloud services within your Alibaba Cloud account is threatened.

  • You can also use app servers to transfer data. In this case, app servers need to process all mobile data, which increases the load of the app servers.

  • To avoid the preceding issues, Alibaba Cloud provides a more secure and convenient solution to collect logs from mobile apps. You can use a Resource Access Management (RAM) role to obtain a Security Token Service (STS) token, which is valid for a custom period of time and defines the required access permissions. You can use the STS token to directly upload the logs of a mobile app to a Simple Log Service Logstore.

Solution overview

  1. A mobile app sends a request to obtain an STS token from your app server.

  2. Your app server checks the validity of the request based on actual conditions such as the logon status and the symmetric encryption result. If the request passes the check, your app server uses the AccessKey pair of the RAM user that is created in advance as the access credential to call the AssumeRole operation of STS and authorize the RAM user to assume the specified RAM role.

  3. STS checks the validity of the AccessKey pair and verifies whether the RAM user has permissions to assume the specified RAM role. If the AccessKey pair passes the check and the RAM user passes the verification, STS returns a token to your app server.

  4. After your app server obtains the STS token, it returns the STS token to the mobile app.

  5. After the mobile app obtains the STS token, it uses the STS token to access Simple Log Service.

  6. Simple Log Service checks the validity of the STS token by using RAM or STS and verifies whether the specified RAM role has the permissions to access the specified Logstore. If the STS token passes the check and the RAM role passes the verification, Simple Log Service processes the upload request from the mobile app and returns the upload result to the mobile app.

Terms

| Node | Description |
| --- | --- |
| Android or iOS app | The mobile app of the user from which logs are collected. |
| Simple Log Service | Simple Log Service, which stores the logs uploaded from the mobile app. |
| RAM/STS | RAM or STS of Alibaba Cloud, which generates STS tokens. You can use RAM and STS to manage user identities and access to resources. |
| App server | The service that is used to obtain a temporary access credential and provides the metadata for the data that is uploaded from the mobile app. |

Step 1: Create a project and a Logstore in Simple Log Service

  1. Log on to the Simple Log Service console.

  2. Create a project. In this example, a project named slstestproject is created.

  3. Create a Logstore. In this example, a Logstore named slstestlogstore is created.

Step 2: Create a RAM user and authorize the RAM user to assume a RAM role

  1. Create a RAM user. In this example, a RAM user named ramslsuser is created. After the RAM user is created, the system automatically generates an AccessKey pair for the RAM user. We recommend that you record the AccessKey pair and keep the AccessKey pair secure.

  2. Authorize the RAM user to call the AssumeRole operation of STS.

    a. On the Users page, find the RAM user that you want to manage and click Add Permissions in the Actions column.

    b. In the Grant Permission panel, select the AliyunSTSAssumeRoleAccess system policy and click Grant permissions.

Step 3: Create a RAM role and authorize the RAM role to access resources

A RAM role is a virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity. The trusted entity can be a RAM user, an Alibaba Cloud service, or an identity provider (IdP). If a trusted entity assumes a RAM role, the trusted entity can obtain and use an STS token of the RAM role to access the resources on which the RAM role has permissions.

  1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account. The following table describes the parameters related to a sample RAM role.

    | Parameter | Description |
    | --- | --- |
    | Principal Type | Select Cloud Account. |
    | Principal Name | Select Current Account (UID). |
    | Role Name | The name of the RAM role. Example: ramslsrole. |

  2. After the RAM role is created, find the ramslsrole role on the Roles page and click the name of the RAM role. Then, view and record the Alibaba Cloud Resource Name (ARN) of the RAM role.

  3. Create a custom policy on the JSON tab. For more information, see Create custom policies. The following table describes the parameters related to a sample custom policy.

    | Parameter | Description |
    | --- | --- |
    | Name | The name of the custom policy. Example: putlogspolicy. |
    | Description | The remarks. |

    Policy Document

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:PostLogStoreLogs",
            "log:PutLogs"
          ],
          "Resource": "acs:log:*:*:project/slstestproject/*",
          "Effect": "Allow"
        }
      ]
    }
  4. Attach the custom policy to the RAM role. On the Roles page, find the ramslsrole role and click Grant Permission in the Actions column.


Step 4: Build an app server

Sample programs in multiple programming languages are provided. You can download the programs for PHP, Java, Ruby, and Node.js.

  1. Configuration file

    In the following example, each program package contains a file named config.json. The file contains the configuration information of the app server. You can modify the config.json file to modify configurations.

    {
        "AccessKeyID" : "",
        "AccessKeySecret" : "",
        "RoleArn" : "",
        "TokenExpireTime" : "900",
        "PolicyFile": "policy/write_policy.txt"
    }
                                

    | Parameter | Description |
    | --- | --- |
    | AccessKeyID | The AccessKey ID of the RAM user. Do not use the AccessKey ID of your Alibaba Cloud account. For more information about how to create a RAM user, see Create a RAM user and grant permissions to the RAM user. |
    | AccessKeySecret | The AccessKey secret of the RAM user. Do not use the AccessKey secret of your Alibaba Cloud account. For more information about how to create a RAM user, see Create a RAM user and grant permissions to the RAM user. |
    | RoleArn | The ARN of the RAM role. For more information about how to create a RAM role, see Create a RAM role and attach the required policies to the role. |
    | TokenExpireTime | The validity period of the token that is obtained by the mobile app. Minimum value: 900. Unit: seconds. You can retain the default value. |
    | PolicyFile | The file that describes the permissions of the token. You can retain the default value. |

    The following files are most commonly used to describe the permissions of a token. The files are stored in the policy directory. You can also configure a file based on your business requirements.

    • write_policy.txt: A token is granted the write permissions on the projects within an Alibaba Cloud account. When you use the write_policy.txt file, replace the project names in the file based on your business requirements.

    • readonly_policy.txt: A token is granted the read permissions on the projects within an Alibaba Cloud account.

    The permissions of a token are the intersection of the permissions of the RAM role and the permissions described in the files. If you do not configure a file that describes the permissions of a token, the permissions of the RAM role are used as the permissions of the token.

  2. Sample code

    For Java 1.7 or later, create a Java project after you download and decompress a program package. Copy the required dependency, code, and configurations to the project. Then, run the main function. By default, the program listens on port 7080 and waits for HTTP requests. You can perform the preceding operations for programs in a different language.
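
The intersection rule stated for PolicyFile under Configuration file can be checked with a small evaluator. The following is an added example, not code from the sample program packages. It uses the role policy from Step 3; the session policy, the account ID, and all function names are constructed for illustration, and the evaluator is a simplified model (wildcards and Allow/Deny only, no Condition).

```javascript
// Simplified model of RAM policy evaluation (assumption): "*" wildcards in
// Action and Resource, explicit Deny wins, Condition blocks are not modeled.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function matches(patterns, value) {
  return [].concat(patterns).some((p) => globToRegExp(p).test(value));
}

// True if the policy has a matching Allow statement and no matching Deny.
function policyAllows(policy, action, resource) {
  const hits = policy.Statement.filter(
    (s) => matches(s.Action, action) && matches(s.Resource, resource)
  );
  return hits.some((s) => s.Effect === "Allow") && !hits.some((s) => s.Effect === "Deny");
}

// A token may do only what BOTH policies allow. A null session policy (no
// PolicyFile configured) leaves the role policy as the only limit.
function tokenAllows(rolePolicy, sessionPolicy, action, resource) {
  if (!policyAllows(rolePolicy, action, resource)) return false;
  return sessionPolicy === null || policyAllows(sessionPolicy, action, resource);
}

// Role policy from Step 3 of this page (putlogspolicy).
const rolePolicy = {
  Version: "1",
  Statement: [{
    Action: ["log:PostLogStoreLogs", "log:PutLogs"],
    Resource: "acs:log:*:*:project/slstestproject/*",
    Effect: "Allow",
  }],
};

// Constructed session policy: one Logstore only, plus a read action the role lacks.
const sessionPolicy = {
  Version: "1",
  Statement: [{
    Action: ["log:PostLogStoreLogs", "log:GetLogStoreLogs"],
    Resource: "acs:log:*:*:project/slstestproject/logstore/slstestlogstore",
    Effect: "Allow",
  }],
};

const base = "acs:log:cn-hangzhou:1234567890:project/slstestproject/logstore/"; // constructed account ID
console.log(tokenAllows(rolePolicy, sessionPolicy, "log:PostLogStoreLogs", base + "slstestlogstore"));
console.log(tokenAllows(rolePolicy, sessionPolicy, "log:GetLogStoreLogs", base + "slstestlogstore"));
```

The session policy narrows the token to one Logstore, and the read action it lists is still refused because the role policy does not grant it.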

Step 5: Use direct data transfer to upload logs from a mobile app to Simple Log Service

Obtain an STS token

Initiate an HTTP request to access port 7080 of the app server and obtain an STS token. Sample response:

{
  "StatusCode":"200",
  "AccessKeyId":"STS.3pdgagd****",
  "AccessKeySecret":"rpnwO9wr34tGdrddgsR2Y****",
  "SecurityToken":"CAES+wMIARKAAZhjH0EUOIhJMQBMjR****tZGVtbzI=",
  "Expiration":"2021-11-20T08:23:15Z"
}                          
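
Before the mobile app hands these values to the SDK, it should confirm that the response is complete and that the token is not about to expire. The following is an added example, not part of the original page or the sample programs. The function names, the 60-second clock-skew margin, and the 5-minute refresh margin are assumptions, and the sample reply is constructed.

```javascript
// Field names follow the sample response on this page; function names and
// the time margins are assumptions made for this example.
const REQUIRED = ["AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"];

// Turn the app server's reply into SDK options; reject malformed or stale tokens.
function parseStsResponse(body, nowMs = Date.now(), skewMs = 60 * 1000) {
  const r = JSON.parse(body);
  if (r.StatusCode !== "200") throw new Error("app server returned " + r.StatusCode);
  for (const f of REQUIRED) {
    if (typeof r[f] !== "string" || r[f] === "") throw new Error("missing field " + f);
  }
  const expiresAt = Date.parse(r.Expiration);
  if (Number.isNaN(expiresAt)) throw new Error("unparseable Expiration");
  if (expiresAt - skewMs <= nowMs) throw new Error("token expired or about to expire");
  return {
    accessKeyId: r.AccessKeyId,
    secretAccessKey: r.AccessKeySecret,
    securityToken: r.SecurityToken,
    expiresAt,
  };
}

// Ask the app server for a new token once less than refreshAheadMs remains.
function needsRefresh(creds, nowMs = Date.now(), refreshAheadMs = 5 * 60 * 1000) {
  return creds === null || creds.expiresAt - nowMs < refreshAheadMs;
}

// Form that is safe to write to app logs: no secret and no security token.
function redact(creds) {
  return { accessKeyId: creds.accessKeyId, expiresAt: new Date(creds.expiresAt).toISOString() };
}

// Constructed reply in the shape of the sample response (values are placeholders).
const sampleBody = JSON.stringify({
  StatusCode: "200",
  AccessKeyId: "STS.EXAMPLEID",
  AccessKeySecret: "example-secret",
  SecurityToken: "example-token",
  Expiration: "2021-11-20T08:23:15Z",
});

const at = Date.parse("2021-11-20T08:10:00Z"); // constructed "current time"
const creds = parseStsResponse(sampleBody, at);
console.log(redact(creds), "refresh now?", needsRefresh(creds, at));
```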

Directly upload logs from a mobile app to Simple Log Service

The following code provides an example on how to use an STS token to directly upload logs from a mobile app to Simple Log Service:

const ALY = require("aliyun-sdk");

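const sls = new ALY.SLS({
  // Use the AccessKeyId, AccessKeySecret, and SecurityToken values from the
  // app server's STS response, not a long-term AccessKey pair.
  accessKeyId: "Your temporary accessKeyId",
  secretAccessKey: "Your temporary accessKeySecret",
  securityToken: "Your sts token",
  endpoint: "http://cn-hangzhou.log.aliyuncs.com",
});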

// -------------------------------
// put logs
// -------------------------------
const projectName = "your_project_name";
const logStoreName = "your_logstore";

const logGroup = {
  logs: [
    {
      time: Math.floor(new Date().getTime() / 1000),
      contents: [
        {
          key: "a",
          value: "1",
        },
        {
          key: "a",
          value: "2",
        },
        {
          key: "a",
          value: "3",
        },
      ],
    },
  ],
  topic: "vv",
  source: "127.0.0.1",
};

sls.putLogs(
  {
    // The following fields are required.
    projectName: projectName,
    logStoreName: logStoreName,
    logGroup: logGroup,
  },
  function (err, data) {
    if (err) {
      console.log("error:", err);
      return;
    }

    console.log("success:", data);
  }
);