When Scheduled SQL jobs run, the jobs execute SQL statements to analyze data in source Logstores, and then save the analysis results to destination Logstores or destination Metricstores. You can assign a Resource Access Management (RAM) role to a Scheduled SQL job to complete the preceding operations. If the source and destination Logstores belong to different Alibaba Cloud accounts, perform the steps that are described in this topic to grant permissions to the RAM role. You can specify Logstores or Metricstores when you configure Scheduled SQL jobs. This topic describes how to grant a RAM role the permissions to access Logstores across Alibaba Cloud accounts.
Prerequisites
RAM Role A is created in Alibaba Cloud Account A and RAM Role B is created in Alibaba Cloud Account B. For more information, see Step 1: Create a RAM role.
Step 1: Grant RAM Role A the permissions to analyze data in a source Logstore
After you grant RAM Role A the permissions to analyze data in a source Logstore that belongs to Alibaba Cloud Account A, a Scheduled SQL job can assume RAM Role A to perform SQL analysis on the data in the source Logstore.
Log on to the RAM console by using Alibaba Cloud Account A.
Create a policy that grants the permissions to analyze data in a source Logstore.
In the left-side navigation pane, choose .
Click Create Policy.
On the Create Policy page, click the JSON tab.
Replace the existing script in the code editor with one of the following policy documents.
Policy that uses exact names to match resources
In this example, the name of the source project is log-project-prod. The name of the source Logstore is website_log. You can replace the names with the actual names of your projects and Logstores.
ImportantWhen you create a policy, you can specify either a Logstore or a Metricstore after the logstore keyword. If you want to manage Metricstores, you can also refer to the following policy document to create a policy.
{ "Version":"1", "Statement":[ { "Action":[ "log:PostProjectQuery" ], "Resource":[ "acs:log:*:*:project/log-project-prod/logstore/website_log", "acs:log:*:*:project/log-project-prod/logstore/website_log/*" ], "Effect":"Allow" }, { "Action":[ "log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery" ], "Resource":[ "acs:log:*:*:project/log-project-prod" ], "Effect":"Allow" } ] }Policy that uses wildcard characters to match resources
In this example, the names of the source projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the source Logstores are website_a_log, website_b_log, and website_c_log. You can replace the names with the actual names of your projects and Logstores.
{ "Version":"1", "Statement":[ { "Action":[ "log:PostProjectQuery" ], "Resource":[ "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log", "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log/*" ], "Effect":"Allow" }, { "Action":[ "log:GetProjectQuery", "log:PutProjectQuery", "log:DeleteProjectQuery" ], "Resource":[ "acs:log:*:*:project/log-project-dev-*" ], "Effect":"Allow" } ] }
Click Next to edit policy information, configure the following parameters, and then click OK.
Parameter
Description
Name
Enter a name for the policy. Example: log-scheduled-sql-policy.
Description
Enter a description for the policy.
Grant permissions to RAM Role A.
In the left-side navigation pane, choose .
Find RAM Role A and click Grant Permission in the Actions column.
Click Custom Policy in the Select Policy section and select the policy that you created in Step 2. Then, click OK. In this example, the log-scheduled-sql-policy policy is selected.
Confirm the authorization result. Then, click Complete.
Obtain the Alibaba Cloud Resource Name (ARN) of RAM Role A.
Go to the details page of the RAM role and view the ARN of the role in the Basic Information section. Example: acs:ram::11****27:role/logsource. We recommend that you record the ARN. If you use a custom role when you create a Scheduled SQL job, you must enter the ARN.
Step 2: Grant RAM Role B the permissions to write data to a destination Logstore
After you grant RAM Role B the permissions to write data to a destination Logstore that belongs to Alibaba Cloud Account B, a Scheduled SQL job can assume RAM Role B to write SQL analysis results to the destination Logstore.
Log on to the RAM console by using Alibaba Cloud Account B.
Create a policy that grants the permissions to write data to a destination Logstore.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Replace the existing script in the code editor with one of the following policy documents.
Policy that uses exact names to match resources
In this example, the name of the destination project is log-project-prod. The name of the destination Logstore is website_log_output. You can replace the names with the actual names of your projects and Logstores.
ImportantWhen you create a policy, you can specify either a Logstore or a Metricstore after the logstore keyword. If you want to manage Metricstores, you can also refer to the following policy document to create a policy.
{ "Version": "1", "Statement": [ { "Action": [ "log:Post*", "log:BatchPost*" ], "Resource": "acs:log:*:*:project/log-project-prod/logstore/website_log_output", "Effect": "Allow" } ] }Policy that uses wildcard characters to match resources
In this example, the names of the destination projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the destination Logstores are website_a_log_output, website_b_log_output, and website_c_log_output. You can replace the names with the actual names of your projects and Logstores.
{ "Version": "1", "Statement": [ { "Action": [ "log:Post*", "log:BatchPost*" ], "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log_output", "Effect": "Allow" } ] }
Click Next to edit policy information, configure the following parameters, and then click OK.
Parameter
Description
Name
Enter a name for the policy. Example: log-sink-write-policy.
Description
Enter a description for the policy.
Grant permissions to RAM Role B.
In the left-side navigation pane, choose .
Find RAM Role B and click Grant Permission in the Actions column.
Click Custom Policy in the Select Policy section and select the policy that you created in Step 2. Then, click OK. In this example, the log-sink-write-policy policy is selected.
Confirm the authorization result. Then, click Complete.
Modify the trust policy of RAM Role B.
On the Roles page, click the name of RAM Role B.
On the Trust Policy tab, click Edit Trust Policy.
Modify the trust policy.
Add ID of Alibaba Cloud Account A to the Service element. Replace the ID based on your business scenario. You can view the ID of your Alibaba Cloud account in the Account Center console.
The following policy allows Alibaba Cloud Account A to obtain a temporary Security Token Service (STS) token to manage the cloud resources of Alibaba Cloud Account B:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "log.aliyuncs.com", "ID of Alibaba Cloud Account A@log.aliyuncs.com" ] } } ], "Version": "1" }Click Save trust policy document.
Obtain the ARN of RAM Role B.
Go to the details page of the RAM role and view the ARN of the role in the Basic Information section. Example: acs:ram::13****44:role/logtarget. We recommend that you record the ARN. If you use a custom role when you create a Scheduled SQL job, you must enter the ARN.