Access data using a custom role

更新时间:
复制 MD 格式

Simple Log Service supports default and custom roles for data transformation jobs. To use a custom role, grant it read and write permissions on the relevant logstores.

Prerequisites

A RAM role is created. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

Important
  • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

  • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

Grant read-only access to the source logstore

Grant the RAM role read access to the source logstore. Specify this role when you Create a data transformation job.

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. Create a custom policy. In this example, the log-etl-source-reader-policy policy is created. The policy grants the read-only permissions on a source logstore. For more information, see Use the JSON editor.

    On the JSON tab of the Create Policy page, you can use the policy document that uses exact match or fuzzy match for authorization to replace the existing script in the code editor.

    Exact match for authorization

    In this example, the source project name is log-project-prod, and the source logstore name is access_log. Replace the project and logstore names based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/log-project-prod/logstore/access_log",
            "acs:log:*:*:project/log-project-prod/logstore/access_log/*"
          ],
          "Effect": "Allow"
        }
      ]
    }

    Fuzzy match for authorization

    In this example, the source project names are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the source logstore names are app_a_log, app_b_log, and app_c_log. Replace the project and logstore names based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:ListShards",
            "log:GetCursorOrData",
            "log:GetConsumerGroupCheckPoint",
            "log:UpdateConsumerGroup",
            "log:ConsumerGroupHeartBeat",
            "log:ConsumerGroupUpdateCheckPoint",
            "log:ListConsumerGroup",
            "log:CreateConsumerGroup"
          ],
          "Resource": [
            "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log",
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  3. Attach the created custom policy to the RAM role. For more information, see Manage permissions for a RAM role.

Grant write permission to the destination logstore (same account)

If the source and destination logstores belong to the same Alibaba Cloud account, grant the RAM role write access to the destination logstore. Specify this role when you Create a data transformation job.

  1. Create a custom policy. In this example, the log-etl-target-writer-policy policy is created. The policy grants the permissions to write transformation results to a destination logstore. For more information, see Use the JSON editor.

    On the JSON tab of the Create Policy page, you can use the policy document that uses exact match or fuzzy match for authorization to replace the existing script in the code editor.

    Exact match for authorization

    In this example, the destination project name is log-project-prod, and the destination logstore name is access_log_output. Replace the project and logstore names based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*"
          ],
          "Resource": "acs:log:*:*:project/log-project-prod/logstore/access_log_output",
          "Effect": "Allow"
        }
      ]
    }

    Fuzzy match for authorization

    In this example, the destination project names are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the destination logstore names are app_a_log_output, app_b_log_output, and app_c_log_output. Replace the project and logstore names based on your business requirements.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*",
            "log:BatchPost*"
          ],
           "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log_output",
          "Effect": "Allow"
        }
      ]
    }
  2. Attach the created custom policy to the RAM role. For more information, see Manage permissions for a RAM role.

Grant write permission to the destination logstore (cross-account)

If the source and destination logstores belong to different Alibaba Cloud accounts, modify the trust policy of the destination account's RAM role to allow cross-account access. The following steps use Account A (source) and Account B (destination) as an example.

Important

Before you begin, grant the RAM role in Account B write access to the destination logstore as described in Grant write permission to the destination logstore (same account).

  1. Log on to the RAM console by using your Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. Find and click the target RAM role.

  4. On the Trust Policy tab, click Edit Trust Policy.

    Add the ID of Alibaba Cloud Account A to which the source logstore belongs to the Service field. Replace the ID of Alibaba Cloud Account A to which the source logstore belongs with the actual account ID from Account Management. This policy allows Account A to use a temporary SLS token to operate on Account B's resources.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "Alibaba Cloud account ID of Account A@log.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  5. Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View a RAM role.

Next steps

Specify the RAM role ARN when you Create a data transformation job.