Author: Yan Fang
The data processing feature of Log Service repeats the following operations while a task is running:
- Read data from the source LogStore
- Process the source data to produce the result data
- Write the result data to the target LogStore
Because the first and third steps involve access to a LogStore:
- You can use the main account's AccessKey. This needs no additional permission configuration and the process is simple, so it is not described here
- For account security, we strongly recommend using sub-accounts configured with fine-grained permissions, as detailed below
Please sign in to the RAM console to configure the sub-accounts and permissions.
- Create a sub-account for reading the source LogStore
Perform this step with the main account that owns the source Project.
Save the sub-account's AccessKey ID / Secret for later use.
- Configure read permissions on the source LogStore
Perform this step with the main account that owns the source Project.
- Example 1: exact authorization
Source: Project (log-project-prod), LogStore (access_log)
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-prod/logstore/access_log",
        "acs:log:*:*:project/log-project-prod/logstore/access_log/*"
      ],
      "Effect": "Allow"
    }
  ]
}
- Example 2: fuzzy-matching authorization
Source: Project (log-project-dev-a, log-project-dev-b, log-project-dev-c, etc.), LogStore (app_a_log, app_b_log, app_c_log, etc.)
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetConsumerGroupCheckPoint",
        "log:UpdateConsumerGroup",
        "log:ConsumerGroupHeartBeat",
        "log:ConsumerGroupUpdateCheckPoint",
        "log:ListConsumerGroup",
        "log:CreateConsumerGroup"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log",
        "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log/*"
      ],
      "Effect": "Allow"
    }
  ]
}
For more authorization scenarios, refer to the document.
- Grant the source read permission to the sub-account that reads the source
Perform this step with the main account that owns the source Project.
- Create a sub-account for writing to the target LogStore
Perform this step with the main account that owns the target Project, in the same way as in step 1.
Save the sub-account's AccessKey ID / Secret for later use.
- Configure write permissions on the target LogStore
Perform this step with the main account that owns the target Project, in the same way as in step 2.
- Example 1: exact authorization
Target: Project (log-project-prod), LogStore (access_log_output)
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*"
      ],
      "Resource": "acs:log:*:*:project/log-project-prod/logstore/access_log_output",
      "Effect": "Allow"
    }
  ]
}
- Example 2: fuzzy-matching authorization
Target: Project (log-project-dev-a, log-project-dev-b, log-project-dev-c, etc.), LogStore (app_a_log_output, app_b_log_output, app_c_log_output, etc.)
Policy content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:Post*"
      ],
      "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/app_*_log_output",
      "Effect": "Allow"
    }
  ]
}
For more authorization scenarios, refer to the document.
- Grant the target write permission to the sub-account that writes to the target
Perform this step with the main account that owns the target Project, in the same way as in step 4.
- Use the sub-account AccessKeys for data processing
Log in to the Log Service console with the account that owns the source Project. Fill in the AccessKey ID / Secret of the step 1 sub-account in the upper box, and the AccessKey ID / Secret of the step 4 sub-account in the lower box.
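To check what the fuzzy-matching policies above actually permit, the following added example (not part of the original article and not Alibaba Cloud code) evaluates them against concrete resource names. It assumes `*` matches any run of characters and ignores Deny statements and Condition blocks; the region, account ID, `log-project-dev-billing` and `app_pay_log` are constructed sample values, and `log:PostLogStoreLogs` stands for a write action covered by `log:Post*`.

```python
import re

# Policies copied from the fuzzy-matching examples on this page.
DEV = "acs:log:*:*:project/log-project-dev-*/logstore/"
FUZZY_READ = {"Version": "1", "Statement": [{
    "Action": ["log:ListShards", "log:GetCursorOrData",
               "log:GetConsumerGroupCheckPoint", "log:UpdateConsumerGroup",
               "log:ConsumerGroupHeartBeat", "log:ConsumerGroupUpdateCheckPoint",
               "log:ListConsumerGroup", "log:CreateConsumerGroup"],
    "Resource": [DEV + "app_*_log", DEV + "app_*_log/*"],
    "Effect": "Allow"}]}
FUZZY_WRITE = {"Version": "1", "Statement": [{
    "Action": ["log:Post*"], "Effect": "Allow",
    "Resource": DEV + "app_*_log_output"}]}

def _glob(pattern, value):
    # Assumption: '*' matches any run of characters; all else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    # Simplified model: only Allow statements; no Deny or Condition handling.
    return any(
        stmt.get("Effect") == "Allow"
        and any(_glob(a, action) for a in _as_list(stmt["Action"]))
        and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        for stmt in policy["Statement"])

def arn(project, logstore):
    # Constructed region and account ID, standing in for a real request.
    return f"acs:log:cn-hangzhou:1234567890:project/{project}/logstore/{logstore}"

def audit():
    read, write = "log:GetCursorOrData", "log:PostLogStoreLogs"
    src = arn("log-project-dev-a", "app_a_log")
    dst = arn("log-project-dev-a", "app_a_log_output")
    other = arn("log-project-dev-billing", "app_pay_log")  # constructed names
    return {
        "reader_reads_source": is_allowed(FUZZY_READ, read, src),
        "reader_reads_target": is_allowed(FUZZY_READ, read, dst),
        "writer_writes_target": is_allowed(FUZZY_WRITE, write, dst),
        "writer_writes_source": is_allowed(FUZZY_WRITE, write, src),
        "reader_reads_other_dev_project": is_allowed(FUZZY_READ, read, other),
    }

if __name__ == "__main__":
    print(audit())
```

The read and write sub-accounts stay separated, but the last entry shows that the wildcard also covers any later Project whose name starts with `log-project-dev-`; use the exact authorization form where that is not intended.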