Before you can use the data shipping feature of the new version to ship data to Object Storage Service (OSS), you must obtain the permissions to manage data shipping jobs and access the required data.
If you use an Alibaba Cloud account, you must grant data shipping jobs the permissions to access data.
If you use a RAM user, you must grant the RAM user the permissions to ship data to OSS and grant data shipping jobs the permissions to access data.
Important: To ensure the security of your cloud resources, we recommend that you use a RAM user.
Grant the permissions to ship data to OSS
The permissions to ship data to OSS include the permissions to create, delete, modify, and view data shipping jobs.
Alibaba Cloud account: An Alibaba Cloud account has the permissions that are specified by the AliyunLogFullAccess policy to manage all Simple Log Service resources. You do not need to grant your Alibaba Cloud account the permissions to ship data to OSS.
RAM user: Before you can use a RAM user to ship data to OSS, you must use the Alibaba Cloud account to which the RAM user belongs to grant the required permissions to the RAM user. For more information, see Authorize a RAM user to ship data to OSS.
Grant data shipping jobs the permissions to access data
Data access is required when a data shipping job reads data from a source Logstore and writes data to a destination OSS bucket. You can use a default role or a custom role to grant data shipping jobs the permissions to access the required data.
Default role: You can assign the AliyunLogDefaultRole system role to a data shipping job to read data from the source Logstore and write the data to the destination OSS bucket.
The AliyunLogDefaultRole system role has the permissions to read data from Logstores and write the data to OSS buckets. For more information, see Access data by using a default role.
Custom role: You can assign a custom role to a data shipping job to read data from the source Logstore and write the data to the destination OSS bucket.
You must use an Alibaba Cloud account to grant the custom role the permissions to read data from the Logstore and write the data to the OSS bucket. For more information, see Access data within an Alibaba Cloud account by using a custom RAM role and Access data across Alibaba Cloud accounts by using a custom RAM role.
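The following added example (not code from this documentation) audits a custom role before you assign it to a data shipping job: it checks that only Simple Log Service can assume the role and that the role can read only the source Logstore and write only to the destination OSS bucket. The trusted service name, the action names, the resource formats, and the project, Logstore and bucket names are assumptions that do not appear on this page; confirm them against the custom RAM role topics referenced above.

```python
# Added example: audits a custom role for a data shipping job (constructed data).
# Assumptions not stated on this page: the trusted service name, the action
# names and the resource formats. Check them against the linked topics.
TRUSTED_SERVICE = "log.aliyuncs.com"
READ_ACTIONS = {"log:GetCursorOrData", "log:ListShards"}
WRITE_ACTIONS = {"oss:PutObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_shipping_role(trust, policy, project, logstore, bucket):
    """Return findings; an empty list means the role is scoped to this one job."""
    findings = []
    # Only Simple Log Service should be able to assume the role.
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        if set(principal) != {"Service"} or _as_list(principal["Service"]) != [TRUSTED_SERVICE]:
            findings.append("trust policy admits principals other than " + TRUSTED_SERVICE)
    want_log = f"acs:log:*:*:project/{project}/logstore/{logstore}"
    want_oss = f"acs:oss:*:*:{bucket}/*"
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st["Action"]))
        extra = actions - READ_ACTIONS - WRITE_ACTIONS
        if extra:
            findings.append(f"actions beyond read-and-ship: {sorted(extra)}")
        # A resource is in scope only if it matches the kind of action granted.
        allowed = set()
        if actions & READ_ACTIONS:
            allowed.add(want_log)
        if actions & WRITE_ACTIONS:
            allowed.add(want_oss)
        for res in _as_list(st["Resource"]):
            if res not in allowed:
                findings.append(f"resource outside the job's scope: {res}")
    return findings

# Constructed sample documents (hypothetical project, Logstore and bucket names).
TRUST = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["log.aliyuncs.com"]}}]}
SCOPED = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:GetCursorOrData", "log:ListShards"],
     "Resource": "acs:log:*:*:project/demo-project/logstore/app-logs"},
    {"Effect": "Allow", "Action": "oss:PutObject",
     "Resource": "acs:oss:*:*:demo-archive/*"}]}
BROAD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:*", "oss:*"], "Resource": "*"}]}
```

Calling `audit_shipping_role(TRUST, SCOPED, "demo-project", "app-logs", "demo-archive")` returns no findings, while the `BROAD` policy is flagged for both its wildcard actions and its wildcard resource.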