Simple Log Service: Grant a RAM user the permissions to manage a data transformation job

Last Updated: Sep 03, 2024

This topic describes how to grant a RAM user the permissions to manage a data transformation job.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

You can use your Alibaba Cloud account to grant a RAM user the permissions to manage a data transformation job. The permissions cover the following operations:

  • Create, delete, or modify a data transformation job.

  • Read the data in a source Logstore to preview the results of a data transformation job.

Important

An authorized RAM user can manage a data transformation job in the Simple Log Service console. The permissions that are granted to a RAM user to manage a data transformation job are different from the permissions that are granted to a data transformation job to access the data in a Logstore. The AccessKey pair of the current RAM user may be used to manage a data transformation job and access the data in a Logstore during the runtime of a data transformation job. In this case, you must combine the content of the permission policy in this topic with the content of the permission policy in Access data by using AccessKey pairs.

You can grant a RAM user the permissions to transform data in Simple Log Service by using one of the following modes:

  • Simple mode: You can grant all permissions on Simple Log Service to the RAM user. You do not need to configure parameters.

  • Custom mode: You can create custom policies and attach the policies to the RAM user. This mode allows you to perform fine-grained access control. However, the configurations in this mode are complex.

Simple mode

Log on to the RAM console with an Alibaba Cloud account. Then, attach the AliyunLogFullAccess and AliyunRAMFullAccess policies to the RAM user. This way, the RAM user has all permissions on Simple Log Service. For more information, see Grant permissions to RAM users.

Custom mode

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Create a policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.

      Replace Project name with the name of the project in which a data transformation job is created. Replace Logstore name with the name of the related Logstore.

      Note

      If you want to use the AccessKey pair of the current RAM user to read and write Logstore data, you must add the related policy to the following sample script. For more information, see Access data by using AccessKey pairs.

      {
          "Version":"1",
          "Statement":[
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:CreateLogStore",
                      "log:CreateIndex",
                      "log:UpdateIndex",
                      "log:Get*"
                  ],
                  "Resource":"acs:log:*:*:project/Project name/logstore/internal-etl-log"
              },
              {
                  "Action":[
                      "log:List*"
                  ],
                  "Resource":"acs:log:*:*:project/Project name/logstore/*",
                  "Effect":"Allow"
              },
              {
                  "Action":[
                      "log:Get*",
                      "log:List*"
                  ],
                  "Resource":[
                      "acs:log:*:*:project/Project name/logstore/Logstore name"
                  ],
                  "Effect":"Allow"
              },
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:GetDashboard",
                      "log:CreateDashboard",
                      "log:UpdateDashboard"
                  ],
                  "Resource":"acs:log:*:*:project/Project name/dashboard/internal-etl-insight*"
              },
              {
                  "Effect":"Allow",
                  "Action":"log:CreateDashboard",
                  "Resource":"acs:log:*:*:project/Project name/dashboard/*"
              },
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:*"
                  ],
                  "Resource":"acs:log:*:*:project/Project name/job/*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "ram:PassRole",
                      "ram:GetRole",
                      "ram:ListRoles"
                  ],
                  "Resource": "*"
              }
          ]
      }

    4. Configure the Name parameter and click OK.

      For example, you can set the Name parameter to log-sls-etl-policy.

  3. Grant permissions to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

    3. In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permission.
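
An added example, not part of the original documentation: a Python script that fills the two placeholders in the policy document from Step 2 and lists the statements a reviewer would check first, namely the ones whose Resource is not limited to the project or that allow every log action. The names render_policy, broad_grants and SAFE_NAME, the name check, and the sample project and Logstore names are assumptions; the rendered policy writes every Action as a list.

```python
import json
import re

# Statements from the policy on this page; {project} and {logstore} stand in
# for its "Project name" and "Logstore name" placeholders.
TEMPLATE = [
    (["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex", "log:Get*"],
     "acs:log:*:*:project/{project}/logstore/internal-etl-log"),
    (["log:List*"], "acs:log:*:*:project/{project}/logstore/*"),
    (["log:Get*", "log:List*"], "acs:log:*:*:project/{project}/logstore/{logstore}"),
    (["log:GetDashboard", "log:CreateDashboard", "log:UpdateDashboard"],
     "acs:log:*:*:project/{project}/dashboard/internal-etl-insight*"),
    (["log:CreateDashboard"], "acs:log:*:*:project/{project}/dashboard/*"),
    (["log:*"], "acs:log:*:*:project/{project}/job/*"),
    (["ram:PassRole", "ram:GetRole", "ram:ListRoles"], "*"),
]

# Assumed conservative name check (not the service's official naming rule):
# it rejects "*", "/", spaces and empty strings so a name cannot widen a Resource.
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")

def render_policy(project, logstore):
    """Fill the placeholders and return the policy document as a dict."""
    for label, value in (("project", project), ("logstore", logstore)):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError(f"{label} name {value!r} fails the name check")
    statements = [{"Effect": "Allow", "Action": actions,
                   "Resource": resource.format(project=project, logstore=logstore)}
                  for actions, resource in TEMPLATE]
    return {"Version": "1", "Statement": statements}

def broad_grants(policy, project):
    """List statements that reach beyond the project or allow every log action."""
    prefix = f"acs:log:*:*:project/{project}/"
    findings = []
    for st in policy["Statement"]:
        if not st["Resource"].startswith(prefix):
            findings.append((st["Action"], st["Resource"], "not limited to the project"))
        elif "log:*" in st["Action"]:
            findings.append((st["Action"], st["Resource"], "every log action allowed"))
    return findings

if __name__ == "__main__":
    policy = render_policy("example-project", "example-logstore")  # constructed names
    print(json.dumps(policy, indent=4))
    for actions, resource, why in broad_grants(policy, "example-project"):
        print(f"review: {actions} on {resource}: {why}")
```

The printed JSON can be pasted into the JSON tab in Step 2; the two review lines correspond to the job statement and the RAM role statement of the policy.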