All Products
Search

This Product

    Simple Log Service:Authorize a RAM user to ship data to OSS

    Document Center

    Simple Log Service:Authorize a RAM user to ship data to OSS

    Last Updated:Sep 03, 2024

    Before you can use a Resource Access Management (RAM) user to use the data shipping feature of the new version to ship data to Object Storage Service (OSS), you must complete authorization. This topic describes how to authorize a RAM user to ship data to OSS.

    Prerequisites

    A RAM user is created. For more information, see Create a RAM user.

    Procedure

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. Create a policy.

      1. In the left-side navigation pane, choose Permissions > Policies.

      2. On the Policies page, click Create Policy.

      3. On the Create Policy page, click the JSON tab, replace the existing script in the code editor with the following policy document, and then click Next to edit policy information.

        Replace ProjectName and LogstoreName in the following script with actual values.

        Important

        If you want to use a RAM user to configure alerts for OSS data shipping jobs, you must authorize the RAM user to manage alerts. For more information, see Authorize a RAM user to manage alerts. 

        {
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "log:GetLogStore",
      "log:GetIndex",
      "log:GetLogStoreHistogram",
      "log:GetLogStoreLogs"
    ],
    "Resource": [
      "acs:log:*:*:project/ProjectName/logstore/LogstoreName",
      "acs:log:*:*:project/ProjectName/logstore/internal-diagnostic_log"
    ]
  },
    {
      "Effect": "Allow",
      "Action": [
        "log:CreateJob",
        "log:UpdateJob",
        "log:DeleteJob",
        "log:ListJobs",
        "log:GetJob"
      ],
      "Resource": "acs:log:*:*:project/ProjectName/job/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores",
        "log:ListDashboard",
        "log:ListSavedSearch"
      ],
      "Resource": "acs:log:*:*:project/ProjectName/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:PassRole",
        "ram:GetRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

      4. Configure the Name parameter and click OK.

    3. Grant permissions to the RAM user.

      1. In the left-side navigation pane, choose Identities > Users.

      2. On the Users page, find the RAM user to which you want to attach the custom policy and click Add Permissions in the Actions column.

      3. In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permission.