This topic describes how to grant a Resource Access Management (RAM) user the permissions to manage a data transformation job.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Background information
You can use your Alibaba Cloud account to grant a RAM user the permissions to manage a data transformation job. A RAM user that has these permissions can perform the following operations:
Create, delete, and modify a data transformation job.
Read data from a source Logstore to preview the results of a data transformation job.
In this topic, a RAM user is granted only the permissions to manage a data transformation job in the Simple Log Service console. The permissions that are granted to a RAM user to manage a data transformation job are different from the permissions that are granted to the data transformation job to access the data in a Logstore during the runtime of the job. If you want to use the AccessKey pair of a RAM user to manage a data transformation job and access the data in a Logstore during the runtime of the job, you must combine the policy document used in this topic with the policy document used for AccessKey pair-based data access. For more information, see Access data by using AccessKey pairs.
You can use one of the following policies to grant a RAM user the permissions to manage a data transformation job in the Simple Log Service console:
System policy: The permission scope is broad. You cannot modify the content of the system policy, but the configuration steps are simple.
Custom policy: The permission scope is finer-grained. You can modify the content of the custom policy, but the configuration steps are more complex than those of the system policy.
System policy
Log on to the RAM console by using your Alibaba Cloud account or as a RAM administrator.
Grant the RAM user the read-only permission (AliyunLogReadOnlyAccess) or the management permission (AliyunLogFullAccess) on Simple Log Service. For more information, see Grant permissions to a RAM user.
Custom policy
Log on to the RAM console by using your Alibaba Cloud account or as a RAM user who has administrative rights.
Create a custom policy. On the JSON tab, replace the existing contents in the editor with the following script. For more information, see Create a custom policy in script edit mode.
Important: Replace ProjectName and LogstoreName in the script based on your actual situation. If you want to use the AccessKey pair of a RAM user to read data from and write data to a Logstore during data transformation, you must grant both the following policy document and the policy document that covers the read and write permissions on the Logstore. For more information, see Access data by using AccessKey pairs.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:CreateLogStore",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:Get*"
            ],
            "Resource": "acs:log:*:*:project/ProjectName/logstore/internal-etl-log"
        },
        {
            "Action": [
                "log:List*"
            ],
            "Resource": "acs:log:*:*:project/ProjectName/logstore/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:Get*",
                "log:List*"
            ],
            "Resource": [
                "acs:log:*:*:project/ProjectName/logstore/LogstoreName"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:GetDashboard",
                "log:CreateDashboard",
                "log:UpdateDashboard"
            ],
            "Resource": "acs:log:*:*:project/ProjectName/dashboard/internal-etl-insight*"
        },
        {
            "Effect": "Allow",
            "Action": "log:CreateDashboard",
            "Resource": "acs:log:*:*:project/ProjectName/dashboard/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "log:*"
            ],
            "Resource": "acs:log:*:*:project/ProjectName/job/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:PassRole",
                "ram:GetRole",
                "ram:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}
Add the created custom policy to the RAM user. For more information, see Grant permissions to a RAM user.
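As an added check before you attach the policy (example code written for this page, not part of the Simple Log Service documentation or SDK): the script below fills the two placeholders and then evaluates the custom policy above against constructed requests with a simplified RAM matcher (wildcards in Action and Resource, explicit Deny wins, default deny, no Condition support). The project, Logstore, account ID, region and role names are made up, and log:CreateJob is assumed to be one of the actions covered by log:* on the job resource.

```python
import json
import re

# The custom policy from this page, with its two placeholders still in place.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex", "log:Get*"],
     "Resource": "acs:log:*:*:project/ProjectName/logstore/internal-etl-log"},
    {"Action": ["log:List*"], "Resource": "acs:log:*:*:project/ProjectName/logstore/*", "Effect": "Allow"},
    {"Action": ["log:Get*", "log:List*"], "Resource": ["acs:log:*:*:project/ProjectName/logstore/LogstoreName"],
     "Effect": "Allow"},
    {"Effect": "Allow", "Action": ["log:GetDashboard", "log:CreateDashboard", "log:UpdateDashboard"],
     "Resource": "acs:log:*:*:project/ProjectName/dashboard/internal-etl-insight*"},
    {"Effect": "Allow", "Action": "log:CreateDashboard", "Resource": "acs:log:*:*:project/ProjectName/dashboard/*"},
    {"Effect": "Allow", "Action": ["log:*"], "Resource": "acs:log:*:*:project/ProjectName/job/*"},
    {"Effect": "Allow", "Action": ["ram:PassRole", "ram:GetRole", "ram:ListRoles"], "Resource": "*"},
]}

def render(policy, project, logstore):  # fill the two placeholders the page tells you to replace by hand
    text = json.dumps(policy).replace("ProjectName", project).replace("LogstoreName", logstore)
    return json.loads(text)

def _wild(pattern, value):
    # RAM treats "*" as a wildcard in Action and Resource; everything else is matched literally.
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None

_as_list = lambda v: v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    # Simplified RAM evaluation: explicit Deny wins, any matching Allow grants, otherwise deny.
    allowed = False
    for st in policy["Statement"]:
        if any(_wild(a, action) for a in _as_list(st["Action"])) and \
           any(_wild(r, resource) for r in _as_list(st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(project, logstore, account="123456789012", region="cn-hangzhou"):
    # Probe the rendered policy with constructed ARNs (account ID and region are made up).
    p = render(POLICY, project, logstore)
    proj = f"acs:log:{region}:{account}:project/{project}"
    return {
        "manage_jobs": is_allowed(p, "log:CreateJob", f"{proj}/job/etl-1"),
        "preview_source": is_allowed(p, "log:GetLogs", f"{proj}/logstore/{logstore}"),
        "delete_source": is_allowed(p, "log:DeleteLogStore", f"{proj}/logstore/{logstore}"),
        "other_project": is_allowed(p, "log:GetLogs", f"acs:log:{region}:{account}:project/other/logstore/{logstore}"),
        # Resource "*" on ram:PassRole: the user may pass any role, not only the transformation role.
        "pass_unrelated_role": is_allowed(p, "ram:PassRole", f"acs:ram::{account}:role/unrelated-role"),
    }
```

The last probe is the one to look at when tightening the policy: scoping the ram:PassRole statement to the ARN of the role the transformation job actually assumes keeps the rest of the policy unchanged.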