Simple Log Service: Read data from a Logstore by using a custom role

Last Updated: Jun 17, 2024

When a data shipping job of the new version ships data to MaxCompute, the job must read data from a source Logstore. You can assign a custom role to the data shipping job to give it this access. This topic describes how to grant the required permissions to a custom role.

Prerequisites

A Resource Access Management (RAM) role named MaxcomputeShipRole is created. For more information, see Create a RAM role.

Note that the RAM role must meet the following requirements:

  • When you create the RAM role, select Alibaba Cloud Service as the trusted entity.

  • In the trust policy of the RAM role, the "Service" field must include "log.aliyuncs.com", as illustrated below.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }

Procedure

After you grant a RAM role the permissions to read data from a Logstore, you can assign the RAM role to a data shipping job to read data from the Logstore.

  1. Log on to the RAM console.

  2. Create a policy that grants the permissions to read data from a Logstore.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the JSON tab of the Create Policy page, replace the policy document in the code editor with one of the following scripts. Then, click Next to edit policy information.

      • Policy that uses exact match

        Replace Project name and Logstore name with the actual names of your project and Logstore.

        {
            "Version":"1",
            "Statement":[
                {
                    "Action":[
                        "log:GetCursorOrData",
                        "log:ListShards"
                    ],
                    "Resource":[
                        "acs:log:*:*:project/Project name/logstore/Logstore name/*"
                    ],
                    "Effect":"Allow"
                }
            ]
        }

      • Policy that uses fuzzy match

        In this example, the names of the projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c. The names of the Logstores are website_a_log, website_b_log, and website_c_log. You can replace the names with the actual names of your projects and Logstores.

        {
            "Version":"1",
            "Statement":[
                {
                    "Action":[
                        "log:GetCursorOrData",
                        "log:ListShards"
                    ],
                    "Resource":[
                        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
                    ],
                    "Effect":"Allow"
                }
            ]
        }

    4. Configure the Name parameter and click OK.

      In this example, set the policy name to log-maxcompute-export-source-policy.

  3. Attach the policy to the RAM role.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. Find the RAM role and click Grant Permission in the Actions column.

    3. Select the policy that you created in Step 2. In this example, select the log-maxcompute-export-source-policy policy.

    4. Confirm the authorization result. Then, click Grant permissions.

After you configure the settings, you can assign the custom RAM role to a data shipping job of the new version to read data from the source Logstore. When you create the data shipping job of the new version, set the Read Permissions on Simple Log Service parameter to Custom Role and enter the Alibaba Cloud Resource Name (ARN) of the custom RAM role. In this example, enter acs:ram::10****12:role/maxcomputeshiprole. For more information about how to obtain the ARN of a RAM role, see View the information about a RAM role.
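
Added example (not part of the original Simple Log Service documentation): a Python check that lists which Logstores in an inventory the fuzzy-match policy from step 2 makes readable, so that names outside the intended three can be spotted before the policy is attached to the role. It assumes that `*` in a Resource matches any run of characters; the region, the account ID and the last three inventory entries are constructed for illustration.

```python
import json
import re

# Fuzzy-match policy from the page.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Action": ["log:GetCursorOrData", "log:ListShards"],
    "Resource": ["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"],
    "Effect": "Allow"
  }]
}""")

# Constructed inventory of (project, Logstore) pairs. The first three are the
# names used on the page; the last three are hypothetical.
INVENTORY = [
    ("log-project-dev-a", "website_a_log"),
    ("log-project-dev-b", "website_b_log"),
    ("log-project-dev-c", "website_c_log"),
    ("log-project-dev-payments", "website_admin_log_archive"),
    ("log-project-prod-a", "website_a_log"),
    ("log-project-dev-a", "audit_log"),
]
INTENDED = set(INVENTORY[:3])


def pattern_to_regex(pattern):
    """Assumption: '*' matches any run of characters; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def readable(policy, inventory, region="cn-hangzhou", account="1234567890123456"):
    """Inventory entries whose Logstore ARN an Allow statement's Resource covers."""
    regexes = [pattern_to_regex(r) for s in policy["Statement"]
               if s["Effect"] == "Allow" for r in s["Resource"]]
    prefix = f"acs:log:{region}:{account}:project/"  # constructed region and account ID
    return [(proj, store) for proj, store in inventory
            if any(rx.match(f"{prefix}{proj}/logstore/{store}") for rx in regexes)]


def over_granted(policy, inventory, intended):
    """Entries the policy makes readable that were not meant to be."""
    return [entry for entry in readable(policy, inventory) if entry not in intended]


if __name__ == "__main__":
    for proj, store in over_granted(POLICY, INVENTORY, INTENDED):
        print(f"over-granted: {proj}/{store}")
```

If the check reports Logstores beyond the ones the shipping job needs, use the exact-match form of the policy or tighten the wildcards.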