This topic describes how to authorize a RAM user to manage a data transformation task.

Background information

You can use your Alibaba Cloud account to authorize a RAM user to manage a data transformation task. The RAM user can then perform the following operations:
  • Create, delete, and modify a data transformation task.
  • Read data from the source Logstore to preview transformed data.
Note: An authorized RAM user manages a data transformation task by using the Log Service console. This authorization method is different from the one that you use when you create a data transformation task. The latter method uses the AccessKey pairs of a RAM user to manage a data transformation task. For more information, see Configure AccessKey pairs for RAM users to access source and destination Logstores.
You can authorize a RAM user to transform data in Log Service in one of the following modes:
  • Simple mode: In this mode, you can grant full access permissions on Log Service to the RAM user. You do not need to modify relevant parameters.
  • Custom mode: You can customize the authorization policy to grant only required permissions to the RAM user. This mode requires complex configurations but provides more precise control.

Simple mode

Use your Alibaba Cloud account to log on to the RAM console and attach the AliyunLogFullAccess policy to a RAM user. Then the RAM user has full access permissions on data in Log Service. For more information, see Authorize a RAM user to connect to Log Service.

Custom mode

  1. Log on to the RAM console.
  2. Create a permission policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Custom Policy page, set the parameters, and then click OK. The following table describes the parameters.
      Parameter | Description
      Policy Name | The name of the policy.
      Configuration Mode | Select Script.
      Policy Document | The content of the policy. Replace the content in the editor with the following script. In the script, replace <Project name> with the name of the Log Service project and <Logstore name> with the name of the source Logstore:
      {
          "Version":"1",
          "Statement":[
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:CreateLogStore",
                      "log:CreateIndex",
                      "log:UpdateIndex",
                      "log:Get*"
                  ],
                  "Resource":"acs:log:*:*:project/<Project name>/logstore/internal-etl-log"
              },
              {
                  "Action":[
                      "log:List*"
                  ],
                  "Resource":"acs:log:*:*:project/<Project name>/logstore/*",
                  "Effect":"Allow"
              },
              {
                  "Action":[
                      "log:Get*",
                      "log:List*"
                  ],
                  "Resource":[
                      "acs:log:*:*:project/<Project name>/logstore/<Logstore name>"
                  ],
                  "Effect":"Allow"
              },
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:GetDashboard",
                      "log:CreateDashboard",
                      "log:UpdateDashboard"
                  ],
                  "Resource":"acs:log:*:*:project/<Project name>/dashboard/internal-etl-insight"
              },
              {
                  "Effect":"Allow",
                  "Action":"log:CreateDashboard",
                  "Resource":"acs:log:*:*:project/<Project name>/dashboard/*"
              },
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:*"
                  ],
                  "Resource":"acs:log:*:*:project/<Project name>/job/*"
              },
              {
                  "Effect":"Allow",
                  "Action":[
                      "log:*"
                  ],
                  "Resource":"acs:log:*:*:project/<Project name>/jobschedule/*"
              }
          ]
      }
  3. Create a RAM user. For more information, see Create a RAM user.
  4. Authorize the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Grants page, find the RAM user, and click Add Permission in the Actions column.
    3. In the Select Policy section, select Custom Policy. In the Authorization Policy Name list, select the policy that you created in step 2, and then click OK.
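Before you attach the custom policy, you can confirm that the filled-in script grants only what you expect. The following Python sketch is an added example, not Alibaba Cloud code: it renders the policy from step 2 for a given project and Logstore, then checks sample requests against it. The names my-project and my-source, the sample ARNs, and the name pattern are constructed assumptions, and the evaluation is simplified (Allow statements and `*` wildcards only, no Deny or Condition).

```python
import json
import re

# (actions, resource path) pairs taken from the policy document in step 2.
GRANTS = [
    (["log:CreateLogStore", "log:CreateIndex", "log:UpdateIndex", "log:Get*"],
     "logstore/internal-etl-log"),
    (["log:List*"], "logstore/*"),
    (["log:Get*", "log:List*"], "logstore/{logstore}"),
    (["log:GetDashboard", "log:CreateDashboard", "log:UpdateDashboard"],
     "dashboard/internal-etl-insight"),
    (["log:CreateDashboard"], "dashboard/*"),
    (["log:*"], "job/*"),
    (["log:*"], "jobschedule/*"),
]
# Assumption: a conservative name check that rejects wildcards and path separators.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")

def build_policy(project, logstore):
    """Return the custom policy with both placeholders filled in."""
    for name in (project, logstore):
        if not NAME_RE.match(name):
            raise ValueError(f"refusing name {name!r}: it could widen the policy scope")
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": actions,
         "Resource": f"acs:log:*:*:project/{project}/" + path.format(logstore=logstore)}
        for actions, path in GRANTS]}

def _match(pattern, value):
    # '*' matches any run of characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Simplified check: Allow statements only, no Deny or Condition handling."""
    return any(
        any(_match(a, action) for a in st["Action"]) and _match(st["Resource"], resource)
        for st in policy["Statement"] if st["Effect"] == "Allow")

if __name__ == "__main__":
    policy = build_policy("my-project", "my-source")  # constructed sample names
    print(json.dumps(policy, indent=4))
    base = "acs:log:cn-hangzhou:1234567890123456:project/my-project/logstore/"
    for action, res in [("log:GetLogStoreLogs", base + "my-source"),     # read source
                        ("log:PostLogStoreLogs", base + "my-source"),    # write source
                        ("log:GetLogStoreLogs", base + "other-store")]:  # read another
        print(f"{action:22} {res.rsplit('/', 1)[1]:12} allowed={is_allowed(policy, action, res)}")
```

The last loop shows that the policy lets the RAM user read the source Logstore but not write to it or read other Logstores in the project.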