Before a Resource Access Management (RAM) user can use the new version of the data shipping feature to ship data to Object Storage Service (OSS), you must grant the required permissions to the RAM user. This topic describes how to grant a RAM user the permissions to ship data to OSS.

Prerequisites

A RAM user is created. For more information, see Step 1: Create a RAM user.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Policy page, click the JSON tab, replace the existing script in the editor with the following script, and then click Next: Edit Basic Information.

      Replace the Project name and Logstore name placeholders in the script with the values for your business scenario.

      Notice: If you want to use a RAM user to configure alert rules for data shipping jobs, you must grant the RAM user the permissions to manage alerts. For more information, see Authorize a RAM user to manage alerts.
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStore",
              "log:GetIndex",
              "log:GetLogStoreHistogram",
              "log:GetLogStoreLogs"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name/logstore/Logstore name",
              "acs:log:*:*:project/Project name/logstore/internal-diagnostic_log"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateJob",
              "log:UpdateJob",
              "log:DeleteJob",
              "log:ListJobs",
              "log:GetJob"
            ],
            "Resource": "acs:log:*:*:project/Project name/job/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:ListLogStores",
              "log:ListDashboard",
              "log:ListSavedSearch"
            ],
            "Resource": "acs:log:*:*:project/Project name/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ram:PassRole",
              "ram:GetRole",
              "ram:ListRoles"
            ],
            "Resource": "*"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "audit.log.aliyuncs.com"
              }
            }
          }
        ]
      }
    4. Configure the Name parameter and click OK.
  3. Attach the policy to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
    3. Click Custom Policy in the Select Policy section, and then select the policy that you created in Step 2.
    4. Click OK.
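
The following Python sketch is an added example, not part of the original documentation. It fills in the two placeholders of the policy from Step 2 and lists what to review before you paste the JSON into the RAM console: placeholders left in place, and statements that apply to every resource without a condition. The names `build_policy`, `review`, and `SAFE_NAME`, and the sample project and Logstore names, are assumptions of this example; the name pattern is a conservative check, not the service's documented naming rule.

```python
import json
import re

# Conservative check chosen for this example (an assumption, not the service's
# naming rule): reject anything that could widen or re-scope the resource ARN.
SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]*$")

def build_policy(project, logstore):
    """Return the page's policy with both placeholders filled in."""
    for name in (project, logstore):
        if not SAFE_NAME.match(name):
            raise ValueError(f"unsafe name for a resource ARN: {name!r}")
    p = f"acs:log:*:*:project/{project}"
    def allow(actions, resource, **extra):
        return {"Effect": "Allow", "Action": actions, "Resource": resource, **extra}
    return {"Version": "1", "Statement": [
        allow(["log:GetLogStore", "log:GetIndex", "log:GetLogStoreHistogram",
               "log:GetLogStoreLogs"],
              [f"{p}/logstore/{logstore}", f"{p}/logstore/internal-diagnostic_log"]),
        allow(["log:CreateJob", "log:UpdateJob", "log:DeleteJob", "log:ListJobs",
               "log:GetJob"], f"{p}/job/*"),
        allow(["log:ListLogStores", "log:ListDashboard", "log:ListSavedSearch"],
              f"{p}/*"),
        allow(["ram:PassRole", "ram:GetRole", "ram:ListRoles"], "*"),
        allow("ram:CreateServiceLinkedRole", "*", Condition={
            "StringEquals": {"ram:ServiceName": "audit.log.aliyuncs.com"}}),
    ]}

def review(policy):
    """List points to check before pasting the JSON into the RAM console."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        act = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for r in res:
            if "Project name" in r or "Logstore name" in r:
                findings.append((i, "placeholder", r))  # script pasted unedited
        if "*" in res and "Condition" not in st:
            findings.append((i, "unscoped", ",".join(act)))  # account-wide grant
    return findings

if __name__ == "__main__":
    policy = build_policy("example-project", "example-logstore")  # constructed names
    print(json.dumps(policy, indent=2))
    for finding in review(policy):
        print("review:", finding)
```

For the policy on this page, `review` reports one statement: the `ram:PassRole`, `ram:GetRole`, and `ram:ListRoles` grant, which applies to `"Resource": "*"` with no condition.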