When a data shipping job of the new version ships data to MaxCompute, the job must
read data from a source Logstore. To grant this access, you can assign a custom role
to the data shipping job. This topic describes how to grant permissions to a custom
role.
Prerequisites
A Resource Access Management (RAM) role named MaxcomputeShipRole is created. For more
information, see Create a RAM role.
Procedure
After you grant a RAM role the permissions to read data from a Logstore, you can assign
the RAM role to a data shipping job to read data from the Logstore.
- Log on to the RAM console.
- Create a policy that specifies the permissions to read data from a Logstore.
  - In the left-side navigation pane, choose .
  - On the Policies page, click Create Policy.
  - On the Create Policy page, click the JSON tab, replace the existing script in the editor with the following script, and then click Next: Edit Basic Information.
    - Policy that uses exact names to match resources
      You can replace the names with the actual names of your projects and Logstores.
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:GetCursorOrData",
              "log:ListShards"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name/logstore/Logstore name/*"
            ],
            "Effect": "Allow"
          }
        ]
      }
    - Policy that uses wildcard characters to match resources
      In this example, the names of the projects are log-project-dev-a, log-project-dev-b,
      and log-project-dev-c. The names of the Logstores are website_a_log, website_b_log,
      and website_c_log. You can replace the names with the actual names of your projects
      and Logstores.
      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "log:GetCursorOrData",
              "log:ListShards"
            ],
            "Resource": [
              "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
            ],
            "Effect": "Allow"
          }
        ]
      }
  - Configure the Name parameter and click OK.
    For example, set the policy name to log-maxcompute-export-source-policy.
- Attach the policy to the RAM role.
  - In the left-side navigation pane, choose .
  - Find the RAM role to which you want to attach the policy and click Add Permissions in the Actions column.
  - Click Custom Policy in the Select Policy section, select the policy that you created in step 2, and then click OK. In this example, the log-maxcompute-export-source-policy policy is selected.
  - Confirm the authorization result and click Complete.
After you configure the settings, you can assign the custom RAM role to a data shipping
job of the new version to read data from the source Logstore. If you create a data
shipping job of the new version, set the Authorization of MaxCompute Write Permission
parameter to Custom Role and enter the Alibaba Cloud Resource Name (ARN) of the custom
RAM role. In this example, acs:ram::10****12:role/maxcomputeshiprole is used. For
information about how to obtain the ARN of a RAM role, see View the information about
a RAM role.
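Before you attach the wildcard policy shown in the procedure, it helps to check which Logstores it actually lets the role read. The following script is an added example, not part of the original topic or of any Alibaba Cloud tool. It assumes that `*` in a Resource string matches any run of characters, and the inventory, region, account ID, and the `/x` sub-resource suffix are constructed placeholders.

```python
import json
import re

# Actions the page grants to the shipping role; anything beyond these is flagged.
EXPECTED_ACTIONS = {"log:GetCursorOrData", "log:ListShards"}

# The wildcard policy from this page.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Action": ["log:GetCursorOrData", "log:ListShards"],
    "Resource": ["acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"],
    "Effect": "Allow"
  }]
}""")

# Constructed inventory of (project, Logstore) names, for illustration only.
INVENTORY = [
    ("log-project-dev-a", "website_a_log"),
    ("log-project-dev-b", "website_b_log"),
    ("log-project-dev-a", "website_a_log_archive"),  # caught by the trailing '*'
    ("log-project-dev-a", "audit_log"),
    ("log-project-prod-a", "website_a_log"),
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def to_regex(pattern):
    # Assumption: '*' matches any run of characters; all other characters are literal.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def review(policy, inventory, region="cn-hangzhou", account="1234567890123456"):
    """Return (actions outside EXPECTED_ACTIONS, sorted readable (project, Logstore) pairs)."""
    extra, readable = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        extra |= set(as_list(stmt["Action"])) - EXPECTED_ACTIONS
        regexes = [to_regex(res) for res in as_list(stmt["Resource"])]
        for project, logstore in inventory:
            # "/x" is a placeholder for whatever sub-resource follows the Logstore name.
            arn = f"acs:log:{region}:{account}:project/{project}/logstore/{logstore}/x"
            if any(rx.fullmatch(arn) for rx in regexes):
                readable.add((project, logstore))
    return extra, sorted(readable)

if __name__ == "__main__":
    extra, readable = review(POLICY, INVENTORY)
    print("unexpected actions:", sorted(extra) or "none")
    for project, logstore in readable:
        print("readable:", project, logstore)
```

With this inventory, the trailing `*` in `website_*_log*` also grants read access to `website_a_log_archive`. If that is not intended, use the exact-name form of the policy.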
