When a data shipping job of the new version is running to ship data to MaxCompute,
the data that is read from a source Logstore must be written to a MaxCompute table.
To meet the requirement, you can assign a default role to the data shipping job. This
topic describes how to grant permissions to a default role.
Prerequisites
If you are using a RAM user, make sure that the RAM user has the permissions to manage
RAM roles.
Ship data within an Alibaba Cloud account
If you manage Log Service and MaxCompute resources by using an Alibaba Cloud account,
you must use the account to authorize Log Service to access the required cloud service
resources on the Cloud Resource Access Authorization page. Then, you must use the Alibaba Cloud account to add the AliyunLogDefaultRole
role as a member to your MaxCompute workspace.
You can use the graphical user interface (GUI) or command-line interface (CLI) to
grant permissions to the RAM role.
Use the GUI to grant permissions to the RAM role
1. Modify the trust policy of the RAM role.
   - Log on to the RAM console.
   - In the left-side navigation pane, choose .
   - On the Roles page, find the AliyunLogDefaultRole role and click the name.
   - On the Trust Policy Management tab, click Edit Trust Policy.
   - In the Edit Trust Policy panel, replace the existing script in the editor with the following script, and then click OK.

     {
       "Statement": [
         {
           "Action": "sts:AssumeRole",
           "Effect": "Allow",
           "Principal": {
             "Service": [
               "log.aliyuncs.com",
               "dataworks.aliyuncs.com"
             ]
           }
         }
       ],
       "Version": "1"
     }

2. Add the RAM role as a workspace member.
   - Log on to the MaxCompute console.
   - In the upper-left corner of the page that appears, select a region.
   - On the Project management tab, find the MaxCompute project that you want to manage and click Member management in the Actions column.
   - On the User Management page, click Add Member.
   - In the Add Member dialog box, select the current logon account and the AliyunLogDefaultRole role, and then add the logon account and the AliyunLogDefaultRole role as prompted.
3. Grant the AliyunLogDefaultRole role the permissions to manage a MaxCompute table.
   - In the left-side navigation pane, click Maxcompute Management.
   - Set the MaxCompute Project selection parameter to Production Environment. Then, click Custom User Roles.
   - In the Custom User Roles list, find the role_project_admin role and click Manage Members in the Actions column.
   - In the Manage Members dialog box, select the current logon account and the AliyunLogDefaultRole role, and then add the logon account and the AliyunLogDefaultRole role as prompted.
   - In the Custom User Roles list, find the role_project_admin role and click Manage Permissions in the Actions column.
   - On the Table tab of the Role Authorization dialog box, click Add Table. Then, select the MaxCompute table to which you want to ship data and select Describe, Alter, and Update.

   Important: The preceding authorization takes effect only on the specified MaxCompute table. If you want to grant the AliyunLogDefaultRole role the permissions to manage all tables in the current MaxCompute project, you can grant the permissions of the admin role to the current logon account and the AliyunLogDefaultRole role. In the Custom User Roles list, find the admin role and click Manage Members in the Actions column. In the Manage Members dialog box, select the current logon account and the AliyunLogDefaultRole role, and then add the logon account and the AliyunLogDefaultRole role as prompted.
Use the CLI to grant permissions to the RAM role
1. Log on to the MaxCompute console.
2. In the upper-left corner of the page that appears, select a region.
3. On the Project management tab, find the project that you want to manage and click Data Development in the Actions column.
4. Create a workflow.
   - On the Scheduled Workflow page, choose .
   - In the Create Workflow dialog box, set the Workflow Name parameter and click Create.
5. Create a node.
   - On the Scheduled Workflow page, choose .
   - In the Create Node dialog box, set the Name and Path parameters, and then click Commit. You must set the Path parameter to the workflow that you created in Step 4.
6. In the editor of the node, run the required commands to complete the authorization.
The following list describes the commands.

- USE project-name;
  Specifies a MaxCompute project. You must specify the MaxCompute project that you specified when you created a data shipping job of the new version. For more information, see Create a data shipping job of the new version to ship data to MaxCompute.
- ADD USER RAM$****.aliyunid.com:`role/aliyunlogdefaultrole`;
  Adds the RAM role as a user to the MaxCompute project.
  - ****.aliyunid.com indicates the Alibaba Cloud account to which the MaxCompute project belongs. You can run the list users; command to view the corresponding Alibaba Cloud account.
  - aliyunlogdefaultrole indicates the name of the AliyunLogDefaultRole role. The name must be in lowercase.
- GRANT DESCRIBE, ALTER, UPDATE ON TABLE table-name TO user RAM$****.aliyunid.com:`role/aliyunlogdefaultrole`;
  Grants the RAM role the permissions to view, modify, and update the destination MaxCompute table.
  Note: The authorization applies only to the specified MaxCompute table. If you want to grant the RAM role the permissions to manage all tables in the current MaxCompute project, run the GRANT admin to user RAM$****.aliyunid.com:`role/aliyunlogdefaultrole`; command to complete the authorization.
- SHOW GRANTS FOR `RAM$****.aliyunid.com:role/aliyunlogdefaultrole`;
  Checks whether the authorization is successful.
If an output that is similar to the following example appears, the authorization is successful:

    Authorization Type: ACL
    [user/RAM$****.aliyunid.com:role/aliyunlogdefaultrole]
    A projects/default_project_****/tables/****: Describe | Alter | Update
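To confirm the GRANT step without reading the SHOW GRANTS output by eye, the following Python script (an added example; it is not part of this topic or of MaxCompute) parses output in the format shown above and reports which of the Describe, Alter, and Update privileges the role still lacks on the destination table. The sample output, account ID, project name, and table name are constructed placeholders in the shape of the example above; treating only lines that start with A as granted privileges is an assumption based on that example.

```python
import re

# Privileges this topic grants on the destination table.
REQUIRED_PRIVILEGES = {"Describe", "Alter", "Update"}

# Constructed sample in the shape of the SHOW GRANTS output quoted in this topic;
# the account ID, project name and table name are placeholders, not real values.
SAMPLE_OUTPUT = """\
Authorization Type: ACL
[user/RAM$1234567890123456.aliyunid.com:role/aliyunlogdefaultrole]
A projects/default_project_demo/tables/log_target: Describe | Alter | Update
"""

# Matches lines such as "A projects/<project>/tables/<table>: Describe | Alter".
# "A" is the marker seen on the granted line of the sample output; lines with any
# other prefix are ignored (assumption: only "A" lines record granted privileges).
GRANT_LINE_RE = re.compile(r"^A\s+(projects/[^\s:]+):\s*(.+)$")


def parse_show_grants(output):
    """Map each resource path in SHOW GRANTS output to its set of privileges."""
    grants = {}
    for line in output.splitlines():
        match = GRANT_LINE_RE.match(line.strip())
        if not match:
            continue
        resource, privileges = match.groups()
        grants.setdefault(resource, set()).update(
            p.strip() for p in privileges.split("|") if p.strip()
        )
    return grants


def missing_privileges(output, project, table, required=REQUIRED_PRIVILEGES):
    """Return the sorted list of required privileges the role lacks on the table."""
    resource = f"projects/{project}/tables/{table}"
    granted = parse_show_grants(output).get(resource, set())
    return sorted(set(required) - granted)


if __name__ == "__main__":
    # An empty list means Describe, Alter and Update are all granted.
    print(missing_privileges(SAMPLE_OUTPUT, "default_project_demo", "log_target"))  # []
```

Paste the real SHOW GRANTS output in place of SAMPLE_OUTPUT and pass the project and table names from the USE and GRANT commands; a non-empty result names exactly the privileges the GRANT command still has to add.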
The following errors may occur during the authorization process:
- If the FAILED: mismatched input error occurs during the authorization process, the current RAM user does not have the permissions to run commands such as ADD USER.
- If the FAILED: ODPS-0130013:Authorization exception - Authorization Failed [4003], You have NO privilege to do the PROJECT SECURITY OPERATION for {acs:odps:*:projects/xxxxxx/authorization/users}. Context ID:1111-11111-1111-1111-11111. error occurs during the authorization process, the current user does not have the permissions to manage MaxCompute projects or grant permissions to other users. For more information, see What do I do if I do not have the required permissions?
After you configure the settings, you can assign the AliyunLogDefaultRole role to a data shipping job of the new version to ship data to the destination MaxCompute table. If you create a data shipping job of the new version, set the Authorization of MaxCompute Write Permission parameter to Default Role.

Ship data across Alibaba Cloud accounts
If Log Service is activated for Alibaba Cloud Account A and MaxCompute is activated
for Alibaba Cloud Account B, you must use the two accounts to complete authorization
on the Cloud Resource Access Authorization page. Then, you must complete the following steps:
1. Modify the trust policy of the AliyunLogDefaultRole role that belongs to Alibaba Cloud Account B.
   - Log on to the RAM console by using Alibaba Cloud Account B.
   - In the left-side navigation pane, choose .
   - On the Roles page, find the AliyunLogDefaultRole role and click the name.
   - On the Trust Policy Management tab, click Edit Trust Policy.
   - In the Edit Trust Policy panel, modify the trust policy and click OK.
     In the Service element, add the entries "ID of Alibaba Cloud Account A@log.aliyuncs.com" and "dataworks.aliyuncs.com". Replace ID of Alibaba Cloud Account A with the actual ID of Alibaba Cloud Account A. You can view the ID of your Alibaba Cloud account in the Account Management console.
     The following policy allows Alibaba Cloud Account A to obtain a temporary STS token to manage the cloud resources of Alibaba Cloud Account B:

     {
       "Statement": [
         {
           "Action": "sts:AssumeRole",
           "Effect": "Allow",
           "Principal": {
             "Service": [
               "ID of Alibaba Cloud Account A@log.aliyuncs.com",
               "dataworks.aliyuncs.com",
               "log.aliyuncs.com"
             ]
           }
         }
       ],
       "Version": "1"
     }

2. Add the AliyunLogDefaultRole role of Alibaba Cloud Account B as a member to a MaxCompute workspace.
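Both trust policies in this topic (the same-account policy in the GUI procedure and the cross-account policy above) are small enough to check mechanically before you paste them into the Edit Trust Policy panel. The following Python script is an added example and is not part of this topic or of Alibaba Cloud's tooling: build_trust_policy() produces a policy document in the form shown here, and audit_trust_policy() flags anything that would widen the trust relationship beyond the services this topic names, such as a wildcard principal, an action other than sts:AssumeRole, a principal type other than Service, or an account ID that was not meant to be trusted. The account ID in the sample is constructed.

```python
import json
import re

# Services that this topic's trust policies name for the AliyunLogDefaultRole role.
EXPECTED_SERVICES = {"log.aliyuncs.com", "dataworks.aliyuncs.com"}

# "<account id>@log.aliyuncs.com" is the form this topic uses to let Log Service
# of another Alibaba Cloud account assume the role.
ACCOUNT_SERVICE_RE = re.compile(r"^(\d+)@log\.aliyuncs\.com$")


def build_trust_policy(trusting_account_ids=()):
    """Build the trust policy shown in this topic. With no account IDs this is the
    same-account policy; each ID adds an '<id>@log.aliyuncs.com' entry, which is
    the cross-account form."""
    services = [f"{uid}@log.aliyuncs.com" for uid in trusting_account_ids]
    services += sorted(EXPECTED_SERVICES)
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": services},
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, allowed_account_ids=()):
    """Return a list of findings for a role trust policy (dict or JSON string).
    An empty list means every Allow statement grants only sts:AssumeRole to the
    services named in this topic, plus Log Service of explicitly allowed accounts."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = {str(a) for a in allowed_account_ids}
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for action in actions:
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action!r}")
        principal = stmt.get("Principal")
        # A bare "*" (or anything that is not a map) would let any principal assume the role.
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal must be a Service map, got {principal!r}")
            continue
        for kind in principal:
            if kind != "Service":
                findings.append(f"statement {i}: unexpected principal type {kind!r}")
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else list(services)
        for svc in services:
            if svc in EXPECTED_SERVICES:
                continue
            match = ACCOUNT_SERVICE_RE.match(svc)
            if match and match.group(1) in allowed:
                continue
            findings.append(f"statement {i}: unexpected trusted service {svc!r}")
    return findings


if __name__ == "__main__":
    # Constructed account ID for demonstration; not a real Alibaba Cloud account.
    account_a = "1234567890123456"
    policy = build_trust_policy([account_a])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, [account_a]))  # findings: []
```

Run audit_trust_policy() against the policy you are about to save, passing only the account IDs that should be able to ship data into the project; any finding points at an entry that grants more than this topic requires.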
After you configure the settings, you can assign the AliyunLogDefaultRole role of Alibaba Cloud Account B to a data shipping job of the new version to ship data to the destination MaxCompute table. If you create a data shipping job of the new version, set the Authorization of MaxCompute Write Permission parameter to Custom Role and enter the Alibaba Cloud Resource Name (ARN) of the AliyunLogDefaultRole role. In this example, acs:ram::11**13:role/aliyunlogdefaultrole is used. For information about how to obtain the ARN of a RAM role, see View the basic information about a RAM role.
