In the new version of data shipping job, data from a logstore must be written to a MaxCompute table. You can authorize the job to assume a custom RAM role for this. This guide explains how to authorize the custom RAM role when both the MaxCompute project and Simple Log Service project belong to the same Alibaba Cloud account.
Prerequisites
If you use a Resource Access Management (RAM) user, make sure that the RAM user has permissions to manage RAM roles.
A MaxCompute project is added to the required DataWorks workspace as the data source. For more information, see Add a MaxCompute data source.
Procedure
After you authorize a RAM role to write data to MaxCompute, a MaxCompute data shipping job can assume the RAM role to write the data of a logstore to a MaxCompute table. To complete the authorization, you must add the RAM role as a workspace member.
Create a RAM role, such as
MaxComputeShipRole.ImportantWhen creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.
Check the trust policy of the RAM role. Make sure that the
Serviceelement contains at least"log.aliyuncs.com".{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "log.aliyuncs.com" ] } } ], "Version": "1" }
Modify the trust policy of a RAM role.
Replace the original trust policy with the following content.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "log.aliyuncs.com", "dataworks.aliyuncs.com" ] } } ], "Version": "1" }Add the RAM role as a workspace member.
Log on to the DataWorks console.
In the upper-left corner of the page that appears, select a region.
In the left-side navigation pane, click Workspace. On the Workspaces page, click Manage in the Actions column of the target workspace.
On the Workspace Settings page, click Workspace Members and Roles, then click Add Members.
In the Add Members dialog box, select the current logon account and the target RAM role, and follow the page instructions to complete the addition.
In this step, set Batch Set Roles to Deploy. For more information, see Grant permissions to a RAM user.
Grant the RAM role the permissions to manage a MaxCompute table.
Log on to the MaxCompute console and select a region in the upper-left corner.
Choose . On the Projects page, click Manage in the Actions column of the target project.
On the MaxCompute project settings page, click Role Permissions.
If the following error occurs, you need to add the current logon RAM account to the target MaxCompute project under the Alibaba Cloud account. First, click Manage Members for the admin role in the role list. Then, in the Manage Members dialog box, select the current logon RAM account and follow the page instructions to complete the addition.
In the role list, click Manage Members corresponding to the role_project_admin role.
In the Member Management dialog box, select the current logon account and the target RAM role account, such as
MaxComputeShipRole, and add them as prompted.In the role list, click Edit Role for the role_project_admin role.
On the Table tab of the Edit Role dialog box, select the target MaxCompute table, and select Describe, Alter, and Update.
ImportantThe preceding authorization procedure applies only to the specified MaxCompute table. If you want to authorize a RAM role to manage all tables in the current MaxCompute project, grant the permissions of the admin role to the current logon account and the RAM role. In the role list, click Manage Members for the admin role. Then, in the Manage Members dialog box, select the current logon account and the RAM role, and follow the page instructions to complete the addition.
Create a MaxCompute data shipping job.
When you create a data shipping job of the new version, set Authorization of MaxCompute Write Permission to Custom Role, then enter the Alibaba Cloud Resource Name (ARN) of the custom RAM role, such as
acs:ram::10**12:role/maxcomputeshiprole. This authorizes the job to assume the custom RAM role to ship data to the MaxCompute table. For more information, see Create a data shipping job of the new version to ship data to MaxCompute.