All Products
Search
Document Center

Simple Log Service:Authorize a custom role to write to MaxCompute (same account)

Last Updated:Jun 21, 2026

When a data shipping job (new version) runs, it ships data from a Logstore to a MaxCompute table. You can authorize the data shipping job to assume a custom RAM role for this operation. This topic describes how to authorize a custom RAM role when your MaxCompute and Simple Log Service projects are in the same Alibaba Cloud account.

Prerequisites

  • If you use a RAM user, ensure that the user has permission to manage RAM roles.

  • Add your MaxCompute project as a MaxCompute data source in DataWorks. For more information, see Bind MaxCompute computing resources.

Procedure

After you grant a RAM role write permissions on MaxCompute, a data shipping job can assume the role to write data from a Logstore to the destination MaxCompute table. You can grant these permissions by adding the RAM role as a workspace member.

  1. Create a RAM role, for example, MaxComputeShipRole. For more information, see Create a RAM role for an Alibaba Cloud service.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  2. Modify the trust policy of the RAM role. For more information, see Modify the trust policy of a RAM role.

    Replace the existing trust policy with the following content.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "log.aliyuncs.com",
              "dataworks.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
  3. Add the RAM role as a workspace member.

    1. Log on to the DataWorks console.

    2. In the upper-left corner of the page, select a region.

    3. In the left-side navigation pane, click Workspace. On the Workspaces page, find the target workspace and click Manage in the Actions column.

    4. On the Workspace page, on the Workspace Members and Roles tab, click Add Member.

    5. In the Add Member dialog box, add the current logon account and the target RAM role.

      In the Batch Set Roles section, select Developer. For more information, see Authorize permissions to other users.

    6. Grant the RAM role permissions to manage the MaxCompute table.

      1. Log on to the MaxCompute console and select a region in the upper-left corner.

      2. In the left-side navigation pane, choose Workspace > Project Management. On the Project Management page, click Manage in the Actions column of the target project.image

      3. On the MaxCompute project management page, click Role Permissions.image.png

        If an error occurs, use your Alibaba Cloud account to add the current RAM user to the MaxCompute project. Find the admin role in the role list and click Manage Members. In the Manage Members dialog box, select the current RAM user and follow the on-screen instructions to add the user.image.png

      4. In the role list, find the role_project_admin role and click Manage Members.

      5. In the Member Management dialog box, add the current logon account and the target RAM role, such as MaxComputeShipRole.

      6. In the role list, find the role_project_admin role and click Edit Role.

      7. In the Edit Role dialog box, on the Table tab, select the target MaxCompute table and grant the Describe, Alter, and Update permissions.image.png

    Important

    The preceding steps grant permissions only on the specified MaxCompute table. If you want the RAM role to have permissions on all tables in the current MaxCompute project, you can grant the admin role to the current logon account and the target RAM role. To do this, click Manage Members for the Member Management role in the role list. In the Member Management dialog box, add the current logon account and the target RAM role.

  4. Create a MaxCompute data shipping job.

    After the authorization is complete, you can create a data shipping job (new version). In the configuration settings, set Write Permissions on MaxCompute to Custom Role, and then enter the Alibaba Cloud Resource Name (ARN) of the custom RAM role, such as acs:ram::10**12:role/maxcomputeshiprole. This allows the data shipping job to assume the custom RAM role and ship data to the MaxCompute table. For more information, see Create a MaxCompute data shipping job (new version).

FAQs