When you ship log data from a Simple Log Service logstore to MaxCompute, you must use a default role or custom role to read the log data from the logstore. This topic describes how to authorize a default role or custom role to read log data from a Simple Log Service logstore.
Authorize a default role to read log data
Procedure
Log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user.
Click Resource Access Authorization to complete the authorization.
NoteIf the Alibaba Cloud account does not have the default role
AliyunLogDefaultRole, the role is created the first time the RAM user clicks the link.Simple Log Service assumes the
AliyunLogDefaultRolerole to access your resources in other cloud products.For more information about the access policy of the default role
AliyunLogDefaultRole, see AliyunLogDefaultRole.
What to do next
By default, the AliyunLogDefaultRole role has the permissions to read log data from all logstores within the Alibaba Cloud account.
When you create a MaxCompute data shipping job, set the Read Permissions on Simple Log Service parameter to Default Role. For more information, see Create a MaxCompute data shipping job (new version). 
Authorize a custom role to read log data
Procedure
After you authorize a RAM role to read log data from a logstore, you can assign the RAM role to a MaxCompute data shipping job to allow the job to read log data from the logstore.
Log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user.
Create a RAM role to be assumed by the Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
ImportantWhen creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.
Check the trust policy of the RAM role. Make sure that the
Serviceelement contains at least"log.aliyuncs.com".{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "log.aliyuncs.com" ] } } ], "Version": "1" }
Create a custom policy to grant permission to read data from the Logstore.
You can use either exact match authorization or wildcard match authorization.
Exact match
On the Create Policy page, click the JSON Editor tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy.
ImportantReplace
Project nameandLogstore namein the policy document based on your business requirements.{ "Version":"1", "Statement":[ { "Action":[ "log:GetCursorOrData", "log:ListShards" ], "Resource":[ "acs:log:*:*:project/your-project-name/logstore/your-logstore-name" ], "Effect":"Allow" } ] }Wildcard match
On the Create Policy page, click the JSON Editor tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy.
ImportantFor example, use wildcard match authorization if you have multiple projects and Logstores with similar names, such as
log-project-dev-aandlog-project-dev-b, orwebsite_a_logandwebsite_b_log.In the policy, replace
log-project-dev-*andwebsite_*_log*to match your project and Logstore names.
{ "Version":"1", "Statement":[ { "Action":[ "log:GetCursorOrData", "log:ListShards" ], "Resource":[ "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*" ], "Effect":"Allow" } ] }Attach the created custom policy to the RAM role. For more information, see Manage a RAM role's permissions.
What to do next
After you authorize a RAM role to read log data from a logstore, you can assign the RAM role to a MaxCompute data shipping job to allow the job to read log data from the logstore. When you create a MaxCompute data shipping job, set the Read Permissions on Simple Log Service parameter to Custom Role. For more information, see Create a MaxCompute data shipping job (new version).
