All Products
Search
Document Center

Simple Log Service:Authorize a RAM role to read log data from a logstore

Last Updated:Apr 02, 2026

When you ship log data from a Simple Log Service logstore to MaxCompute, you must use a default role or custom role to read the log data from the logstore. This topic describes how to authorize a default role or custom role to read log data from a Simple Log Service logstore.

Authorize a default role to read log data

Procedure

  1. Log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user.

  2. Click Resource Access Authorization to complete the authorization.

    Note
    • If the Alibaba Cloud account does not have the default role AliyunLogDefaultRole, the role is created the first time the RAM user clicks the link.

    • Simple Log Service assumes the AliyunLogDefaultRole role to access your resources in other cloud products.

    • For more information about the access policy of the default role AliyunLogDefaultRole, see AliyunLogDefaultRole.

What to do next

By default, the AliyunLogDefaultRole role has the permissions to read log data from all logstores within the Alibaba Cloud account.

When you create a MaxCompute data shipping job, set the Read Permissions on Simple Log Service parameter to Default Role. For more information, see Create a MaxCompute data shipping job (new version). 角色标识

Authorize a custom role to read log data

Procedure

After you authorize a RAM role to read log data from a logstore, you can assign the RAM role to a MaxCompute data shipping job to allow the job to read log data from the logstore.

  1. Log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user.

  2. Create a RAM role to be assumed by the Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  3. Create a custom policy to grant permission to read data from the Logstore.

    You can use either exact match authorization or wildcard match authorization.

    Exact match

    On the Create Policy page, click the JSON Editor tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy.

    Important

    Replace Project name and Logstore name in the policy document based on your business requirements.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:GetCursorOrData",
                    "log:ListShards"
                ],
                "Resource":[
                    "acs:log:*:*:project/your-project-name/logstore/your-logstore-name"
                ],
                "Effect":"Allow"
            }
        ]
    }

    Wildcard match

    On the Create Policy page, click the JSON Editor tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy.

    Important
    • For example, use wildcard match authorization if you have multiple projects and Logstores with similar names, such as log-project-dev-a and log-project-dev-b, or website_a_log and website_b_log.

    • In the policy, replace log-project-dev-* and website_*_log* to match your project and Logstore names.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:GetCursorOrData",
                    "log:ListShards"
                ],
                "Resource":[
                    "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
                ],
                "Effect":"Allow"
            }
        ]
    }
  4. Attach the created custom policy to the RAM role. For more information, see Manage a RAM role's permissions.

What to do next

After you authorize a RAM role to read log data from a logstore, you can assign the RAM role to a MaxCompute data shipping job to allow the job to read log data from the logstore. When you create a MaxCompute data shipping job, set the Read Permissions on Simple Log Service parameter to Custom Role. For more information, see Create a MaxCompute data shipping job (new version).

image