All Products
Search
Document Center

Simple Log Service:Authorize a RAM user to manage MaxCompute delivery tasks

Last Updated:Jun 16, 2026

Before a RAM user or RAM role can use the MaxCompute delivery feature (new version), you must grant the required permissions to manage delivery tasks.

Prerequisites

A RAM user has been created. For more information, see Create a RAM user.

Procedure

  1. Create a custom policy in the RAM console. For more information, see Create a custom policy in the script editor.

    On the Script Editor tab, replace the content in the editor with the following script.

    Important

    Replace ProjectName and LogstoreName in the script with your actual project and Logstore names.

    If you want to use a RAM user to configure alerts for MaxCompute delivery tasks, you must also grant the RAM user permissions to manage alerts. For more information, see Authorize a RAM user to manage alerts.

    {
        "Version": "1",
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "log:GetLogStore",
                    "log:GetIndex",
                    "log:GetLogStoreHistogram",
                    "log:GetLogStoreLogs"
                ],
                "Resource": [
                    "acs:log:*:*:project/ProjectName/logstore/LogstoreName",
                    "acs:log:*:*:project/ProjectName/logstore/internal-diagnostic_log"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:CreateJob",
                    "log:UpdateJob",
                    "log:DeleteJob",
                    "log:ListJobs",
                    "log:GetJob"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/job/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "log:ListLogStores",
                    "log:ListDashboard",
                    "log:ListSavedSearch"
                ],
                "Resource": "acs:log:*:*:project/ProjectName/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ram:PassRole",
                    "ram:GetRole",
                    "ram:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }
  2. Attach the custom policy to the RAM user. For more information, see Manage RAM user permissions.