In the new version of data shipping job, data from a logstore must be written to a MaxCompute table. You can authorize the job to assume a default role for this. This guide explains how to authorize the default role when both the MaxCompute project and Simple Log Service project belong to the same Alibaba Cloud account.
Prerequisites
If you use a Resource Access Management (RAM) user, make sure that the RAM user has permissions to manage RAM roles.
A MaxCompute project is added to the required DataWorks workspace as the data source. For more information, see Add a MaxCompute data source.
Procedure
If your Simple Log Service and MaxCompute belong to the same Alibaba Cloud account, click Cloud Resource Access Authorization to create the AliyunLogDefaultRole under the account. After the role is created, add the role as a workspace member.
Modify the trust policy of a RAM role.
Replace the original trust policy with the following content.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "log.aliyuncs.com", "dataworks.aliyuncs.com" ] } } ], "Version": "1" }Add the RAM role as a workspace member.
Log on to the DataWorks console.
In the upper-left corner of the page that appears, select a region.
In the left-side navigation pane, click Workspace.
On the Workspaces page, click Manage in the Actions column of the target workspace.
On the Workspace Settings page, click Workspace Members and Roles. Then, on the Workspace Members tab, click Add Members.
In the Add Members dialog box, select the current logon account and AliyunLogDefaultRole, and follow the page instructions to complete the addition.
In this step, set Batch Set Roles to Deploy. For more information, see Grant permissions to a RAM user.
Grant the AliyunLogDefaultRole role the permissions to manage MaxCompute tables.
Log on to the MaxCompute console and select a region in the upper-left corner.
Choose . On the Projects page, click Manage in the Actions column of the target project.
On the MaxCompute project settings page, click Role Permissions.
If the following error occurs, you need to add the current logon RAM account to the target MaxCompute project under the Alibaba Cloud account. First, click Manage Members for the admin role in the role list. Then, in the Manage Members dialog box, select the current logon RAM account and follow the page instructions to complete the addition.
In the role list, click Manage Members corresponding to the role_project_admin role.
In the Manage Members dialog box, select the current logon account and AliyunLogDefaultRole, and follow the page instructions to complete the addition.
In the role list, click Edit Role for the role_project_admin role.
On the Table tab of the Edit Role dialog box, select the target MaxCompute table, and select Describe, Alter, and Update.
ImportantThe preceding authorization procedure takes effect only on the specified MaxCompute table. If you want to authorize the AliyunLogDefaultRole to manage all tables in the current MaxCompute project, grant the permissions of the admin role to the current logon account and the AliyunLogDefaultRole. In the role list, click Manage Members for the admin role. Then, in the Manage Members dialog box, select the current logon account and the AliyunLogDefaultRole, and follow the page instructions to complete the addition.
Create a MaxCompute data shipping job.
When you create a data shipping job of the new version, set Authorization of MaxCompute Write Permission to Default Role. This authorizes the job to assume the AliyunLogDefaultRole to ship data to the MaxCompute table. For more information, see Create a data shipping job of the new version to ship data to MaxCompute.
