When you ship log data from a Simple Log Service logstore to MaxCompute, you must use a default role or custom role to read the log data from the logstore. This topic describes how to authorize a default role or custom role to read log data from a Simple Log Service logstore.
Authorize a default role to read log data
Procedure
Log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user.
Click Cloud Resource Access Authorization to complete the authorization.
Note: If the Alibaba Cloud account does not have the AliyunLogDefaultRole default role, the role is created the first time you click the link after the logon. Simple Log Service assumes the AliyunLogDefaultRole default role to access resources in other cloud services. For more information about the permissions of the AliyunLogDefaultRole default role, see AliyunLogDefaultRole.
What to do next
By default, the AliyunLogDefaultRole role has the permissions to read log data from all logstores within the Alibaba Cloud account.
When you create a MaxCompute data shipping job, set the Read Permissions on Simple Log Service parameter to Default Role. For more information, see Create a data shipping job of the new version to ship data to MaxCompute.
Authorize a custom role to read log data
Procedure
Log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user.
Create a RAM role to be assumed by the Alibaba Cloud service. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
Important: When you create a RAM role, you must set the Select Trusted Entity parameter to Alibaba Cloud Service and the Select Trusted Service parameter to Log Service.
Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "log.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Create a custom policy that grants the permissions to read data from a Logstore.
You can use a policy document that uses exact match or fuzzy match for authorization.
Exact match for authorization
On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.
Important: Replace Project name and Logstore name in the policy document based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": [
        "acs:log:*:*:project/Project name/logstore/Logstore name"
      ],
      "Effect": "Allow"
    }
  ]
}
Fuzzy match for authorization
On the Create Policy page, click the JSON tab. Replace the existing contents in the editor with the following script. For more information, see Create a custom policy on the JSON tab.
Important: In this example, the names of the projects are log-project-dev-a, log-project-dev-b, and log-project-dev-c, and the names of the Logstores are website_a_log, website_b_log, and website_c_log. Replace log-project-dev-* and website_*_log* in the policy document based on your business requirements.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "log:GetCursorOrData",
        "log:ListShards"
      ],
      "Resource": [
        "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log*"
      ],
      "Effect": "Allow"
    }
  ]
}
Attach the created custom policy to the RAM role. For more information, see Grant permissions to a RAM role.
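As an added example (not Alibaba Cloud's own code), a Python check that can be run offline against a saved trust policy and permission policy before they are attached to the role: it confirms that log.aliyuncs.com may assume the role, flags actions beyond the two read actions or resource patterns whose project or logstore segment is unscoped, and tests whether a concrete logstore is covered. The embedded sample policies, the region and the account ID are constructed placeholders, and the wildcard check approximates RAM's "*" matching with fnmatch.

```python
import fnmatch
import json

# Constructed sample documents (not captured from a real console); shaped like the
# trust policy and the fuzzy-match permission policy shown in the procedure above.
TRUST_POLICY = json.loads('{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",'
                          '"Principal":{"Service":["log.aliyuncs.com"]}}],"Version":"1"}')
READ_POLICY = json.loads('{"Version":"1","Statement":[{"Action":["log:GetCursorOrData",'
                         '"log:ListShards"],"Resource":["acs:log:*:*:project/log-project-dev-*'
                         '/logstore/website_*_log*"],"Effect":"Allow"}]}')

# The only two actions the shipping job needs to read a logstore, per the policies above.
NEEDED_ACTIONS = {"log:GetCursorOrData", "log:ListShards"}


def _as_list(value):
    """RAM policies allow a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_ok(policy):
    """True if an Allow statement lets log.aliyuncs.com call sts:AssumeRole on the role."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        if "log.aliyuncs.com" in _as_list(st.get("Principal", {}).get("Service", [])):
            return True
    return False


def read_policy_findings(policy):
    """Least-privilege review: report extra actions and resource patterns whose project or
    logstore segment is missing or a bare '*'. Empty list means as tight as the documented one."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action", []))) - NEEDED_ACTIONS
        if extra:
            findings.append("unneeded actions: " + ", ".join(sorted(extra)))
        for res in _as_list(st.get("Resource", [])):
            _, _, scope = res.partition(":project/")
            project, _, logstore = scope.partition("/logstore/")
            if res == "*" or project in ("", "*") or logstore in ("", "*"):
                findings.append("unscoped resource: " + res)
    return findings


def resource_matches(policy, project, logstore):
    """Does any Allow Resource pattern cover this logstore? Region/account are placeholders."""
    arn = f"acs:log:cn-hangzhou:123456789:project/{project}/logstore/{logstore}"
    return any(fnmatch.fnmatchcase(arn, pat)
               for st in policy.get("Statement", []) if st.get("Effect") == "Allow"
               for pat in _as_list(st.get("Resource", [])))
```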
What to do next
After you authorize a RAM role to read log data from a logstore, you can assign the RAM role to a MaxCompute data shipping job to allow the job to read log data from the logstore. When you create a MaxCompute data shipping job, set the Read Permissions on Simple Log Service parameter to Custom Role. For more information, see Create a data shipping job of the new version to ship data to MaxCompute.