Before a Resource Access Management (RAM) user can use the new version of the data shipping feature to ship data to Object Storage Service (OSS), you must grant the RAM user the required permissions. This topic describes how to authorize a RAM user to ship data to OSS.

Prerequisites

A RAM user is created. For more information, see Step 1: Create a RAM user.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a policy.
    1. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy.
    3. On the Create Policy page, click the JSON tab, replace the existing script in the editor with the following script, and then click Next to edit policy information.

      In the script, replace Project name and Logstore name with the actual project name and Logstore name.

      Important: If you want to use a RAM user to configure alerts for OSS data shipping jobs, you must authorize the RAM user to manage alerts. For more information, see Authorize a RAM user to manage alerts.
      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "log:GetLogStore",
              "log:GetIndex",
              "log:GetLogStoreHistogram",
              "log:GetLogStoreLogs"
            ],
            "Resource": [
              "acs:log:*:*:project/Project name/logstore/Logstore name",
              "acs:log:*:*:project/Project name/logstore/internal-diagnostic_log"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:CreateJob",
              "log:UpdateJob",
              "log:DeleteJob",
              "log:ListJobs",
              "log:GetJob"
            ],
            "Resource": "acs:log:*:*:project/Project name/job/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "log:ListLogStores",
              "log:ListDashboard",
              "log:ListSavedSearch"
            ],
            "Resource": "acs:log:*:*:project/Project name/*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "ram:PassRole",
              "ram:GetRole",
              "ram:ListRoles"
            ],
            "Resource": "*"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "audit.log.aliyuncs.com"
              }
            }
          }
        ]
      }
    4. Configure the Name parameter and click OK.
  3. Attach the policy to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to attach the policy and click Add Permissions in the Actions column.
    3. In the Select Policy section of the Add Permissions panel, click Custom Policy. Then, select the policy that you created in Step 2. Click OK.
    4. Verify that the policy is attached to the RAM user and click Complete.
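
The following is an added example, not part of the original documentation: a Python script that fills the project and Logstore names into the policy from Step 2 and reviews the resulting document before it is pasted into the JSON tab. The function names, the name allowlist, and the sample names are assumptions of this example.

```python
import json
import re

# Assumption: a conservative allowlist for this example, not the official naming rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")

def build_policy(project, logstore):
    """Return the policy from Step 2 with the two placeholders filled in."""
    for name in (project, logstore):
        # '*', '/', ':' or spaces in a name would change what the resource string matches.
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe name for a resource string: {name!r}")
    base = f"acs:log:*:*:project/{project}"

    def allow(actions, resource):
        return {"Effect": "Allow", "Action": actions, "Resource": resource}

    return {"Version": "1", "Statement": [
        allow(["log:GetLogStore", "log:GetIndex", "log:GetLogStoreHistogram", "log:GetLogStoreLogs"],
              [f"{base}/logstore/{logstore}", f"{base}/logstore/internal-diagnostic_log"]),
        allow(["log:CreateJob", "log:UpdateJob", "log:DeleteJob", "log:ListJobs", "log:GetJob"],
              f"{base}/job/*"),
        allow(["log:ListLogStores", "log:ListDashboard", "log:ListSavedSearch"], f"{base}/*"),
        allow(["ram:PassRole", "ram:GetRole", "ram:ListRoles"], "*"),
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "audit.log.aliyuncs.com"}}},
    ]}

def review(policy_text):
    """Return review findings for a policy document given as JSON text."""
    policy = json.loads(policy_text)  # raises ValueError on malformed JSON
    findings = []
    for i, st in enumerate(policy["Statement"]):
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            # Placeholders copied verbatim from the page never match a real project.
            if "Project name" in r or "Logstore name" in r:
                findings.append(f"statement {i}: placeholder left in {r}")
        # Account-wide grants with no Condition are listed so a reviewer can confirm the scope.
        if "*" in resources and "Condition" not in st:
            findings.append(f'statement {i}: Resource "*" without Condition; review scope')
    return findings

if __name__ == "__main__":
    text = json.dumps(build_policy("my-project", "my-logstore"), indent=2)  # constructed names
    print(text)
    for finding in review(text):
        print("REVIEW:", finding)
```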