Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. It is used to control account permissions. After you create RAM users within the scope of permissions under an Alibaba Cloud account, you can grant different permissions to these RAM users to allow or deny their access to cloud resources. A DLA child account is created by using the DLA root account (an Alibaba Cloud account for DLA). The DLA child account can read data from and write data into related databases and tables after the DLA root account grants relevant permissions to the DLA child account. This topic describes how to bind a DLA child account with a RAM user.

Background information

DLA child accounts are used to control functions of the serverless SQL engine, whereas RAM users are used to control functions of the serverless Spark engine. After you bind a RAM user with a DLA child account, the DLA serverless SQL engine and serverless Spark engine can access databases and tables stored on each other.


You have performed the following operations to ensure that DLA can obtain RAM information to check the validity of RAM users:
  1. Create a RAM role named AliyunOpenAnalyticsAccessingRAMRole. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
  2. Grant permissions to this role and select AliyunRAMReadOnlyAccess as the system permission policy. For more information, see Grant permissions to a RAM role.
  3. On the RAM Roles page, click AliyunOpenAnalyticsAccessingRAMRole.
  4. On the page that appears, click the Trust Policy Management tab. On this tab, click Edit Trust Policy and modify the default policy. The following script shows the policy information after modification.
        "Statement": [
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
        "Version": "1"
  5. After the modification, DLA can read the relevant API permissions of the RAM user.


  • Bind a RAM user with a new DLA child account
    1. Log on to the Data Lake Analytics console.
    2. In the left-side navigation pane, click Account. Click Create Child
    3. In the Create Child Account pane, select the required RAM user from the Bind RAM account drop-down list, and click
  • Bind a RAM user with an existing DLA child account
    1. Log on to the Data Lake Analytics console.
    2. In the left-side navigation pane, click Account.
    3. Find your DLA child account, click Bind RAM account in the Actions column, and then select the RAM user you want to bind.
  • If the RAM user you want to select is not displayed, you can create a RAM user.
  • A RAM user can be bound with only one DLA child account.
  • If a DLA child account has been bound with a RAM user, they cannot be bound again after being unbound. You must delete the DLA child account before you bind them again.
  • By default, the UID of the DLA root account identifies the RAM user bound with this account. When you create a DLA root account, a RAM user is automatically bound to this account. Manual binding is not required.