This topic describes how to use the RAM authorization mode to configure a connection to an Object Storage Service (OSS) bucket, so as to improve the security of data on Alibaba Cloud.
Prerequisites
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, click Users.
- In the Actions column of the RAM user to which you want to grant permissions, click Add Permissions.
- In the Add Permissions dialog box, set Authorization to Alibaba Cloud account all resources. In the Select Policy section, click AliyunDataWorksFullAccess and AliyunRAMFullAccess.
- Click OK.
Background information
- AccessKey mode
The AccessKey mode is less secure than the RAM authorization mode. It relies on an AccessKey ID and an AccessKey secret: to configure connections to data stores, you only need to enter the AccessKey pair of your Alibaba Cloud account or RAM user.
To configure a connection to an OSS bucket, open the Add OSS data source dialog box and enter the AccessKey pair of an account that has been granted permission to connect to the bucket. The connection to the OSS bucket is then configured.
When a sync node is run or scheduled, DataWorks uses the AccessKey pair to connect to OSS and read or write data.
Note: In AccessKey mode, the leak of AccessKey pairs will result in the leak of OSS data.
- RAM authorization mode
The RAM authorization mode is more secure than the AccessKey mode. In RAM authorization mode, no AccessKey pairs are used, which avoids the leak of AccessKey pairs.
In RAM authorization mode, you can authorize the DataWorks service account to assume a RAM role to connect to OSS without using AccessKey pairs.
You can assign permissions on different data stores to different roles, which gives enterprise users more rigorous permission management.
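In RAM authorization mode, access depends on two documents: the role's trust policy (who may assume the role) and its permission policy (what the role may do in OSS). The following check is an added example, not code from the original page or from Alibaba Cloud. The service principal string, bucket names and account ID are constructed placeholders, and the sample policies assume the RAM JSON policy layout.

```python
# Assumption: placeholder for the DataWorks service principal. Replace it with
# the value shown in the trust policy of the role used by your data source.
EXPECTED_SERVICE = "dataworks-service.placeholder"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(trust_policy, permission_policy, bucket):
    """Return findings for a role that backs one OSS data source connection."""
    findings = []
    # Trust policy: only the expected service may assume the role.
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, names in stmt.get("Principal", {}).items():
            for name in as_list(names):
                if kind != "Service" or name != EXPECTED_SERVICE:
                    findings.append(f"trust: unexpected principal {kind}={name}")
    # Permission policy: OSS actions only, limited to the one bucket.
    prefix = f"acs:oss:*:*:{bucket}"
    for stmt in permission_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if not action.startswith("oss:") or action == "oss:*":
                findings.append(f"permission: over-broad action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if res != prefix and not res.startswith(prefix + "/"):
                findings.append(f"permission: resource outside bucket {res}")
    return findings

# Constructed sample policies (not taken from any real account).
SCOPED_TRUST = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": [EXPECTED_SERVICE]}}]}
SCOPED_PERMS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
     "Resource": ["acs:oss:*:*:example-sync-bucket",
                  "acs:oss:*:*:example-sync-bucket/*"]}]}
BROAD_TRUST = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"RAM": ["acs:ram::1234567890123456:root"]}}]}
BROAD_PERMS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}

if __name__ == "__main__":
    for finding in audit_role(BROAD_TRUST, BROAD_PERMS, "example-sync-bucket"):
        print(finding)
```

An empty result means the role can be assumed only by the expected service and can reach only the named bucket, which is the per-data-store separation described above.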
Workflow
The following workflow describes how to configure a connection to a data store in RAM authorization mode, create a sync node based on the connection, and run the sync node. In this workflow, a RAM user must be granted relevant permissions before it can function in the same way as an Alibaba Cloud account.