This topic describes how to add a data source in RAM role-based authorization mode. This mode avoids storing a long-lived AccessKey pair in DataWorks and therefore improves the security of your data in the cloud. An Object Storage Service (OSS) data source is used as the example.
Prerequisites
Background information
- AccessKey pair-based authorization mode
The AccessKey pair-based authorization mode provides lower security than the RAM role-based authorization mode. In AccessKey pair-based authorization mode, you need to specify the AccessKey pair of your Alibaba Cloud account or RAM user when you add a data source.
The following figure shows the parameters that are required to use the AccessKey pair-based authorization mode to add an OSS data source. In the Add OSS data source dialog box, you must set the AccessKey ID and AccessKey Secret parameters to the AccessKey ID and AccessKey secret of an account that can access the OSS bucket. When a synchronization node for the OSS data source runs or is scheduled, DataWorks uses this AccessKey pair to access the data source and read data from or write data to it.
Note In AccessKey pair-based authorization mode, the AccessKey pair is a long-lived credential stored in the data source configuration. Anyone who obtains the pair has the same access to the OSS bucket as the account it belongs to, so a leaked AccessKey pair means leaked OSS data.
- RAM role-based authorization mode
The RAM role-based authorization mode provides higher security than the AccessKey pair-based authorization mode. In RAM role-based authorization mode, AccessKey pairs are not required. This prevents your AccessKey pair from being leaked.
In RAM role-based authorization mode, you can authorize the DataWorks service account to assume a RAM role to access OSS without using AccessKey pairs.
In addition, you can create different roles for different data sources based on your business requirements. This allows you to manage permissions in a fine-grained manner.
Process
- Use your Alibaba Cloud account or a RAM user to which the AliyunDataWorksFullAccess policy is attached to log on to the DataWorks console. Then, go to the Data Integration page and enable the RAM role-based authorization mode.
- Use your Alibaba Cloud account or a RAM user to which the AliyunRAMFullAccess policy is attached to log on to the RAM console. Then, create a role to be assumed and a policy to be attached.
- Role to be assumed: You must create a custom role to be assumed by the DataWorks service account. After the DataWorks service account assumes the role, DataWorks accesses OSS with exactly the permissions that are granted to the role, so grant the role only the permissions on the buckets that the data source needs.
- Policy to be attached: You must create a policy that allows the ram:PassRole action on the custom role and attach the policy to a RAM user. This way, the RAM user can pass the custom role to DataWorks when adding a data source or running a synchronization node for the data source.
- Use your Alibaba Cloud account or a RAM user to which the AliyunRAMFullAccess policy is attached to log on to the RAM console. Then, grant permissions to the RAM users that you want to use in Steps 4 and 6.
Note In RAM role-based authorization mode, if a RAM user that has not been granted the PassRole permission on the custom role adds a data source, all synchronization nodes for that data source fail to run.
- Log on to the DataWorks console by using the Alibaba Cloud account or RAM user that you want to use to add a data source. Then, go to the Data Integration page and use the RAM role-based authorization mode to add a data source. When the synchronization node for the data source runs, the system can use the DataWorks service account that assumes the created RAM role to access the data source.
Note The Alibaba Cloud account or RAM user can be used to perform operations in this step only after the Alibaba Cloud account or RAM user is granted the required permissions in Step 3.
- Go to the DataStudio page by using the Alibaba Cloud account or RAM user that you want to use to create a data synchronization node. Then, create a synchronization node for the data source that you added.
- On the DataStudio or Operation Center page, run the data synchronization node by using the Alibaba Cloud account or RAM user that you want to use to run the node.
Note The Alibaba Cloud account or RAM user can be used to perform operations in this step only after the Alibaba Cloud account or RAM user is granted the required permissions in Step 3.
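The procedure above creates three RAM documents in the console: the trust policy of the role to be assumed (Step 2), the permission policy that gives the role access to the OSS bucket (Step 2), and the PassRole policy attached to the RAM users used in Steps 4 and 6 (Step 3). The following is an added example, not code from this topic or from DataWorks, that builds the three documents in RAM policy syntax and runs a small least-privilege check over them. The account ID, role name, bucket name and the DataWorks service principal `dataworks.aliyuncs.com` are assumptions used as placeholders; replace them with your own values and confirm the service principal against the RAM console.

```python
"""Added example: RAM policy documents for DataWorks RAM role-based authorization.

All identifiers below are placeholders (assumptions), not values from the topic:
  ACCOUNT_ID, ROLE_NAME, BUCKET and the DataWorks service principal.
"""
import json

ACCOUNT_ID = "123456789012345678"            # placeholder Alibaba Cloud account ID
ROLE_NAME = "DataWorksOssSyncRole"            # hypothetical name of the role to be assumed
BUCKET = "dataworks-sync-bucket"              # hypothetical OSS bucket used by the data source
DATAWORKS_SERVICE = "dataworks.aliyuncs.com"  # assumed DataWorks service principal


def trust_policy(service: str = DATAWORKS_SERVICE) -> dict:
    """Trust policy of the custom role: only the DataWorks service may assume it."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"Service": [service]},
        }],
    }


def oss_access_policy(bucket: str = BUCKET) -> dict:
    """Permission policy attached to the role: read and write one bucket only."""
    return {
        "Version": "1",
        "Statement": [
            {   # bucket-level actions needed to list and inspect the bucket
                "Effect": "Allow",
                "Action": ["oss:ListObjects", "oss:GetBucketInfo"],
                "Resource": f"acs:oss:*:*:{bucket}",
            },
            {   # object-level actions for the synchronization node itself
                "Effect": "Allow",
                "Action": ["oss:GetObject", "oss:PutObject"],
                "Resource": f"acs:oss:*:*:{bucket}/*",
            },
        ],
    }


def pass_role_policy(account_id: str = ACCOUNT_ID, role_name: str = ROLE_NAME) -> dict:
    """Policy attached to the RAM user (Step 3): may pass exactly this one role."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ram:PassRole",
            "Resource": f"acs:ram::{account_id}:role/{role_name}",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(named_policies: dict) -> list:
    """Flag the over-grants that defeat the point of the role-based mode:
    wildcard actions, PassRole on any role, OSS access on every bucket, and a
    trust policy that lets a non-service principal assume the role."""
    findings = []
    for name, doc in named_policies.items():
        for stmt in doc["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            principal = stmt.get("Principal", {})
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{name}: wildcard action {actions}")
            if "ram:PassRole" in actions and any(r == "*" or r.endswith(":role/*") for r in resources):
                findings.append(f"{name}: ram:PassRole granted on {resources}")
            if any(a.startswith("oss:") for a in actions) and any(r in ("*", "acs:oss:*:*:*") for r in resources):
                findings.append(f"{name}: OSS access on every bucket {resources}")
            if "sts:AssumeRole" in actions and (principal == "*" or set(principal) - {"Service"}):
                findings.append(f"{name}: role assumable by non-service principal {principal}")
    return findings


def build_all() -> dict:
    """The three documents the console procedure creates, keyed by purpose."""
    return {
        "trust": trust_policy(),
        "oss-access": oss_access_policy(),
        "pass-role": pass_role_policy(),
    }


if __name__ == "__main__":
    for name, doc in build_all().items():
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
    print("findings:", audit(build_all()))
```

The PassRole resource is the single point that decides who can make DataWorks act with the role: a policy with `"Resource": "*"` lets the RAM user hand any role in the account to DataWorks, which is the case the audit flags. Keep one role per data source, as the topic recommends, and the PassRole policy scoped to that role.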