
MaxCompute: Prepare a RAM user

Last Updated: May 25, 2023

To ensure the security of project data, we recommend that you create Resource Access Management (RAM) users and assign the credentials of the RAM users to other members who participate in MaxCompute projects. This helps strictly control the permissions of personnel who participate in MaxCompute projects. This topic describes how to create a RAM user.

Prerequisites

An Alibaba Cloud account is created.

For more information about how to create an Alibaba Cloud account, see Create an Alibaba Cloud account.

Precautions

  • RAM users belong to your Alibaba Cloud account. They do not own resources and are not separately charged.

  • All the fees incurred by the RAM users must be paid by your Alibaba Cloud account.

Procedure

  1. Step 1: Create a RAM user

    Create a RAM user by using your Alibaba Cloud account. For more information, see RAM.

  2. Step 2: Create an AccessKey pair

    Create an AccessKey pair for the RAM user by using your Alibaba Cloud account. This ensures that the jobs submitted by the RAM user can run normally.

  3. Step 3 (Optional): Grant permissions to the RAM user

    • To allow the RAM user to create projects in DataWorks, you must attach the AliyunDataWorksFullAccess policy to the RAM user by using your Alibaba Cloud account.

    • To allow the RAM user to manage projects and quotas in the MaxCompute V2.0 console, you must attach the AliyunMaxComputeFullAccess policy or custom RAM policies to the RAM user by using your Alibaba Cloud account. For more information, see RAM permissions.

  4. Step 4: Assign the credentials of the RAM user to another user

    Assign the credentials of the created RAM user to other users.

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Tag (optional): You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
    Note: You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select Console Access.

    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).

    • Open API Access: If you select Open API Access, the system automatically generates an AccessKey pair for the RAM user. The RAM user can then call API operations or use other development tools to access Alibaba Cloud resources.

  6. Click OK.
  7. On the Create User page, click Download CSV File or find an existing RAM user and click Copy in the Actions column to save the logon username and password of the RAM user.

Step 2: Create an AccessKey pair

Note
  • If you grant the RAM user the permission to manage AccessKey pairs, the RAM user can create AccessKey pairs in the RAM console. For more information about how to create an AccessKey pair, see Manage security settings for RAM users.

  • You can create a maximum of two AccessKey pairs for a RAM user.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click the username of a specific RAM user.
  4. In the User AccessKeys section, click Create AccessKey.
  5. In the View Secret dialog box, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

    Note
    • An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
    • If an AccessKey pair is leaked or lost, you must create another AccessKey pair. You can create a maximum of two AccessKey pairs for each RAM user.
  6. Click OK.

Step 3 (Optional): Grant permissions to the RAM user

  1. In the left-side navigation pane, choose Identities > Users.
  2. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  3. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note: If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions.
    3. Select policies.
      Note: You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  4. Click the AliyunDataWorksFullAccess policy in the Authorization Policy Name column to add this permission to the list of selected permissions.

    Note

    If the RAM user needs to activate MaxCompute later, the Alibaba Cloud account must attach the AliyunBSSOrderAccess policy to the RAM user.

  5. Click OK.
  6. Click Complete.
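
The limits stated in Steps 1 to 3 (logon name and display name rules, two AccessKey pairs per RAM user, five policies per Add Permissions operation) can be checked before a batch of users is created in the console. The following pre-flight check is an added example, not Alibaba Cloud code; the request fields, the sample data, the CustomPolicyN names, and the reading of "letters" as ASCII letters are assumptions.

```python
import re

# Limits quoted from this page. Reading "letters" as ASCII letters is an assumption.
LOGON_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
MAX_DISPLAY_NAME = 128
MAX_ACCESS_KEYS = 2        # per RAM user (Step 2)
MAX_POLICIES_PER_PASS = 5  # per Add Permissions operation (Step 3)


def policy_batches(policies):
    """Drop duplicate policy names, keep order, split into groups of at most five."""
    unique = list(dict.fromkeys(policies))
    return [unique[i:i + MAX_POLICIES_PER_PASS]
            for i in range(0, len(unique), MAX_POLICIES_PER_PASS)]


def preflight(requests):
    """Return one {"logon_name", "problems", "batches"} entry per planned RAM user."""
    seen, report = set(), []
    for req in requests:
        name, problems = req["logon_name"], []
        if not LOGON_NAME.fullmatch(name):
            problems.append("logon name: 1-64 letters, digits, '.', '-', '_' only")
        if name in seen:
            problems.append("logon name repeated in this request list")
        seen.add(name)
        if len(req.get("display_name", "")) > MAX_DISPLAY_NAME:
            problems.append("display name exceeds 128 characters")
        if req.get("existing_keys", 0) + req.get("new_keys", 0) > MAX_ACCESS_KEYS:
            problems.append("exceeds the limit of two AccessKey pairs")
        report.append({"logon_name": name, "problems": problems,
                       "batches": policy_batches(req.get("policies", []))})
    return report


# Constructed sample requests; the CustomPolicyN names are placeholders.
SAMPLE = [
    {"logon_name": "etl.runner_01", "display_name": "ETL runner", "new_keys": 1,
     "policies": ["AliyunDataWorksFullAccess", "AliyunBSSOrderAccess"]},
    {"logon_name": "bad name!", "display_name": "x" * 129,
     "existing_keys": 2, "new_keys": 1,
     "policies": [f"CustomPolicy{n}" for n in range(1, 7)] + ["CustomPolicy1"]},
]

if __name__ == "__main__":
    for entry in preflight(SAMPLE):
        print(entry["logon_name"], entry["problems"], entry["batches"])
```

Each entry in "batches" corresponds to one pass through the Add Permissions panel for that user.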

Step 4: Assign the credentials of the RAM user to another user

To assign the credentials of the RAM user to another user, you must provide the following information about the RAM user to that user:

  • The account information of the RAM user.

    • The account and password of the RAM user, which are the logon username and password of the RAM user saved in Step 1.

    • The AccessKey ID and AccessKey secret of the RAM user, which make up the AccessKey pair created in Step 2.

  • The logon method and logon URL of the RAM user.

    A RAM user can log on to the Alibaba Cloud Management Console by entering the account information in the common logon URL or logon portal for a RAM user. You can provide the logon URL to other RAM users based on your business requirements. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  • The domain name of the Alibaba Cloud account to which the RAM user belongs.

    Log on to the RAM console. In the left-side navigation pane, choose Identities > Settings. On the Settings page, click the Advanced tab. Then, you can view Default Domain and Domain Alias.

What to do next

After you prepare the RAM user, you can activate MaxCompute. For more information, see Activate MaxCompute and DataWorks.