This topic describes how to use a RAM user to access OSS resources owned by other accounts and submit a Spark job.

Prerequisites

  • Two Alibaba Cloud accounts are created. For example, account A submits a Spark job that accesses OSS resources owned by account B. To simplify your operations, we recommend that you use two browsers at the same time: one logged on as account A, the other logged on as account B.
  • A RAM user of account A can access all resources owned by account A. For more information, see Grant permissions to a RAM user (simplified version) or Grant permissions to a RAM user.

Procedure

  1. Use account B to log on to the RAM console and create a RAM role.
    1. Log on to the RAM console. In the left-side navigation pane, click RAM Roles.
    2. On the RAM Roles page, click Create RAM Role.
    3. In the Create RAM Role panel, select Alibaba Cloud Service for Trusted entity type, and click Next.
    4. In the Configure Role step of the Create RAM Role panel, select Normal Service Role for Role Type, enter test-dla-accross-account in the RAM Role Name field, and then select Data Lake Analytics from the Select Trusted Service drop-down list. Click OK.
  2. Use account B to log on to the RAM console, modify the trust policy of the test-dla-accross-account role, and then grant the role permission to access OSS.
    1. Log on to the RAM console. In the left-side navigation pane, click RAM Roles.
    2. On the RAM Roles page, find the test-dla-accross-account role in the RAM Role Name column, and click this role.
    3. On the Trust Policy Management tab, click Edit Trust Policy.
      Note The ARN of the role is generated after the RAM role is created and is displayed on this page. This ARN of the role in account B is used in Step 3.
    4. In the Edit Trust Policy panel, replace the policy with the following content, so that only Data Lake Analytics acting on behalf of account A can assume the role:
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "<UID of account A>@openanalytics.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    5. On the Permissions tab, click Add Permissions.
    6. In the Add Permissions panel, select Alibaba Cloud account all resources for Authorization. In Select Policy, click the System Policy tab, add AliyunOSSFullAccess to the Selected area on the right, and then click OK.
  3. Use account A to log on to the RAM console and create a custom policy.
    1. Log on to the RAM console. In the left-side navigation pane, choose Permissions > Policies.
    2. On the Policies page, click Create Policy. On the Create Custom Policy page, enter test-dla-accross-b-oss in the Policy Name field, select Script for Configuration Mode, and enter the following policy content in the code editor. Click OK.
      Policy content (the RAM user may pass only the role created in Step 2, and only to the Data Lake Analytics service):
      {
          "Statement": [
              {
                  "Action": "ram:PassRole",
                  "Resource": "<ARN of account B created in Step 2>",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "acs:Service": "openanalytics.aliyuncs.com"
                      }
                  }
              }
          ],
          "Version": "1"
      }
  4. Use account A to log on to the RAM console, and add the policy created in Step 3 to the RAM user of account A.
    1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to add the policy in the User Logon Name/Display Name column and click the name of the RAM user.
    3. On the page that appears, click the Permissions tab.
    4. On the Permissions tab, click Add Permissions.
    5. In the Add Permissions panel, select Alibaba Cloud account all resources for Authorization. In Select Policy, click the Custom Policy tab, add the test-dla-accross-b-oss policy to the Selected area on the right, and then click OK.

Verify the configurations

When you submit a Spark job as a RAM user of account A, you must set spark.dla.roleArn in the conf parameter to the ARN of the role created in account B in Step 2. Example:
{
    "name": "<The name of the job>",
    "file": "<oss://path/to/your/jar>",
    "className": "<mainclass>",
    "args": [
        "Job parameter 1",
        "Job parameter 2"
    ],
    "conf": {
        "spark.dla.roleArn": "acs:ram::xxxxxx:role/test-dla-accross-account",
        "spark.driver.resourceSpec": "small",
        "spark.executor.instances": 2,
        "spark.executor.resourceSpec": "small"
    }
}
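The following Python script is an added example, not part of the original topic and not Alibaba Cloud's own tooling. It generates the two policy documents from Steps 2 and 3 and the job document from the verification step, and it checks the least-privilege properties that make this setup safe: the trust policy in account B must admit only account A's Data Lake Analytics service principal (no wildcard or other principals), and the PassRole policy in account A must name exactly one role and be conditioned on acs:Service being openanalytics.aliyuncs.com. The account UIDs, role ARN, bucket path and class name are constructed sample values.

```python
import json
import re

# Service principal that Data Lake Analytics uses when it assumes the role (from the topic).
DLA_SERVICE = "openanalytics.aliyuncs.com"
# Shape of a RAM role ARN: acs:ram::<account UID>:role/<role name>
ROLE_ARN_RE = re.compile(r"^acs:ram::(\d+):role/([A-Za-z0-9._-]+)$")


def _as_list(value):
    """Policy fields such as Action or Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(account_a_uid: str) -> dict:
    """Trust policy for the role in account B (Step 2)."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [f"{account_a_uid}@{DLA_SERVICE}"]},
        }],
        "Version": "1",
    }


def pass_role_policy(role_arn: str) -> dict:
    """Custom policy attached to the RAM user in account A (Step 3)."""
    return {
        "Statement": [{
            "Action": "ram:PassRole",
            "Resource": role_arn,
            "Effect": "Allow",
            "Condition": {"StringEquals": {"acs:Service": DLA_SERVICE}},
        }],
        "Version": "1",
    }


def check_trust_policy(policy: dict, account_a_uid: str) -> list:
    """Findings for any Allow/AssumeRole statement whose principal is not exactly
    account A's DLA service principal (wildcards, other accounts, other kinds)."""
    expected = f"{account_a_uid}@{DLA_SERVICE}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"principal is not scoped: {principal!r}")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                if kind != "Service" or member != expected:
                    findings.append(f"unexpected principal {kind}={member}")
    return findings


def check_pass_role_policy(policy: dict, role_arn: str) -> list:
    """Findings when ram:PassRole covers more than one role or is not limited to DLA."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("ram:PassRole", "ram:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res != role_arn:
                findings.append(f"PassRole resource not limited to the role: {res}")
        service = stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service")
        if service != DLA_SERVICE:
            findings.append(f"PassRole not conditioned on acs:Service={DLA_SERVICE}")
    return findings


def spark_job(name: str, jar: str, main_class: str, role_arn: str, args=()) -> dict:
    """Job document for the verification step; rejects a malformed role ARN up front."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not a RAM role ARN: {role_arn}")
    return {
        "name": name,
        "file": jar,
        "className": main_class,
        "args": list(args),
        "conf": {
            "spark.dla.roleArn": role_arn,
            "spark.driver.resourceSpec": "small",
            "spark.executor.instances": 2,
            "spark.executor.resourceSpec": "small",
        },
    }


# Constructed sample values; not real accounts or buckets.
ACCOUNT_A_UID = "1111111111111111"
ROLE_ARN_B = "acs:ram::2222222222222222:role/test-dla-accross-account"

if __name__ == "__main__":
    trust = trust_policy(ACCOUNT_A_UID)
    passrole = pass_role_policy(ROLE_ARN_B)
    print("trust policy findings:", check_trust_policy(trust, ACCOUNT_A_UID))
    print("PassRole policy findings:", check_pass_role_policy(passrole, ROLE_ARN_B))
    job = spark_job("cross-account-demo", "oss://bucket-of-b/path/app.jar",
                    "com.example.Main", ROLE_ARN_B, ["arg1"])
    print(json.dumps(job, indent=4))
```

Run the checkers against the policies you actually pasted into the console (saved as JSON) to confirm they were not widened; a trust policy that names "*" or a RAM user principal, or a PassRole statement with Resource "*", would let any DLA job in account A or any role in account B be used, which is what the Condition and the single Service principal are there to prevent.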