This topic describes how to use a RAM user to access OSS resources owned by other accounts and submit a Spark job.
Prerequisites
- Two Alibaba Cloud accounts are created. For example, you use account A to submit a Spark job and use account A to access OSS resources owned by account B. To simplify your operations, we recommend that you use two browsers at the same time. One is used to log on as account A, and the other is used to log on as account B.
- A RAM user of account A can access all resources owned by account A. For more information, see Grant permissions to a RAM user (simplified version) or Grant permissions to a RAM user.
Procedure
1. Use account B to log on to the RAM console and create a RAM role.
   - Log on to the RAM console. In the left-side navigation pane, click RAM Roles.
   - On the RAM Roles page, click Create RAM Role.
   - In the Create RAM Role panel, select Alibaba Cloud Service for Trusted entity type, and click Next.
   - In the Configure Role step of the Create RAM Role panel, select Normal Service Role for Role Type, enter test-dla-accross-account in the RAM Role Name field, and then select Data Lake Analytics from the Select Trusted Service drop-down list. Click OK.
2. Use account B to log on to the RAM console, modify the policy of the test-dla-accross-account role, and then grant the role the permission to access OSS.
3. Use account A to log on to the RAM console and create a custom policy.
4. Use account A to log on to the RAM console, and add the policy created in Step 3 to the RAM user of account A.
   - Log on to the RAM console. In the left-side navigation pane, choose .
   - On the Users page, find the RAM user to which you want to add the policy in the User Logon Name/Display Name column and click the name of the RAM user.
   - On the page that appears, click the Permissions tab.
   - On the Permissions tab, click Add Permissions.
   - In the Add Permissions panel, select Alibaba Cloud account all resources for Authorization. In Select Policy, click the Custom Policy tab and add the test-dla-accross-b-oss policy to the Selected area on the right. Click OK.
Verify the configurations
When you submit a Spark job as a RAM user of account A, you must add spark.dla.roleArn to the conf parameter. Its value is the ARN of the account B role from Step 2. Example:
{
    "name": "<The name of the job>",
    "file": "<oss://path/to/your/jar>",
    "className": "<mainclass>",
    "args": [
        "Job parameter 1",
        "Job parameter 2"
    ],
    "conf": {
        "spark.dla.roleArn": "acs:ram::xxxxxx:role/test-dla-accross-account",
        "spark.driver.resourceSpec": "small",
        "spark.executor.instances": 2,
        "spark.executor.resourceSpec": "small"
    }
}
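A pre-submission check for the job configuration above, added here as an example and not taken from the DLA documentation or tooling: it confirms that the job is valid JSON and that spark.dla.roleArn names a role on an allow-list of (account ID, role name) pairs. The function name check_job_role, the allow-list, the account IDs and the character set accepted for role names are assumptions made for this example.

```python
import json
import re

# ARN layout as shown on this page: acs:ram::<account-id>:role/<role-name>.
# The character set allowed in the role name is an assumption of this example.
ROLE_ARN_RE = re.compile(r"^acs:ram::(?P<account>\d+):role/(?P<role>[A-Za-z0-9.\-]+)$")


def check_job_role(job_json, allowed_roles):
    """Return a list of problems with the job's spark.dla.roleArn (empty = OK).

    allowed_roles: set of (account_id, role_name) pairs the submitter may use.
    """
    try:
        job = json.loads(job_json)
    except json.JSONDecodeError as exc:
        return [f"job is not valid JSON: {exc.msg} (line {exc.lineno})"]
    conf = job.get("conf") if isinstance(job, dict) else None
    if not isinstance(conf, dict):
        return ["job has no conf object"]
    arn = conf.get("spark.dla.roleArn")
    if not isinstance(arn, str):
        return ["conf has no spark.dla.roleArn"]
    match = ROLE_ARN_RE.match(arn)
    if match is None:
        return [f"spark.dla.roleArn is not a RAM role ARN: {arn!r}"]
    pair = (match["account"], match["role"])
    if pair not in allowed_roles:
        return [f"role {pair[1]!r} in account {pair[0]} is not on the allow-list"]
    return []


# Constructed sample values; 1111111111111111 stands in for account B's ID.
ALLOWED = {("1111111111111111", "test-dla-accross-account")}
GOOD_JOB = json.dumps({
    "name": "demo", "file": "oss://bucket/app.jar", "className": "Main",
    "conf": {"spark.dla.roleArn": "acs:ram::1111111111111111:role/test-dla-accross-account"},
})
# Constructed job with the comma after the roleArn entry left out.
BROKEN_JOB = '{"conf": {"spark.dla.roleArn": "acs:ram::1:role/r" "spark.executor.instances": 2}}'
# Same job pointed at a role in an account that is not on the allow-list.
OTHER_ACCOUNT_JOB = GOOD_JOB.replace("1111111111111111", "2222222222222222")

if __name__ == "__main__":
    for label, job in [("good", GOOD_JOB), ("broken", BROKEN_JOB), ("other", OTHER_ACCOUNT_JOB)]:
        print(label, check_job_role(job, ALLOWED))
```

Running the check before submission keeps a mistyped or unexpected role ARN from reaching the service, where the job would otherwise run with whatever OSS permissions that role carries.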