MaxCompute: User authentication

Last Updated: Feb 04, 2024

MaxCompute allows you to access a MaxCompute project by using an Alibaba Cloud account, a Resource Access Management (RAM) user, or a RAM role. This topic describes three access methods.

Background information

MaxCompute allows you to use an Alibaba Cloud account, a RAM user, or a RAM role for identity authentication. You can access MaxCompute only if your identity is valid.

  • Use an Alibaba Cloud account to access MaxCompute

    The owner of the Alibaba Cloud account has full operational control over all the resources that belong to this account.

  • Use a RAM user to access MaxCompute

    If you want to invite other users to use MaxCompute, you can create a RAM user and grant required permissions to the RAM user.

  • Use a RAM role to access MaxCompute

    A RAM role is a virtual RAM identity that you can create within your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity.

Use an Alibaba Cloud account to access MaxCompute

To access MaxCompute with an Alibaba Cloud account, perform the following steps:

  1. Optional: Create an Alibaba Cloud account, complete account verification, and create an AccessKey pair. For more information, see Create an Alibaba Cloud account.

    Note
    • An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to look up the AccessKey pair, whereas the AccessKey secret is used to calculate the signature of a request. You must keep your AccessKey pair confidential. To update an AccessKey pair, you must create another pair and disable the existing one.

    • It takes about 15 minutes to enable or disable an AccessKey pair.

  2. Use the Alibaba Cloud account or AccessKey pair that you created to access MaxCompute.

    Note

    Keep the AccessKey pair strictly confidential. A leaked AccessKey pair may jeopardize all the cloud resources that belong to your account. Therefore, we recommend that you do not directly use your Alibaba Cloud account to perform routine MaxCompute operations.

Use a RAM user to access MaxCompute

By default, MaxCompute projects recognize only the Alibaba Cloud account system. You can manually add support for the RAM account system. To access MaxCompute by using the credentials of a RAM user, perform the following steps:

  1. Optional: View the account systems that are supported by a MaxCompute project and add support for the RAM account system.

    1. Log on to the MaxCompute client (odpscmd) and run the add accountprovider ram; command to add support for the RAM account system.

    2. Run the list accountproviders; command to check whether the RAM account system is added for the MaxCompute project.

  2. Create a RAM user for your Alibaba Cloud account and add the RAM user to the MaxCompute project. For more information, see Prepare a RAM user and Add workspace members and assign roles to them.

    Note

    MaxCompute projects recognize only the account system of RAM, not the permission definitions in RAM. If you add a RAM user to a MaxCompute project, the MaxCompute project does not recognize the original permissions of the RAM user that were configured in RAM. In this case, MaxCompute authenticates the RAM user but does not consider the permission definitions in RAM.

Use a RAM role to access MaxCompute

A RAM role does not represent a specific individual. A RAM role can be assumed by other users. In addition, a RAM role does not have an account, a password, or an AccessKey pair for identity authentication. Instead, you must use a temporary security token issued by Security Token Service (STS) for identity authentication.

You can use a RAM role to access MaxCompute in the following scenarios:

  • Role-based SSO: If Alibaba Cloud and the identity management system of an enterprise work together to implement role-based SSO, Alibaba Cloud is the service provider (SP) and the identity management system is the identity provider (IdP). Role-based SSO allows the enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, employees of the enterprise can log on to Alibaba Cloud by using a specific RAM role.

  • Cross-service access: Create a RAM role for a trusted Alibaba Cloud service. This way, the trusted Alibaba Cloud service can use this RAM role to access another service. You can add the RAM role to a MaxCompute project in a way similar to how you add a common RAM user. MaxCompute manages the permissions of the RAM role in the same way as it manages the permissions of a common RAM user, such as granting the permissions to create data objects, execute jobs, write data, and read data. Other services can assume this RAM role to access MaxCompute projects for data management, data analysis, and data exchange.

To access MaxCompute by using a RAM role, perform the following steps:

  1. Create a RAM role and define the trust policy of the RAM role. For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, or Create a RAM role for a trusted Alibaba Cloud service. For more information about how to define the trust policy of a RAM role, see Edit the trust policy of a RAM role.

  2. Add the RAM role to a MaxCompute project. For more information, see Add a RAM role (project-level).

  3. Use the RAM role to access the MaxCompute project. For more information, see Overview.
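
Before a role is added to a project in step 2, it helps to confirm which entities its trust policy from step 1 lets assume it. The following review script is an added example, not part of the original documentation. It assumes the RAM trust-policy JSON layout (Statement entries whose Principal uses the keys RAM, Service, or Federated); the sample policy, service name, and angle-bracket IDs are constructed placeholders.

```python
import json

# Principal keys of a RAM role trust policy and the trusted-entity type each denotes.
ENTITY_TYPES = {"RAM": "Alibaba Cloud account", "Service": "Alibaba Cloud service",
                "Federated": "identity provider (IdP)"}

# Constructed sample policy; the service name and <...> values are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["example-service.aliyuncs.com"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"RAM": ["acs:ram::<account-id>:root"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Federated": ["acs:ram::<account-id>:saml-provider/<idp-name>"]}},
]})

def _as_list(value):
    """Accept either a single item or a list of items."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json):
    """Return (trusted_entities, findings) for one role trust policy document."""
    trusted, findings = [], []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements extend trust to an entity
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: principal is not limited to named entities")
            continue
        for key, values in principal.items():
            kind = ENTITY_TYPES.get(key)
            if kind is None:
                findings.append(f"statement {idx}: unknown principal type {key!r}")
                continue
            for value in _as_list(values):
                trusted.append((kind, value))
                if "*" in value:
                    findings.append(f"statement {idx}: wildcard principal {value!r}")
                elif key == "RAM" and value.endswith(":root"):
                    findings.append(f"statement {idx}: {value} trusts a whole account, not a named user or role")
        if "Federated" in principal and not stmt.get("Condition"):
            findings.append(f"statement {idx}: IdP trust has no Condition on the SAML assertion")
    return trusted, findings

if __name__ == "__main__":
    for line in audit_trust_policy(SAMPLE_POLICY)[1]:
        print(line)
```

Each finding is a prompt for review rather than a verdict: an account-level principal or an unconditioned IdP trust may be intended, but it widens the set of identities that can reach the MaxCompute project through the role.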