MaxCompute allows you to access a MaxCompute project by using an Alibaba Cloud account, a RAM user, or a RAM role. This topic describes these three access methods.

Background information

MaxCompute allows you to use an Alibaba Cloud account, a RAM user, or a RAM role for identity authentication. You can access MaxCompute only if your identity is valid.

Use an Alibaba Cloud account to access MaxCompute

To access MaxCompute with an Alibaba Cloud account, perform the following steps:

  1. Optional: Create an Alibaba Cloud account, complete real-name verification, and create an AccessKey pair. For more information, see Create an Alibaba Cloud account.
    Note
    • An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to look up the AccessKey pair, whereas the AccessKey secret is used to calculate the signature of a request. You must keep your AccessKey pair confidential. To update an AccessKey pair, you must create another pair and disable the existing one.
    • It takes about 15 minutes to enable or disable an AccessKey pair.
  2. Use the Alibaba Cloud account or AccessKey pair you created to access MaxCompute.
    Note: Keep the AccessKey pair strictly confidential. A leaked AccessKey pair may jeopardize all the cloud resources that belong to your account. Therefore, we recommend that you do not use your Alibaba Cloud account to perform routine MaxCompute operations.

Use a RAM user to access MaxCompute

By default, MaxCompute projects recognize only the Alibaba Cloud account system. You can manually add support for the RAM account system. To access MaxCompute with a RAM user, perform the following steps:

  1. Optional: View the account systems supported by a MaxCompute project and add support for the RAM account system.
    1. Log on to the MaxCompute client (odpscmd) and run the add accountprovider ram; command to add support for the RAM account system.
    2. Run the list accountproviders; command to check whether the RAM account system is added for the MaxCompute project.
  2. Create a RAM user for your Alibaba Cloud account and add the RAM user to the MaxCompute project. For more information, see Create RAM users and Add workspace members.
    Note: MaxCompute projects recognize only the account system of RAM, not the permissions defined in RAM. When you add a RAM user to a MaxCompute project, the MaxCompute project does not recognize the original permissions of the RAM user that were configured in RAM. That is, MaxCompute authenticates the RAM user but does not consider the permission definitions in RAM.

Use a RAM role to access MaxCompute

A RAM role does not represent a specific individual. It can be assumed by other users. In addition, a RAM role does not have an account, a password, or an AccessKey pair for identity authentication. You must use a temporary security token issued by Security Token Service (STS) for identity authentication.

You can use a RAM role to access MaxCompute in the following scenarios:
  • Role-based SSO: If Alibaba Cloud and the identity management system of an enterprise work together to implement role-based SSO, Alibaba Cloud is the service provider (SP) and the identity management system is the identity provider (IdP). Role-based SSO allows the enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, employees of the enterprise can log on to Alibaba Cloud by using a specific RAM role.
  • Cross-service access: Create a RAM role for a trusted Alibaba Cloud service. This way, the trusted Alibaba Cloud service can use this RAM role to access another service. MaxCompute can add the RAM role to a MaxCompute project in much the same way as it adds a common RAM user. MaxCompute manages the permissions of the RAM role just like it manages the permissions of a common RAM user, such as granting the permissions to create data objects, execute jobs, write data, and read data. Other services can assume this RAM role to access MaxCompute projects for data management, data analysis, and data exchange.

To access MaxCompute with a RAM role, perform the following steps:

  1. Create a RAM role and define the trust policy of the RAM role. For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, or Create a RAM role for a trusted Alibaba Cloud service. For more information about how to define the trust policy of a RAM role, see Edit the trust policy of a RAM role.
  2. Add the RAM role to a MaxCompute project. For more information, see Add a RAM role.
  3. Use the RAM role to access the MaxCompute project. For more information, see Overview of role-based SSO.
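
A review helper for the trust policy defined in step 1, as an added example that is not part of the original topic: it maps each principal key in the policy to the trusted entity type (Alibaba Cloud account, IdP, or Alibaba Cloud service) and reports principals that are not on an allowlist. The policy layout follows the RAM trust policy format; the function name, the allowlist, the account ID, and the service name are constructed for illustration.

```python
import json

# Principal key in a RAM role trust policy -> trusted entity type from step 1.
ENTITY_TYPES = {
    "RAM": "Alibaba Cloud account",
    "Federated": "IdP",
    "Service": "Alibaba Cloud service",
}

def review_trust_policy(policy_json, allowed_principals):
    """Return (entity_types, findings) for a RAM role trust policy document."""
    policy = json.loads(policy_json)
    types, findings = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or not principal:
            findings.append("Allow statement has no explicit Principal")
            continue
        for key, values in principal.items():
            types.add(ENTITY_TYPES.get(key, "unknown (" + key + ")"))
            # A principal may be a single string or a list of strings.
            for value in [values] if isinstance(values, str) else values:
                if value not in allowed_principals:
                    findings.append("principal not on allowlist: " + value)
        # Role-based SSO policies should restrict the assertion with a Condition.
        if "Federated" in principal and not stmt.get("Condition"):
            findings.append("Federated principal without a Condition block")
    return sorted(types), findings

# Constructed sample: the role trusts one service and one account (placeholder values).
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": ["example-service.aliyuncs.com"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"RAM": ["acs:ram::1111111111111111:root"]}}
  ]
}
"""
ALLOWED = {"example-service.aliyuncs.com"}  # hypothetical allowlist

if __name__ == "__main__":
    kinds, issues = review_trust_policy(SAMPLE_POLICY, ALLOWED)
    print("trusted entity types:", kinds)
    for issue in issues:
        print("finding:", issue)
```

Any principal that can assume the role inherits the permissions that the MaxCompute project grants to it, so an unexpected account or service in the trust policy is worth resolving before the role is added to the project in step 2.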