All Products
Document Center

Allow MaxCompute to access Table Store across accounts

Last Updated: Jul 31, 2019

This article describes how Table Store and MaxCompute on different accounts be seamlessly connected. For information about enabling communication between Table Store and MaxCompute within the same account, see Allow MaxCompute to access Table Store using one account.


Grant the account owner of MaxCompute (account B) access permissions to table data owned by the Table Store account owner (account A). An example scenario is as follows:

Note: The following information is for reference only.

Item Table Store MaxCompute
Primary Account Name Account A Account B
UserId 12345 56789

Preparation for enabling MaxCompute to access Table Store owned by a different account:

  1. Log on as account B, activate the MaxCompute service and then create a MaxCompute project.

  2. Create an AccessKey for Account A and for Account B.

  3. Use Account A to log on to the RAM console, and create a user role on the Roles page.

    In this example, the created role is named AliyunODPSRoleForOtherUser.

  4. Click the role name to enter Role Details page.

  5. Click Edit basic information on the Role Details page to set the policy content.

    The policy content is specified as follows.

    1. {
    2. "Statement": [
    3. {
    4. "Action": "sts:AssumeRole",
    5. "Effect": "Allow",
    6. "Principal": {
    7. "Service": [
    8. ""
    9. ]
    10. }
    11. }
    12. ],
    13. "Version": "1"
    14. }

    Note: Replace 1xxxx with your UID in the preceding policy content.

  6. On the Role Details page, view the role Arn.

    role details

  7. Create an authorization policy in Policies page.

    In this example, the authorization policy is named AliyunODPSRolePolicyForOtherUser.

    Create an authorization policy

    The policy content is specified as follows.

    1. {
    2. "Version": "1",
    3. "Statement": [
    4. {
    5. "Action": [
    6. "ots:ListTable",
    7. "ots:DescribeTable",
    8. "ots:GetRow",
    9. "ots:PutRow",
    10. "ots:UpdateRow",
    11. "ots:DeleteRow",
    12. "ots:GetRange",
    13. "ots:BatchGetRow",
    14. "ots:BatchWriteRow",
    15. "ots:ComputeSplitPointsBySize"
    16. ],
    17. "Resource": "*",
    18. "Effect": "Allow"
    19. }
    20. ]
    21. }

    Note: You can also specify other permissions, such as CreateTable.

  8. Grant the permission AliyunODPSRolePolicyForOtherUser to the role AliyunODPSRoleForOtherUser in Roles page.


  9. Create an instance and create a table in the Table Store console.

    In this example, the Table Store instance and the table are created as follows:

    • Instance name: cap1
    • Data table name: vehicle_track
    • Primary key information: vid (integer), gt (integer)
    • Endpoint:

      Note: We recommend that you use the Table Store intranet address when accessing Table Store using MaxCompute.

    • Set the network type of the instance to Any Network.

      Network type

Allow MaxCompute to Access Table Store across accounts

Repeat the steps described in Allow MaxCompute to access Table Store under the same account. You must specify a roleArn when creating an external table for cross-account access.

Log on as account B and create an external table in MaxCompute. When creating the external table, specify the role Arn that you created in the preceding Preparation step.

For detailed steps, see Allow MaxCompute to access Table Store using one account. Use the following code when creating the external table in Step 2:

  1. CREATE EXTERNAL TABLE ads_log_ots_pt_external
  2. (
  3. vid bigint,
  4. gt bigint,
  5. longitude double,
  6. latitude double,
  7. distance double ,
  8. speed double,
  9. oil_consumption double
  10. )
  11. STORED BY 'com.aliyun.odps.TableStoreStorageHandler'
  13. 'tablestore.columns.mapping'=':vid, :gt, longitude, latitude, distance, speed, oil_consumption',
  14. ''='vehicle_track',
  15. ''='acs:ram::12345:role/aliyunodpsroleforotheruser'
  16. )
  17. LOCATION 'tablestore://'
  18. USING 'odps-udf-example.jar'