This topic describes how to authorize MaxCompute to access Object Storage Service (OSS) and Tablestore by using one-click authorization or by customizing a Resource Access Management (RAM) role. MaxCompute uses RAM and Security Token Service (STS) of Alibaba Cloud to secure data access.

STS authorization for OSS

To access OSS data by using MaxCompute external tables, you must grant OSS access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to grant OSS access permissions:
  • Method 1: If MaxCompute and OSS are within the same Alibaba Cloud account, log on to the RAM console and perform one-click authorization. We recommend that you use this method.
  • Method 2: If MaxCompute and OSS are not within the same Alibaba Cloud account, you can customize a role and grant permissions to the role.
    1. Create a RAM role.

      Log on to the RAM console by using your OSS account and create a role on the RAM Roles page in the RAM console. For example, you can create the oss-admin role.

      For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Modify the policy of the RAM role.

      On the RAM Roles page in the RAM console, click the name of the created RAM role in the RAM Role Name column. On the page that appears, click the Trust Policy Management tab and click Edit Trust Policy to modify the policy.

      For more information about how to modify a policy, see Edit the trust policy of a RAM role. The following sample code shows the content of a policy.

      If MaxCompute and OSS are not within the same Alibaba Cloud account, use the following trust policy to allow MaxCompute to assume the role and access OSS:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ID of the Alibaba Cloud account that owns the MaxCompute project@odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

      Replace ID of the Alibaba Cloud account that owns the MaxCompute project with the ID of the Alibaba Cloud account that is used to access OSS.

    3. Create a policy.

      On the Policies page in the RAM console, create a policy, such as AliyunODPSRolePolicy. The following sample code describes the policy content. You can also customize policies.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "oss:ListBuckets",
              "oss:GetObject",
              "oss:ListObjects",
              "oss:PutObject",
              "oss:DeleteObject",
              "oss:AbortMultipartUpload",
              "oss:ListParts"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

    4. Attach the created policy AliyunODPSRolePolicy to the RAM role.

      For more information about authorization, see Grant permissions to a RAM role.

STS authorization for Tablestore

To access Tablestore data by using MaxCompute external tables, you must grant Tablestore access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to grant permissions to the account:
  • Method 1: If MaxCompute and Tablestore are within the same Alibaba Cloud account, log on to the RAM console and perform one-click authorization. We recommend that you use this method.
  • Method 2: If MaxCompute and Tablestore are not within the same Alibaba Cloud account, you can customize a role and grant permissions to the role.
    1. Create a RAM role.

      Log on to the RAM console by using your Tablestore account and create a role on the RAM Roles page in the RAM console. For example, you can create the oss-adminots role.

      For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Modify the policy of the RAM role.

      On the RAM Roles page in the RAM console, click the name of the created RAM role in the RAM Role Name column. On the page that appears, click the Trust Policy Management tab and click Edit Trust Policy to modify the policy.

      If MaxCompute and Tablestore are not within the same Alibaba Cloud account, use the following trust policy to allow MaxCompute to assume the role and access Tablestore:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "UID of the Alibaba Cloud account that owns the MaxCompute project@odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

      Replace UID of the Alibaba Cloud account that owns the MaxCompute project with the ID of the Alibaba Cloud account that is used to access Tablestore.

    3. Create a policy.

      On the Policies page in the RAM console, create a policy, such as AliyunODPSRolePolicy. The following sample code shows the policy content. You can also customize policies.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ots:ListTable",
              "ots:DescribeTable",
              "ots:GetRow",
              "ots:PutRow",
              "ots:UpdateRow",
              "ots:DeleteRow",
              "ots:GetRange",
              "ots:BatchGetRow",
              "ots:BatchWriteRow",
              "ots:ComputeSplitPointsBySize"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

    4. Attach the created policy AliyunODPSRolePolicy to the RAM role.

      For more information about authorization, see Grant permissions to a RAM role.
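The two procedures above (the OSS role and the Tablestore role) produce the same two artifacts: a trust policy that should let only the MaxCompute service principal of one specific account assume the role, and a permission policy whose sample uses "Resource": "*". The following script is an added example, not code from this page or from Alibaba Cloud, that checks both before you attach them: it catches the placeholder account ID left unreplaced, a principal that is not an @odps.aliyuncs.com service principal, actions outside the intended service prefix, and the wildcard resource. The sample policies, the 16-digit account ID and the scoped resource string acs:oss:*:*:my-bucket/* are constructed for the example.

```python
import json
import re

# The trust policy on this page names "<account ID>@odps.aliyuncs.com" as the principal;
# account IDs are numeric, so anything else (e.g. an unreplaced placeholder) is a finding.
ODPS_PRINCIPAL = re.compile(r"^\d+@odps\.aliyuncs\.com$")


def _as_list(value):
    """RAM policy fields may be a single string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy_json):
    """Return findings (empty list = OK) for a role trust policy."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        if not services:
            findings.append("AssumeRole allowed without a Service principal")
        for svc in services:
            if not ODPS_PRINCIPAL.match(svc):
                findings.append(f"unexpected AssumeRole principal: {svc}")
    return findings


def check_permission_policy(policy_json, allowed_prefix):
    """Return findings for a permission policy: actions outside the expected service
    prefix ("oss:" or "ots:") and statements that grant access to every resource."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for act in _as_list(stmt.get("Action")):
            if not act.startswith(allowed_prefix):
                findings.append(f"action outside {allowed_prefix}: {act}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("Resource is '*'; scope it to the buckets or tables MaxCompute needs")
    return findings


# Constructed samples: the page's trust-policy template with a made-up account ID,
# the same template with the placeholder left in, and the page's OSS policy as given.
TRUST_OK = json.dumps({"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["1234567890123456@odps.aliyuncs.com"]}}]})
TRUST_PLACEHOLDER = TRUST_OK.replace("1234567890123456",
    "ID of the Alibaba Cloud account that owns the MaxCompute project")
OSS_WILDCARD = json.dumps({"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject"]}]})
OSS_SCOPED = OSS_WILDCARD.replace('"*"', '"acs:oss:*:*:my-bucket/*"')  # scoped to one bucket
```

Run check_permission_policy with "ots:" against the Tablestore policy from the second procedure in the same way; the placeholder check applies to both trust policies.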