This topic describes how to customize the permissions that allow MaxCompute to access Object Storage Service (OSS) and Tablestore, using the Resource Access Management (RAM) console. MaxCompute uses Alibaba Cloud RAM and Security Token Service (STS) to secure this data access: MaxCompute assumes a RAM role and obtains temporary STS credentials for the data, so no long-term AccessKey has to be embedded in the job.

STS authorization for OSS

You must authorize the account used to run MaxCompute jobs to access OSS data. You can grant the permissions in one of the following ways:
  • If MaxCompute and OSS are under the same Alibaba Cloud account, log on to the RAM console and use the one-click authorization link provided for MaxCompute.
  • Customize authorization.
    1. Create a role. Log on to the RAM console. In the left-side navigation pane, click RAM Roles and create a role such as AliyunODPSDefaultRole or AliyunODPSRoleForOtherUser. If MaxCompute and OSS are not under the same account, log on with the account that owns the OSS data, because the role must be created in that account and then trust the account that owns MaxCompute.
    2. Edit the trust policy of the role. The trust policy controls who may call sts:AssumeRole on the role; it does not grant OSS permissions (those come from the policy attached in step 3).
      -- If MaxCompute and OSS are under the same account, configure as follows:
      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
         "Service": [
           "odps.aliyuncs.com"
         ]
       }
      }
      ],
      "Version": "1"
      }
      -- If MaxCompute and OSS are not under the same account, the principal is the UID of the Alibaba Cloud account that owns MaxCompute, followed by @odps.aliyuncs.com (the UID is shown on the Account Management page of that account):
      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
         "Service": [
           "<UID of the Alibaba Cloud account that owns MaxCompute>@odps.aliyuncs.com"
         ]
       }
      }
      ],
      "Version": "1"
      }
    3. Create a custom policy, for example AliyunODPSRolePolicy, that contains the permissions required for accessing OSS. The following policy grants the OSS actions MaxCompute uses on every bucket in the account ("Resource": "*"); for a production setup, narrow Resource to the specific buckets the jobs read and write, and add other permissions only if the jobs need them.
      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
         "oss:ListBuckets",
         "oss:GetObject",
         "oss:ListObjects",
         "oss:PutObject",
         "oss:DeleteObject",
         "oss:AbortMultipartUpload",
         "oss:ListParts"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
    4. Attach the AliyunODPSRolePolicy policy to the role. The role is now usable by MaxCompute: the trust policy lets MaxCompute assume it, and the attached policy defines what the assumed role may do in OSS.

STS authorization for Tablestore

You must authorize the account used to run MaxCompute jobs to access Tablestore data. You can grant the permissions in one of the following ways:
  • If MaxCompute and Tablestore are under the same Alibaba Cloud account, log on to the RAM console and use the one-click authorization link provided for MaxCompute.
  • Customize authorization.
    1. Create a role.

      Log on to the RAM console. In the left-side navigation pane, click RAM Roles and create a role such as AliyunODPSDefaultRole or AliyunODPSRoleForOtherUser. If MaxCompute and Tablestore are not under the same account, log on with the account that owns the Tablestore data, because the role must be created in that account and then trust the account that owns MaxCompute.

    2. Edit the trust policy of the role. The trust policy controls who may call sts:AssumeRole on the role; the Tablestore permissions themselves are granted by the policy attached in step 3.
      -- If MaxCompute and Tablestore are under the same account, configure as follows:
      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
         "Service": [
           "odps.aliyuncs.com"
         ]
       }
      }
      ],
      "Version": "1"
      }
      -- If MaxCompute and Tablestore are not under the same account, configure as follows:
      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
         "Service": [
           "<UID of the Alibaba Cloud account that owns MaxCompute>@odps.aliyuncs.com"
         ]
       }
      }
      ],
      "Version": "1"
      }
      Note: To find this UID, click the avatar in the upper-right corner of the console to open the Account Management page, which shows the UID of the current Alibaba Cloud account. Use the UID of the account that owns MaxCompute, not the UID of the account that owns Tablestore.
    3. Create a custom policy, for example AliyunODPSRolePolicy, with the Tablestore permissions the jobs need. The following policy grants the Tablestore actions MaxCompute uses on every instance and table in the account ("Resource": "*"); narrow Resource to the instances and tables the jobs actually use where possible.
      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
         "ots:ListTable",
         "ots:DescribeTable",
         "ots:GetRow",
         "ots:PutRow",
         "ots:UpdateRow",
         "ots:DeleteRow",
         "ots:GetRange",
         "ots:BatchGetRow",
         "ots:BatchWriteRow",
         "ots:ComputeSplitPointsBySize"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
      -- You can also add other permissions, or remove write actions such as ots:PutRow, ots:UpdateRow, ots:DeleteRow, and ots:BatchWriteRow if the jobs only read from Tablestore.
    4. Attach the AliyunODPSRolePolicy policy to the role. The role is now usable by MaxCompute: the trust policy lets MaxCompute assume it, and the attached policy defines what the assumed role may do in Tablestore.
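The two procedures above (OSS and Tablestore) produce the same two documents: a trust policy that names MaxCompute as the principal allowed to assume the role, and a permission policy listing the service actions. The following Python script is an example added to this page, not tooling from MaxCompute or Alibaba Cloud. It generates both documents for the same-account and cross-account cases, scopes the Resource to named buckets or instances instead of "*", and reviews a policy for over-broad grants before you paste it into the RAM console. The OSS resource format acs:oss:*:*:<bucket> and acs:oss:*:*:<bucket>/* is the standard RAM form; the Tablestore resource format acs:ots:*:*:instance/<name>/table/* is an assumption to verify against the RAM documentation for your region, and the bucket, instance, and UID values are constructed samples.

```python
"""Build and review the RAM policies that let MaxCompute reach OSS / Tablestore.

Example added to this page (not MaxCompute's own tooling). It emits the trust
policy and permission policy as JSON to paste into the RAM console, and flags
policies that grant more than a MaxCompute job needs.
"""
import json
import re

ODPS_SERVICE = "odps.aliyuncs.com"

# Actions listed on the page for each service.
OSS_ACTIONS = ["oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject",
               "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListParts"]
OTS_ACTIONS = ["ots:ListTable", "ots:DescribeTable", "ots:GetRow", "ots:PutRow",
               "ots:UpdateRow", "ots:DeleteRow", "ots:GetRange", "ots:BatchGetRow",
               "ots:BatchWriteRow", "ots:ComputeSplitPointsBySize"]

# Assumption: Alibaba Cloud account IDs (UIDs) are 16-digit numbers.
UID_RE = re.compile(r"^\d{16}$")


def trust_policy(maxcompute_uid=None):
    """Trust policy for the role (who may call sts:AssumeRole on it).

    Same account: the principal is the MaxCompute service itself.
    Cross account: the principal is "<UID>@odps.aliyuncs.com", where <UID> is the
    account that owns MaxCompute; the role itself lives in the data-owning account.
    """
    if maxcompute_uid is None:
        principal = ODPS_SERVICE
    else:
        if not UID_RE.match(str(maxcompute_uid)):
            raise ValueError(f"not a 16-digit account UID: {maxcompute_uid!r}")
        principal = f"{maxcompute_uid}@{ODPS_SERVICE}"
    return {"Version": "1",
            "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": [principal]}}]}


def oss_policy(buckets=None):
    """OSS permission policy. With no buckets it matches the page ("Resource": "*");
    with buckets it is scoped to those buckets and the objects inside them."""
    if buckets:
        resource = []
        for b in buckets:
            resource += [f"acs:oss:*:*:{b}", f"acs:oss:*:*:{b}/*"]
    else:
        resource = "*"
    return {"Version": "1",
            "Statement": [{"Action": list(OSS_ACTIONS), "Resource": resource, "Effect": "Allow"}]}


def ots_policy(instances=None):
    """Tablestore permission policy, optionally scoped to named instances.
    Assumption: Tablestore resources are written acs:ots:*:*:instance/<name>/table/<table>."""
    if instances:
        resource = [f"acs:ots:*:*:instance/{i}/table/*" for i in instances]
    else:
        resource = "*"
    return {"Version": "1",
            "Statement": [{"Action": list(OTS_ACTIONS), "Resource": resource, "Effect": "Allow"}]}


def review_policy(policy, allowed_services=("oss", "ots")):
    """Return a list of findings for over-broad grants (an empty list means clean)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' covers every bucket/instance in the account")
        for a in actions:
            service, _, verb = a.partition(":")
            if a == "*" or verb == "*":
                findings.append(f"statement {i}: wildcard action {a!r}")
            elif service not in allowed_services:
                findings.append(f"statement {i}: action {a!r} is outside {allowed_services}")
    return findings


def render(policy):
    """JSON text to paste into the RAM console policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(trust_policy("1234567890123456")))   # constructed sample UID
    print(render(oss_policy(["maxcompute-extern"])))  # constructed bucket name
    for finding in review_policy(oss_policy()):       # the page's "*" policy
        print("WARNING:", finding)
```

Running the script prints a cross-account trust policy, a bucket-scoped OSS policy, and one warning for the page's wildcard policy. If you keep "Resource": "*" as on the page, the role can reach every bucket or instance in the data-owning account, so keeping the action list minimal matters even more; a read-only job should also drop the Put/Delete/Write actions before the policy is attached.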