This topic describes how to assign a Resource Access Management (RAM) role to an account that uses Realtime Compute for Apache Flink in exclusive mode.

Assign a RAM role to an account

You must assign a RAM role to your Alibaba Cloud account before you use Realtime Compute for Apache Flink.

  1. Click Authorize to go to the authorization page.
    Note If the default RAM role has not been assigned to your Alibaba Cloud account, a message that prompts you to authorize appears when you use Realtime Compute for Apache Flink.
  2. Click AliyunStreamDefaultRole and click Authorize.
    Note After your account is assigned the RAM role, refresh the page in the Realtime Compute for Apache Flink console. Then, you can perform operations in the console.

View the authorization information about the current role

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles. On the page that appears, click AliyunStreamDefaultRole in the RAM Role Name column.
  3. On the AliyunStreamDefaultRole page, click AliyunStreamRolePolicy in the Policy column on the Permissions tab.
  4. On the Policy Document tab, view the current policy information of Realtime Compute for Apache Flink.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ots:List*",
            "ots:DescribeTable",
            "ots:Get*",
            "ots:*Row"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dhs:Create*",
            "dhs:List*",
            "dhs:Get*",
            "dhs:PutRecords",
            "dhs:DeleteTopic"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*",
            "log:Get*",
            "log:Post*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "mns:List*",
            "mns:Get*",
            "mns:Send*",
            "mns:Publish*",
            "mns:Subscribe"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "drds:DescribeDrdsInstance",
            "drds:ModifyDrdsIpWhiteList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "rds:Describe*",
            "rds:ModifySecurityIps*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:AttachNetworkInterface",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:CreateNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "oss:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

Attach a policy to a RAM role

After you create a RAM role, you can attach a specific policy to the RAM role.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. Click Create Policy.
  4. On the page that appears, specify Policy Name and Note. In this example, AliyunStreamDefaultRolePolicy is used as the policy name.
  5. Set Configuration Mode to Visualized or Script.
    • If you set Configuration Mode to Visualized, click Add Statement. In the Add Statement panel, configure the Permission Effect, Actions, and Resources parameters.
    • If you set Configuration Mode to Script, edit the policy script by following the instructions provided in Policy structure and syntax.
  6. In the code editor below Policy Document, enter the following code and click OK:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:AttachNetworkInterface",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:CreateNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    Note You can delete the following permissions after you create a cluster:
    • ecs:CreateSecurityGroup
    • ecs:AuthorizeSecurityGroup
  7. In the left-side navigation pane, click RAM Roles. On the page that appears, find AliyunStreamDefaultRole in the RAM role list and click Add Permissions in the Actions column.
  8. In the Add Permissions panel, click Custom Policy in the Select Policy section, and enter AliyunOSSFullAccess in the search box below Custom Policy.
  9. Click AliyunOSSFullAccess in the Authorization Policy Name column.
  10. In the Select Policy section, click Custom Policy.
  11. In the search box below Custom Policy of the Select Policy section, enter AliyunStreamDefaultRolePolicy.
  12. Click AliyunStreamDefaultRolePolicy in the Authorization Policy Name column.
  13. Click OK.
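As an added example (not part of the Alibaba Cloud documentation or any tooling of the service), the Python below audits a RAM policy document such as the two shown on this page for service-wide wildcard grants like "oss:*" on Resource "*", and produces the trimmed policy that the note under step 6 describes, with ecs:CreateSecurityGroup and ecs:AuthorizeSecurityGroup removed after the cluster is created. The sample policy is constructed from the page's policy documents; the function and constant names are assumptions of this example.

```python
import copy

# Constructed sample: the custom policy from step 6, plus the "oss:*"
# statement from the default AliyunStreamRolePolicy shown earlier.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
                    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:CreateNetworkInterfacePermission"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "oss:*", "Resource": "*", "Effect": "Allow"},
    ],
}

# Permissions the procedure says are only needed while the cluster is created.
CLUSTER_CREATE_ONLY = {"ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup"}


def _as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def service_wide_grants(policy):
    """Return Allow actions of the form 'svc:*' (or '*') granted on Resource '*'.

    Review these first: they hand the role every API of a service on every
    resource in the account.
    """
    if policy.get("Version") != "1":
        raise ValueError("expected a version 1 RAM policy document")
    found = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "*" not in _as_list(st["Resource"]):
            continue
        found.extend(a for a in _as_list(st["Action"])
                     if a == "*" or a.endswith(":*"))
    return sorted(found)


def trim_after_cluster_creation(policy):
    """Copy the policy without the create-time-only ECS actions; drop emptied statements."""
    trimmed = copy.deepcopy(policy)
    kept = []
    for st in trimmed["Statement"]:
        actions = [a for a in _as_list(st["Action"]) if a not in CLUSTER_CREATE_ONLY]
        if actions:
            st["Action"] = actions
            kept.append(st)
    trimmed["Statement"] = kept
    return trimmed
```

Paste the returned policy into the Policy Document editor as the updated AliyunStreamDefaultRolePolicy once the cluster exists; the input policy is left unchanged.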