
AnalyticDB for MySQL:Perform authorization

Last Updated:Feb 26, 2024

Before you access cloud resources within an Alibaba Cloud account or across Alibaba Cloud accounts as a Resource Access Management (RAM) user, you must perform authorization based on different scenarios. To access cloud resources within an Alibaba Cloud account, you must grant the AliyunADBSparkProcessingDataRole permission to the RAM user. To access cloud resources across Alibaba Cloud accounts, you must grant permissions to other Alibaba Cloud accounts. This topic describes how to perform authorization within an Alibaba Cloud account and across Alibaba Cloud accounts.

Prerequisites

An AnalyticDB for MySQL Data Lakehouse Edition (V3.0) cluster is created. For more information, see Create a cluster.

Permissions that are required for Spark jobs

When you submit a Spark job, you must have the following permissions:

  • AliyunADBFullAccess: allows RAM users to manage AnalyticDB for MySQL clusters. For more information, see the "Grant permissions to a RAM user" section of the Manage RAM users and permissions topic.

  • Permissions to read and write AnalyticDB for MySQL databases and tables: By default, AnalyticDB for MySQL uses database accounts to manage databases and tables. When you submit a Spark job that needs to read or write data as a RAM user, you must associate a standard database account with the RAM user. For more information, see Associate or disassociate a database account with or from a RAM user.

  • AliyunADBSparkProcessingDataRole: allows AnalyticDB for MySQL Spark to access other cloud resources such as Object Storage Service (OSS) and Tablestore. For more information, see the "Perform authorization within an Alibaba Cloud account" section of this topic.

Perform authorization within an Alibaba Cloud account

Before you perform authorization within an Alibaba Cloud account, you must create a RAM user. For more information, see Create a RAM user.

  1. Go to the authorization page.

  2. In the lower-left corner of the page, click Agree to Authorization to grant the AliyunADBSparkProcessingDataRole permission to the RAM role.

    After you grant the permission to the RAM role, a service role named AliyunADBSparkProcessingDataRole is automatically created to allow AnalyticDB for MySQL to access other cloud resources.

Important

Only Alibaba Cloud accounts are allowed to grant the preceding permission to RAM users.

Perform authorization across Alibaba Cloud accounts

In this example, Alibaba Cloud account A (ID: testAccountID) wants to access data of Alibaba Cloud account B (ID: testAccountID1).

Step 1: Create a RAM role for Alibaba Cloud account B and grant permissions to the role

  1. Create a RAM role and allow Alibaba Cloud account A to assume the RAM role.

    Note

    If you already created a RAM role and allowed Alibaba Cloud account A to assume the role, you can skip this step.

    1. Use Alibaba Cloud account B or the RAM administrator to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

    5. Configure the RAM role.

      1. Specify a name for the RAM role in the Role Name field. In this example, admin-oss is specified.

      2. (Optional) Enter a description in the Note field.

      3. Select Other Alibaba Cloud Account for the Select Trusted Alibaba Cloud Account parameter and enter the ID of Alibaba Cloud account A (testAccountID).

    6. Click Finished.

  2. Grant permissions to the RAM role.

    1. Find the RAM role and click Input and Attach in the Actions column.

    2. In the Precise Permission panel, set the Type parameter to System Policy or Custom Policy and enter a policy name.

    3. Click OK.

    4. Click Close.

  3. Modify the trust policy to allow a RAM user that belongs to Alibaba Cloud account A to assume the RAM role.

    1. On the Roles page, click the name of the RAM role.

    2. On the Basic Information page of the RAM role, click the Trust Policy Management tab.

    3. Click Edit Trust Policy. Copy and paste the following code to the code editor:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::testAccountID:root"
              ]
            }
          },
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "testAccoun***@ads.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

Step 2: Create a RAM user for Alibaba Cloud account A and allow the RAM user to assume the RAM role

  1. Create a RAM user.

    1. Use Alibaba Cloud account A or the RAM administrator to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. In the User Account Information section of the Create User page, configure the following parameters:

      • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

      • Display Name: The display name can be up to 128 characters in length.

      • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

      Note

      You can click Add User to create multiple RAM users at a time.

    5. In the Access Mode section, select Console Password Logon and configure the logon security settings. The settings specify whether to use a system-generated or custom logon password, reset the password upon the next logon, and enable multi-factor authentication (MFA). For more information, see the "Console Access" section of the Create a RAM user topic.

    6. Click OK.

  2. Create a policy that allows the RAM user to assume any role.

    1. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, click Create Policy.

    2. On the Create Policy page, click the JSON tab and enter the following code:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

    3. Click Next to edit policy information. On the page that appears, configure the Name and Description parameters for the policy.

    4. Click OK.

  3. Attach the policy to the RAM user.

    1. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

    2. In the Add Permissions panel, add the created policy to the Selected section.

    3. Click OK.

    4. Click Complete.
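As an added example that is not part of this topic or of Alibaba Cloud's tooling, the following Python check reads the Step 1 trust policy and the Step 2 ram:PassRole policy as written above: it lists which principals may assume the role, flags any trusted RAM account other than account A, and reports PassRole statements that use Resource "*". The scoped_passrole_policy helper and the role ARN format acs:ram::<account-id>:role/<name> it builds are assumptions.

```python
import json

# Constructed samples copied from this topic: the Step 1 trust policy on the role in
# account B (testAccountID1) and the Step 2 ram:PassRole policy in account A (testAccountID).
TRUST_POLICY = json.loads("""{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::testAccountID:root"]}},
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["testAccoun***@ads.aliyuncs.com"]}}
  ],
  "Version": "1"
}""")
PASSROLE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"}]
}""")


def _as_list(value):
    # RAM policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Return (ram_principals, service_principals) allowed to call sts:AssumeRole."""
    ram, service = set(), set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        ram.update(_as_list(principal.get("RAM", [])))
        service.update(_as_list(principal.get("Service", [])))
    return ram, service


def unexpected_trusted_accounts(trust_policy, expected_account_id):
    """RAM principals in the trust policy other than the account we meant to trust."""
    ram, _ = trusted_principals(trust_policy)
    return sorted(p for p in ram if p != f"acs:ram::{expected_account_id}:root")


def passrole_wildcard_statements(policy):
    """Allow statements that grant ram:PassRole on Resource "*" (every role, not only admin-oss)."""
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and "ram:PassRole" in _as_list(s.get("Action"))
            and "*" in _as_list(s.get("Resource"))]


def scoped_passrole_policy(account_id, role_name):
    """Assumed least-privilege variant: ram:PassRole limited to one role ARN."""
    return {"Version": "1", "Statement": [{"Action": "ram:PassRole", "Effect": "Allow",
                                          "Resource": f"acs:ram::{account_id}:role/{role_name}"}]}
```

Running the two checks against the policies from this topic returns no unexpected trusted account for testAccountID and one wildcard PassRole statement; the scoped variant returns none.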
