
AnalyticDB:Grant permissions to a RAM user

Last Updated:May 22, 2025

If you want to access other cloud resources as a Resource Access Management (RAM) user, you must grant the required permissions to the RAM user based on the specific scenario (within an Alibaba Cloud account or across Alibaba Cloud accounts). This topic describes how to grant permissions within an Alibaba Cloud account and across Alibaba Cloud accounts.

Prerequisites

An AnalyticDB for MySQL Enterprise Edition, Basic Edition, or Data Lakehouse Edition cluster is created.

Permissions required for Spark jobs

When you submit a Spark job, you must have the following permissions:

  • AliyunADBFullAccess: allows RAM users to manage AnalyticDB for MySQL clusters. For more information, see the "Grant permissions to a RAM user" section of the RAM users and permissions topic.

  • Permissions to read and write AnalyticDB for MySQL databases and tables: By default, AnalyticDB for MySQL uses database accounts to manage databases and tables. When you submit a Spark job that needs to read or write data as a RAM user, you must associate a standard database account with the RAM user. For more information, see Associate or disassociate a database account with or from a RAM user.

  • AliyunADBSparkProcessingDataRole: allows AnalyticDB for MySQL Spark to access other cloud resources, such as Object Storage Service (OSS) and Tablestore. For more information, see the "Grant permissions within an Alibaba Cloud account" section of this topic.

Grant permissions within an Alibaba Cloud account

Prerequisites

A RAM user is created.

Procedure

Grant permissions in the RAM console (recommended)

Step 1: Create a RAM role and grant permissions to the role

  1. Create a RAM role.

    Note

    If you have created a RAM role with the Principal Type parameter being Cloud Service and the Principal Name parameter being AnalyticDB for MySQL, skip this step.

    1. Log on to the RAM console as a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.


    4. On the Create Role page, set the Principal Type parameter to Cloud Service, select AnalyticDB for MySQL from the Principal Name drop-down list, and then click OK.

    5. In the Create Role dialog box, configure the Role Name parameter and click OK.

  2. Grant permissions to the RAM role.

    1. On the Permissions tab, click Precise Permission.

    2. In the Precise Permission dialog box, set Policy Type to System Policy or Custom Policy and enter a policy name.

      If you want to access only specific resources, you must create a custom policy. For information about how to create a custom policy, see Create custom policies.

    3. Click OK.

Step 2: Submit a Spark job

After you create a RAM role and grant permissions to the role in the RAM console, specify the spark.adb.roleArn parameter when you submit a Spark job to ensure that the Spark job runs normally. Example:

{
  "comments": [
    "-- Here is just an example of using LakeCache. Modify the content and run your spark program."
  ],
  "args": ["oss://testBucketName/data/readme.txt"],
  "name": "spark-oss-test",
  "file": "oss://testBucketName/data/example.py",
  "conf": {
    "spark.adb.lakecache.enabled": "true",
    "spark.adb.roleArn": "acs:ram::testAccountID:role/adbtest"
  }
}
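A pre-flight check on the job document catches the two mistakes that make a submission fail silently on permissions: a missing or malformed spark.adb.roleArn, and an ARN that points at the wrong account (in the cross-account setup it must name account B's role). This Python check is an added example, not code from the AnalyticDB documentation; the ARN shape acs:ram::<account id>:role/<role name> follows the example above, and the bucket, account and role names are the page's placeholders.

```python
import json
import re

# Shape of the value given to spark.adb.roleArn: acs:ram::<account id>:role/<role name>
ROLE_ARN_RE = re.compile(r"^acs:ram::(?P<account>[^:/]+):role/(?P<role>[^/]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name), or None when the ARN is malformed."""
    m = ROLE_ARN_RE.match(arn)
    return (m.group("account"), m.group("role")) if m else None


def check_spark_job(job, expected_account):
    """Pre-flight checks on a Spark job document before it is submitted.

    expected_account is the account whose RAM role the job must assume: your
    own account, or account B in the cross-account setup. Returns a list of
    problems; an empty list means the roleArn configuration looks right.
    """
    conf = job.get("conf", {})
    arn = conf.get("spark.adb.roleArn")
    if arn is None:
        return ["conf lacks spark.adb.roleArn"]
    parsed = parse_role_arn(arn)
    if parsed is None:
        return [f"malformed role ARN: {arn}"]
    account, _role = parsed
    if account != expected_account:
        return [f"role ARN belongs to account {account}, expected {expected_account}"]
    return []


# Constructed sample modelled on the example above (bucket, account and role are placeholders).
SAMPLE_JOB = {
    "args": ["oss://testBucketName/data/readme.txt"],
    "name": "spark-oss-test",
    "file": "oss://testBucketName/data/example.py",
    "conf": {
        "spark.adb.lakecache.enabled": "true",
        "spark.adb.roleArn": "acs:ram::testAccountID:role/adbtest",
    },
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_JOB, indent=2))  # valid JSON, ready to submit
    print(check_spark_job(SAMPLE_JOB, "testAccountID"))  # []
```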

Perform quick authorization

Warning

After you perform authorization within an Alibaba Cloud account, the AliyunADBSparkProcessingDataRolePolicy policy is attached to the AliyunADBSparkProcessingDataRole role. The policy has permissions to access cloud resources, such as OSS, Tablestore, and Data Management (DMS). In this case, excessive permissions may be granted. We recommend that you revoke the permissions of AliyunADBSparkProcessingDataRolePolicy after authorization and grant permissions of only the cloud resources required for your business to the AliyunADBSparkProcessingDataRole role.

  1. Go to the quick authorization page.

  2. In the lower-left corner of the page, click Authorize.

    After you grant the permission to the RAM role, a service role named AliyunADBSparkProcessingDataRole is automatically created to allow AnalyticDB for MySQL to access other cloud resources.

Grant permissions across Alibaba Cloud accounts

AnalyticDB for MySQL Spark allows you to access all cloud resources of other Alibaba Cloud accounts. This section describes how to authorize a RAM user that belongs to Alibaba Cloud account A (ID: testAccountID) to access data of Alibaba Cloud account B (ID: testAccountID1).

Step 1: Create a RAM role for Alibaba Cloud account B and grant permissions to the role

  1. Create a RAM role and allow Alibaba Cloud account A to assume the RAM role.

    Note

    If you already created a RAM role and allowed Alibaba Cloud account A to assume the role, you can skip this step.

    1. Use Alibaba Cloud account B or the RAM administrator to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. On the Create Role page, set the Principal Type parameter to Cloud Account, specify Alibaba Cloud account A (the account that will assume the role), and then click OK.

    5. In the Create Role dialog box, configure the Role Name parameter and click OK.

    6. Click OK.

  2. Grant permissions to the RAM role.

    1. On the Permissions tab, click Precise Permission.

    2. In the Precise Permission dialog box, set Policy Type to System Policy or Custom Policy and enter a policy name.

      If you want to access a resource in a specific virtual private cloud (VPC), you must create a custom policy and use the Resource parameter to specify the security group to which the resource belongs and the vSwitch to which the resource is connected. For information about how to create a custom policy, see Create custom policies.

      In this example, a custom policy named eni_policy that allows you to access only an ApsaraDB RDS for MySQL instance in a specific VPC is created.

      Note

      You must add the ApsaraDB RDS for MySQL instance to a security group and configure inbound and outbound security group rules that allow requests from the port of the ApsaraDB RDS for MySQL instance.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ecs:*",
                  "Resource": "acs:ecs:*:*:securitygroup/<ID of the security group to which the ApsaraDB RDS for MySQL instance belongs>"
              },
              {
                  "Effect": "Allow",
                  "Action": "vpc:*",
                  "Resource": "acs:vpc:*:*:vswitch/<ID of the vSwitch to which the ApsaraDB RDS for MySQL instance is connected>"
              }
          ]
      }

    3. Click OK.

    4. Click Close.

  3. Modify the trust policy to allow a RAM user that belongs to Alibaba Cloud account A to assume the RAM role.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, click the name of the RAM role that you created.

    3. On the Trust Policy tab, click Edit Trust Policy.

    4. In the code editor, modify the content of the trust policy and click OK.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::testAccountID:root"
              ]
            }
          },
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "testAccountID@ads.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

Step 2: Create a RAM user for Alibaba Cloud account A and allow the RAM user to assume the RAM role

  1. Create a RAM user.

    1. Use Alibaba Cloud account A or the RAM administrator to log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, click Create User.

    4. In the User Account Information section of the Create User page, configure the following parameters:

      • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

      • Display Name: The display name can be up to 128 characters in length.

      • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

      Note

      You can click Add User to create multiple RAM users at a time.

    5. In the Access Mode section, select Console Access and configure the logon security settings. The settings specify whether to use a system-generated or custom logon password, reset the password upon the next logon, and enable multi-factor authentication (MFA). For more information, see the "Console Access" section of the Create a RAM user topic.

    6. Click OK.

  2. Create a policy that allows the RAM user to assume any role.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab.

    4. Enter the policy content in the code editor and click OK.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "ram:PassRole",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }

    5. In the Create Policy dialog box, configure the Name and Description parameters and click OK.

  3. Attach the policy to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, select the policy that you created.

    4. Click Grant permissions.

    5. Click Close.
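Two policies in this cross-account procedure decide who can end up with account B's data access: the trust policy edited in Step 1 (which principals may assume the role) and the ram:PassRole policy created in Step 2 (which roles the RAM user may hand to AnalyticDB). The following Python audit is an added example, not code from the Alibaba Cloud documentation; it assumes the trust-policy layout shown above (Principal.RAM and Principal.Service lists) and uses the page's placeholder account IDs.

```python
def _as_list(v):
    """Action, Resource and principal entries in a RAM policy may be a string or a list."""
    return v if isinstance(v, list) else [v]


def trust_policy_findings(trust_policy, account_a):
    """Audit account B's trust policy for the cross-account setup on this page.

    The role should be assumable only by account A's RAM root principal and by
    account A's AnalyticDB service principal; anything else, or a missing one,
    is reported.
    """
    want = (f"acs:ram::{account_a}:root", f"{account_a}@ads.aliyuncs.com")
    seen, findings = set(), []
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        for p in _as_list(principal.get("RAM", [])) + _as_list(principal.get("Service", [])):
            if p in want:
                seen.add(p)
            else:
                findings.append(f"unexpected principal may assume the role: {p}")
    findings += [f"missing principal: {p}" for p in want if p not in seen]
    return findings


def passrole_findings(policy):
    """Flag ram:PassRole grants whose Resource is a wildcard instead of one role ARN."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "ram:PassRole" not in _as_list(st.get("Action", [])):
            continue
        for r in _as_list(st.get("Resource", [])):
            if r == "*" or r.endswith("/*"):
                findings.append(f"ram:PassRole allowed on wildcard resource: {r}")
    return findings


# Constructed samples mirroring the two policies above (account IDs are the page's placeholders).
TRUST_POLICY = {"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"RAM": ["acs:ram::testAccountID:root"]}},
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["testAccountID@ads.aliyuncs.com"]}},
]}
PASSROLE_POLICY = {"Version": "1", "Statement": [
    {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow"}]}

if __name__ == "__main__":
    print(trust_policy_findings(TRUST_POLICY, "testAccountID"))  # []
    print(passrole_findings(PASSROLE_POLICY))
```

Replacing the wildcard with the ARN of the one role in account B (acs:ram::<account B ID>:role/<role name>) removes the PassRole finding while keeping the procedure working.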
