Access MaxCompute or Hologres resources owned by another Alibaba Cloud account by adding them as data sources in DataWorks. Cross-account access uses a Resource Access Management (RAM) role: Account B (the resource owner) grants the role access to its project or database, and Account A (the DataWorks operator) uses that role to connect.
Workflow overview:
| Step | Who acts | What happens |
|---|---|---|
| Step 1 | Account B | Creates a RAM role, establishes a trust relationship with Account A, and grants the role access to the target resource (MaxCompute or Hologres) |
| Step 2 | Account A | Adds the cross-account data source in DataWorks using the RAM role from Account B |
Limitations
Cross-account data sources cannot be used for data development or scheduling. To perform data development, create a data source within your own account. For MaxCompute, see Add a MaxCompute compute engine. For Hologres, see Add a Hologres compute engine.
Cross-account access requires a RAM role. No other access method is supported.
Prerequisites
Before you begin, make sure that you have:
Two Alibaba Cloud accounts: Account A (the DataWorks operator who adds the data source) and Account B (the resource owner who provides access)
The target resource created in Account B:
For MaxCompute access: a MaxCompute project. See Create a MaxCompute project
For Hologres access: a Hologres instance and a database within that instance
Step 1: Create and authorize a RAM role in Account B
Account B completes this step entirely. Log in to the RAM console using Account B.
Create a RAM role and configure the trust policy
Create a RAM role with Account A as the trusted Alibaba Cloud account. For detailed steps, see Create a RAM role for a trusted Alibaba Cloud account. Key parameters: To get Account A's UID: log in to the console using Account A and move the pointer over the profile picture in the top menu bar.
NoteAccount A assumes this RAM role to access resources in Account B. If the RAM role also needs to access DataWorks in Account A, redefine the role policy. See Define a policy for a RAM role.
Parameter Value Principal type Alibaba Cloud Account Principal name Select Other Alibaba Cloud Account, then enter the UID of Account A Role name testRole(or any name you choose)
Update the trust policy to allow the DataWorks service of Account A to assume this role. On the role details page, go to the Policy Document tab and click Edit Policy Document. Replace the content with the following, substituting
<Account-A-UID>with Account A's actual UID:{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "<Account-A-UID>@engine.dataworks.aliyuncs.com" ] } } ], "Version": "1" }For more information, see Modify the trust policy of a RAM role.
Grant the RAM role access to the target resource
Select the tab that matches the resource type you want to share.
For MaxCompute
In Account B, connect to the target MaxCompute project. Use the SQL analysis feature in the MaxCompute console, or another supported connection tool. For a full list of options, see Select a connection tool.
Add the RAM role as a user in the MaxCompute project and grant it the necessary permissions. In the SQL statements below,
<Account-B-name>is the name of Account B, and<role-name>is the RAM role name (for example,testRole):-- Add the RAM role to the MaxCompute project add user `RAM$<Account-B-name>:role/<role-name>`; -- View all users in the project list users; -- Check the permissions granted to the role show grants for `RAM$<Account-B-name>:role/<role-name>`;After adding the role, grant it the permissions that match how Account A will use the data source. For example, grant SELECT permission if Account A needs to query tables. For authorization steps, see Authorization operations.
For Hologres
In Account B's RAM console, create a custom policy with the following content and attach it to the RAM role. This policy grants the permissions required to access the Hologres instance:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "hologram:GetInstance", "hologram:DescribeInstance", "hologram:ListDatabases", "hologram:ListWarehouses", "hologram:ListInstances" ], "Resource": "*" } ] }To create the policy, see Create a custom policy. To attach it to the RAM role, see Manage permissions for a RAM role.
Add the RAM role as a database user in Hologres. Log in to the Hologres management console using Account B and open the HoloWeb interface for the target instance. For more information, see Quick start for RAM user authorization.
In Security Center, go to User Management and add the RAM role as a database user.
If the role is a regular user, go to Database Authorization in Security Center to grant database-level permissions.
Step 2: Add the cross-account data source in Account A
Account A completes this step. Log in to the DataWorks console using Account A.
Go to the Data Sources page. In the top navigation bar, select the target region. In the left-side navigation pane, choose More > Management Center. Select the target workspace and click Go to Management Center. In the left-side navigation pane of the SettingCenter page, click Data Sources.
Click Add Data Source and select MaxCompute or Hologres as the data source type.
Configure the following key parameters:
Parameter Value Alibaba Cloud Account Another Alibaba Cloud Account Region The region where the MaxCompute project or Hologres instance resides UID Of Alibaba Cloud Account The UID of Account B MaxCompute Project Name / Hologres Instance The name or ID of the target resource in Account B RAM Role The name of the RAM role created in Account B (for example, testRole)Select a resource group and test the connectivity. For network configuration details, see Connect to a data source that belongs to a different Alibaba Cloud account.
Click Complete Creation.
What's next
After creating the cross-account data source, you can:
Synchronize data from this source using Data Integration. See Data Integration.
View data source details in DataWorks Data Map. See Data Map.