
Service-linked role for DataWorks to access DLF

Last Updated: Oct 30, 2025

To manage Data Lake Formation (DLF) permissions in DataWorks, you must first grant DataWorks permissions to access DLF resources. After you grant the permissions, the system automatically creates a service-linked role named AliyunServiceRoleForDataWorksAccessDLF. This topic describes the service-linked role that is created when you authorize DataWorks to access DLF.

Use cases

The AliyunServiceRoleForDataWorksAccessDLF service-linked role is used in the following scenarios:

  • Authorize DataWorks to access DLF resources, such as catalogs, databases, tables, and fields.

  • Allow DataWorks to grant permissions on your DLF resources.

  • Allow DataWorks to revoke permissions on your DLF resources.

The AliyunServiceRoleForDataWorksAccessDLF role

  • Role name: AliyunServiceRoleForDataWorksAccessDLF

  • Policy: AliyunServiceRolePolicyForDataWorksAccessDLF

  • Description: DataWorks uses this role by default to access your DLF resources.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dlf:GetCatalog",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:GetTable",
        "dlf:GetRole",
        "dlf:ListCatalogs",
        "dlf:ListDatabases",
        "dlf:ListFunctionNames",
        "dlf:ListFunctions",
        "dlf:ListTableNames",
        "dlf:ListTables",
        "dlf:ListRoles",
        "dlf:ListRoleUsers",
        "dlf:CheckPermissions",
        "dlf:BatchGrantPermissions",
        "dlf:BatchRevokePermissions",
        "dlf:GrantPermissions",
        "dlf:RevokePermissions",
        "dlf:UpdatePermissions",
        "dlf:ListPermissions",
        "dlf-dss:GetCatalog",
        "dlf-dss:GetDatabase",
        "dlf-dss:GetFunction",
        "dlf-dss:GetTable",
        "dlf-dss:ListCatalogs",
        "dlf-dss:ListDatabases",
        "dlf-dss:ListFunctionNames",
        "dlf-dss:ListFunctions",
        "dlf-dss:ListTableNames",
        "dlf-dss:ListTables",
        "dlf-dss:ListRoleUsers",
        "dlf-dss:ListRoles",
        "dlf-dss:CheckPermissions",
        "dlf-dss:GrantPermissions",
        "dlf-dss:RevokePermissions",
        "dlf-dss:UpdatePermissions",
        "dlf-dss:ListPermissions",
        "dlf-dss:BatchGrantPermissions",
        "dlf-dss:BatchRevokePermissions",
        "dlf-dss:CreateTable",
        "dlf-dss:AlterTable",
        "dlf-dss:DropTable",
        "dlf-dss:DescribeTable",
        "dlf-dss:SelectTable",
        "dlf-dss:UpdateTable",
        "dlf-dss:DescribeDatabase",
        "dlf-dss:CreateDatabase",
        "dlf-dss:AlterDatabase",
        "dlf-dss:DropDatabase",
        "dlf-dss:DescribeFunction",
        "dlf-dss:AlterFunction",
        "dlf-dss:CreateFunction",
        "dlf-dss:DropFunction",
        "dlf-dss:ExecuteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}

Create a service-linked role

When you request access to Data Lake Formation (DLF) in access control, the system prompts you to authorize DataWorks to access DLF. After you grant the authorization, the system automatically creates the AliyunServiceRoleForDataWorksAccessDLF service-linked role in the Resource Access Management (RAM) console. For more information, see Manage permissions on DLF.

Delete the service-linked role

You can delete the service-linked role in the Resource Access Management (RAM) console. After the role is deleted, you cannot manage DLF permissions in DataWorks. For more information, see Delete a RAM role.

Permissions required for a RAM user to create the service-linked role

To allow a RAM user to create the AliyunServiceRoleForDataWorksAccessDLF service-linked role, attach the AliyunDataWorksFullAccess policy or the following policy to the RAM user.

{
    "Version": "1",
    "Statement": [
        {
            "Action": "dataworks:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
                }
            }
        }
    ]
}
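
The ram:ServiceName condition in the policy above is what limits ram:CreateServiceLinkedRole to the dlf.dataworks.aliyuncs.com service. The following check is an added example, not part of the original documentation or of any Alibaba Cloud tooling: it flags Allow statements that cover service-linked role actions without that pin. The function names and the LOOSE_POLICY variant are constructed for illustration, and treating action wildcards as shell-style patterns is an assumption of the example.

```python
import json
from fnmatch import fnmatchcase

SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def covers_slr(action_pattern):
    """True if an action pattern (exact name or wildcard) matches an SLR action."""
    return any(fnmatchcase(target, action_pattern) for target in SLR_ACTIONS)

def unscoped_slr_statements(policy, expected_service):
    """Return indexes of Allow statements that cover service-linked role
    actions without a StringEquals pin to expected_service and nothing else."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(covers_slr(a) for a in as_list(stmt["Action"])):
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if pinned is None or set(as_list(pinned)) != {expected_service}:
            findings.append(index)
    return findings

# The RAM-user policy shown on this page.
PAGE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}}}
]}
""")

# Constructed variant: the same policy with the Condition block dropped.
LOOSE_POLICY = json.loads(json.dumps(PAGE_POLICY))
del LOOSE_POLICY["Statement"][1]["Condition"]

if __name__ == "__main__":
    service = "dlf.dataworks.aliyuncs.com"
    print("page policy findings:", unscoped_slr_statements(PAGE_POLICY, service))
    print("loose policy findings:", unscoped_slr_statements(LOOSE_POLICY, service))
```

A returned index identifies the statement to review; an empty list means every statement that covers a service-linked role action is pinned to the expected service name.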