In DataWorks, a RAM user can assume a RAM role to log in and perform development tasks. This topic describes how to use role-based SSO to log in to and use DataWorks.
Background information
You can log in to DataWorks in one of the following ways:
-
Log in by using an Alibaba Cloud account
You can log in to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a RAM user and then access DataWorks. This account becomes a workspace member with the necessary permissions.
-
Log in by using a role
As enterprise security and compliance requirements become stricter, some organizations prefer to use role-based SSO to log in to and use DataWorks. With this method, a Resource Access Management (RAM) role is added as a member to a DataWorks workspace. A user who assumes this role has permissions similar to those of an Alibaba Cloud account member. For more information about roles, see RAM role overview and Overview of SAML-based role SSO.
Precautions
-
In DataWorks, only the MaxCompute and Hologres data sources support operations using a RAM role.
-
To perform the following authorization operations with a RAM user or role, you must attach the AliyunRAMFullAccess policy to the RAM user or role. For more information about how to grant permissions, see Grant permissions to a RAM user.
Step 1: Create a RAM role
-
Log on to the RAM console.
-
In the left-side navigation pane, choose .
-
Create a role.
On the Role page, click Create Role.
-
To assume the role by switching your identity in the Alibaba Cloud Management Console, select Alibaba Cloud Account as the role type. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
-
To assume the role by logging in to Alibaba Cloud by using an account from your identity provider (IdP), select Identity Provider as the role type. For more information, see Create a RAM role for a trusted IdP.
-
Step 2: Configure the trust policy
On the page, click the name of the role. On the Trust Policy tab, define the trust policy for the RAM role. The policy must allow the role to be assumed by both your intended users (RAM users or IdP users) and the DataWorks service. Select a policy below that matches your scenario.
In the following policies, replace UID with the UID of your Alibaba Cloud account and replace IDP with the name of your identity provider (IdP).
Scenario 1: RAM user assumes role
To allow a RAM user to assume a RAM role to access DataWorks, modify the trust policy of the RAM role as follows:
The following policy allows two principals, a specified RAM user and the DataWorks service, to obtain temporary credentials to assume the role. For more information about AssumeRole, see AssumeRole - Obtains temporary security credentials for a RAM role.
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::UID:root"
]
}
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"dataworks.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Scenario 2: IdP user assumes role
To allow a user from an IdP to assume a RAM role for DataWorks access, modify the trust policy of the RAM role as follows:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"saml:recipient": "https://signin.aliyun.com/saml-role/sso"
}
},
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::UID:saml-provider/IDP"
]
}
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"dataworks.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Step 3: Attach the AliyunSTSAssumeRoleAccess policy
If you use a RAM user instead of a user from an IdP to assume the RAM role, attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This policy allows the user to call the Security Token Service (STS) AssumeRole operation to obtain the role's temporary credentials. For more information about how to attach a policy, see Grant permissions to a RAM user.
If you use a user from an IdP to assume the RAM role, skip this step.
Step 4: Log in as the RAM role
This section describes how a RAM user can assume a RAM role to log in to and use DataWorks. For more information about role-based SSO, see Overview of SAML-based role SSO.
-
Log in to the DataWorks console as a RAM user.
-
Switch your identity.
After you enter the DataWorks console, hover over your profile picture in the upper-right corner and click Switch Identity to log in by using the RAM role.
Next steps
After you create a workspace, you can perform the following operations:
-
Add the RAM role to a DataWorks workspace for data development
A workspace administrator can add the RAM role as a workspace member. For more information, see Add workspace members and manage their roles and permissions.
-
Use the RAM role as the production scheduling identity in MaxCompute
When you bind a MaxCompute compute engine, configure this RAM role as the production scheduling identity. After you configure the role as the scheduling identity, do not use it for other purposes. You must also ensure that all tasks run using an exclusive scheduling resource group.