All Products
Search
Document Center

DataWorks:Log in to DataWorks with a RAM role (Advanced)

Last Updated:Jun 20, 2026

In DataWorks, a RAM user can assume a RAM role to log in and perform development tasks. This topic describes how to use role-based SSO to log in to and use DataWorks.

Background information

You can log in to DataWorks in one of the following ways:

  • Log in by using an Alibaba Cloud account

    You can log in to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a RAM user and then access DataWorks. This account becomes a workspace member with the necessary permissions.

  • Log in by using a role

    As enterprise security and compliance requirements become stricter, some organizations prefer to use role-based SSO to log in to and use DataWorks. With this method, a Resource Access Management (RAM) role is added as a member to a DataWorks workspace. A user who assumes this role has permissions similar to those of an Alibaba Cloud account member. For more information about roles, see RAM role overview and Overview of SAML-based role SSO.

Precautions

  • In DataWorks, only the MaxCompute and Hologres data sources support operations using a RAM role.

  • To perform the following authorization operations with a RAM user or role, you must attach the AliyunRAMFullAccess policy to the RAM user or role. For more information about how to grant permissions, see Grant permissions to a RAM user.

Step 1: Create a RAM role

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. Create a role.

    On the Role page, click Create Role.

Step 2: Configure the trust policy

On the Identity Management > Role page, click the name of the role. On the Trust Policy tab, define the trust policy for the RAM role. The policy must allow the role to be assumed by both your intended users (RAM users or IdP users) and the DataWorks service. Select a policy below that matches your scenario.

Note

In the following policies, replace UID with the UID of your Alibaba Cloud account and replace IDP with the name of your identity provider (IdP).

Scenario 1: RAM user assumes role

To allow a RAM user to assume a RAM role to access DataWorks, modify the trust policy of the RAM role as follows:

Note

The following policy allows two principals, a specified RAM user and the DataWorks service, to obtain temporary credentials to assume the role. For more information about AssumeRole, see AssumeRole - Obtains temporary security credentials for a RAM role.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [
                    "acs:ram::UID:root"
                ]
            }
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dataworks.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

Scenario 2: IdP user assumes role

To allow a user from an IdP to assume a RAM role for DataWorks access, modify the trust policy of the RAM role as follows:

{
   "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
                }
            },
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "acs:ram::UID:saml-provider/IDP"
                ]
            }
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dataworks.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

Step 3: Attach the AliyunSTSAssumeRoleAccess policy

If you use a RAM user instead of a user from an IdP to assume the RAM role, attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This policy allows the user to call the Security Token Service (STS) AssumeRole operation to obtain the role's temporary credentials. For more information about how to attach a policy, see Grant permissions to a RAM user.

Note

If you use a user from an IdP to assume the RAM role, skip this step.

Step 4: Log in as the RAM role

This section describes how a RAM user can assume a RAM role to log in to and use DataWorks. For more information about role-based SSO, see Overview of SAML-based role SSO.

  1. Log in to the DataWorks console as a RAM user.

  2. Switch your identity.

    After you enter the DataWorks console, hover over your profile picture in the upper-right corner and click Switch Identity to log in by using the RAM role.

Next steps

After you create a workspace, you can perform the following operations:

  • Add the RAM role to a DataWorks workspace for data development

    A workspace administrator can add the RAM role as a workspace member. For more information, see Add workspace members and manage their roles and permissions.

  • Use the RAM role as the production scheduling identity in MaxCompute

    When you bind a MaxCompute compute engine, configure this RAM role as the production scheduling identity. After you configure the role as the scheduling identity, do not use it for other purposes. You must also ensure that all tasks run using an exclusive scheduling resource group.