This topic describes how to create, modify, and delete a data lake connection (CONNECTION). It also describes how to grant other users permissions to use a connection.
This feature is available for invitational preview. To enable this feature, submit a ticket.
Embedding AccessKey pairs in job configurations or queries creates a security risk and makes credential rotation difficult. A data lake connection (CONNECTION) hosts access credentials for Alibaba Cloud services. Credentials are encrypted and stored in the global meta service. You can delegate a CONNECTION to authorize access to external storage in scenarios such as data discovery and foreign table computing — no plaintext AccessKey pairs required.
Use cases
- Run OSS data discovery tasks without embedding credentials in the task configuration.
- Create and query OSS foreign tables using a CONNECTION as the authorization source.
Limitations
- Supported regions: China (Beijing) and China (Shenzhen) only.
- Permission requirements: Only an Alibaba Cloud account or a user with the tenant-level Connection_Admin role can create and manage CONNECTIONs.

| Role | Permissions |
|---|---|
| Connection_Admin | List, view, create, update, delete, and use connections. Grant the Connection_User role to other users. |
| Connection_User | View and use connections. |
Prerequisites
Before you begin, make sure you have:
- An Alibaba Cloud account or a RAM user with the tenant-level Connection_Admin role
- A RAM role with OSS access permissions (see STS mode authorization to create one)
Grant the Connection_Admin role
If a RAM user needs to create or manage CONNECTIONs, grant them the tenant-level Connection_Admin role. Only an Alibaba Cloud account or a user with the Super_Administrator or Admin role can perform this grant. For background on tenant-level roles, see Tenant-level role authorization.
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left navigation pane, choose Manage Configurations > Tenants.
- On the Tenants page, click the Roles tab.
- Select Connection_Admin, then click New Authorization in the Actions column.
- In the Newly Added Authorization dialog box, add the users to authorize and click OK.
Create a CONNECTION
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left navigation pane, choose MaxLake > Data Lake Connection.
- On the Data Lake Connection (CONNECTION) page, click Establish a connection.
- In the Create Data Lake Connection dialog box, set the following parameters and click OK.

| Parameter | Description | Example |
|---|---|---|
| Data Connection Name | The name of the connection. Must be unique within the tenant. | my-oss-connection |
| RAMRoleARN | The ARN of the RAM role that has OSS access permissions. To create a custom role, see STS mode authorization. | acs:ram::123456789012345678:role/MaxComputeOSSRole |
| Data Connection Description | An optional description for the connection. | Connects to production OSS bucket |

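
The following is an added example, not part of the original page or of any Alibaba Cloud tooling: a pre-migration check that finds AccessKey pairs still embedded in job or query text and validates the RAMRoleARN value that replaces them. The `LTAI` key-ID prefix and the `oss://<id>:<secret>@<endpoint>` location form are assumptions about how legacy credentials appear, and every sample value is constructed.

```python
import re

# Assumption: Alibaba Cloud AccessKey IDs usually start with "LTAI".
AK_ID = re.compile(r"\bLTAI[0-9A-Za-z]{12,26}\b")
# Assumption: legacy locations embed the pair as oss://<id>:<secret>@<endpoint>/...
OSS_URI_PAIR = re.compile(r"oss://([^\s:/@'\"]+):([^\s/@'\"]+)@", re.IGNORECASE)
# ARN shape inferred from the example value in the parameter table.
ROLE_ARN = re.compile(r"acs:ram::(\d+):role/([A-Za-z0-9.@_-]+)")


def redact(value):
    """Keep a short prefix so a finding is traceable without leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)


def find_embedded_credentials(text):
    """Return (line_no, kind, redacted_value) for each plaintext credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in OSS_URI_PAIR.finditer(line):
            findings.append((line_no, "oss-uri-secret", redact(m.group(2))))
        for m in AK_ID.finditer(line):
            findings.append((line_no, "accesskey-id", redact(m.group(0))))
    return findings


def parse_role_arn(arn):
    """Split a RAMRoleARN into (account_id, role_name); reject anything else."""
    m = ROLE_ARN.fullmatch(arn.strip())
    if m is None:
        raise ValueError("expected acs:ram::<account-id>:role/<role-name>")
    return m.group(1), m.group(2)


# Constructed sample input: two foreign-table locations, one with an embedded pair.
SAMPLE = """\
LOCATION 'oss://LTAIexampleKEY000001:ExampleSecret0000000000000001@oss-cn-beijing-internal.aliyuncs.com/bkt/logs/'
LOCATION 'oss://oss-cn-beijing-internal.aliyuncs.com/bkt/logs/'
"""

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE):
        print(finding)
    print(parse_role_arn("acs:ram::123456789012345678:role/MaxComputeOSSRole"))
```

Findings carry only a redacted prefix, so the scan output can be stored in a ticket or CI log without re-exposing the key.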
Grant permissions on a CONNECTION
To let other users use a CONNECTION, grant them the Connection_User role on that connection.
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left navigation pane, choose MaxLake > Data Lake Connection.
- On the Data Lake Connection (CONNECTION) page, find the target connection and click Newly Added Authorization in the Operation column.
- In the Data Connection Authorization dialog box, add the users to authorize and click OK.
View CONNECTIONs
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left navigation pane, choose MaxLake > Data Lake Connection.
- On the Data Lake Connection (CONNECTION) page, view the list of all connections in the current tenant.
Delete a CONNECTION
Deleting a CONNECTION invalidates all authorizations that depend on it. Any foreign tables or external storage access that relies on the connection will fail immediately. Evaluate the impact before proceeding.
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left navigation pane, choose MaxLake > Data Lake Connection.
- On the Data Lake Connection (CONNECTION) page, find the connection to delete and click Delete in the Operation column.
- In the confirmation dialog box, click Confirm Delete.