E-MapReduce: Grant permissions to a RAM user

Last Updated: Mar 26, 2026

Grant RAM users access to the EMR Serverless StarRocks console by attaching system policies through the RAM console.

When to use RAM

RAM is useful in EMR Serverless StarRocks for two scenarios:

  • Multiple users: When O&M staff, developers, or data analysts all need access to your EMR Serverless StarRocks instances, attach a policy to each RAM user rather than sharing a single AccessKey.

  • User groups: Create user groups and attach different policies to manage permissions in batches. Granting permissions to a user group follows the same procedure as granting them to an individual RAM user.

Policies and roles

System policies

| Policy name | Description |
| --- | --- |
| AliyunEMRStarRocksFullAccess | Grants administrator permissions for EMR Serverless StarRocks, including all operations and features. |
| AliyunEMRStarRocksReadOnlyAccess | Grants read-only permissions. Allows viewing the instance list and querying instance details, but not creating, updating, or modifying instances. |
| AliyunBSSOrderAccess | Grants permissions to view, pay for, and cancel orders in the User Center. Required to upgrade or downgrade instance configurations and renew instances in the console. |
| AliyunSLBFullAccess | Grants permissions to manage Server Load Balancer (SLB). Required when configuring public or internal whitelists for StarRocks. |

System roles

| Role name | Description |
| --- | --- |
| AliyunEMRStarRocksAccessingOSSRole | Used by EMR Serverless StarRocks to access your data in Object Storage Service (OSS). |

Custom policies

If you are familiar with Alibaba Cloud service APIs and need fine-grained access control beyond system policies, create a custom policy. Design the policy script carefully to avoid unintended permission gaps. For more information, see Policy structure and syntax.

Grant permissions to a RAM user

Before you begin, make sure that you have:

  • A RAM administrator account with permission to manage RAM users

  • The RAM user accounts that need access to EMR Serverless StarRocks

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane, choose Identities > Users.

  3. On the Users page, find the target RAM user and click Add Permissions in the Actions column. To grant the same permissions to multiple RAM users at once, select them and click Add Permissions at the bottom of the page.

  4. In the Add Permissions panel, configure the following settings.

    | Parameter | Description |
    | --- | --- |
    | Resource Scope | Account: Permissions take effect across the entire Alibaba Cloud account. ResourceGroup: Permissions take effect within a specific resource group only. |
    | Principal | The RAM user to grant permissions to. |
    | Policy | Under System Policy, search for StarRocks to find the relevant policies. Click the policy you want to assign and select the permission. For policy descriptions, see Policies and roles. |

  5. Click Grant permissions.

Permissions take effect immediately. The RAM user can now log on to the EMR Serverless console and access the features covered by the attached policies.

FAQ

Why can't I view the instance list after logging in as a RAM user?

This usually means the AliyunEMRStarRocksReadOnlyAccess policy is attached at the ResourceGroup level, but the current authentication logic requires it at the Account level. Even if the RAM user has the AliyunServiceRoleForEMRStarRocks role and the access policy has not changed, that role's permissions do not cover the account-level ram:GetRole API call that the instance list page requires.

To fix this, change the existing policy scope from ResourceGroup to Account in the RAM console.

If you cannot change the scope of the existing policy, attach an additional account-level custom policy with the following content:

{
  "Version": "1",
  "Statement": [
    {
      "Action": ["ram:GetRole"],
      "Resource": "acs:ram:*:*:role/AliyunServiceRoleForEMRStarRocks",
      "Effect": "Allow"
    }
  ]
}
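
The scope mismatch described in this FAQ can be checked offline against a RAM user's attachments before anything is changed in the console. The following Python sketch is an added example, not Alibaba Cloud code: the attachment tuples, the account ID and the simplified evaluation (only Account-scoped grants count for this call, an explicit Deny wins, `*` wildcards) are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# The call the FAQ says the instance list page needs.
# The account ID is a constructed placeholder.
ACTION = "ram:GetRole"
RESOURCE = "acs:ram::1234567890123456:role/AliyunServiceRoleForEMRStarRocks"

# The statement from the FAQ, wrapped as a policy document.
FAQ_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Action": ["ram:GetRole"],
    "Resource": "acs:ram:*:*:role/AliyunServiceRoleForEMRStarRocks",
    "Effect": "Allow"}]})


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _statements(policy_json):
    """Return the statements of a full policy document or of a bare statement."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", doc)
    return [stmts] if isinstance(stmts, dict) else stmts


def _matches(stmt):
    """True if the statement covers ram:GetRole on the service-linked role."""
    return (any(fnmatchcase(ACTION, p) for p in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(RESOURCE, p) for p in _as_list(stmt.get("Resource", []))))


def instance_list_allowed(attachments):
    """attachments: list of (scope, policy_json), scope 'Account' or 'ResourceGroup'."""
    allowed = False
    for scope, policy_json in attachments:
        if scope != "Account":
            continue  # the FAQ's failure mode: the grant exists, but at the wrong scope
        for stmt in _statements(policy_json):
            if not _matches(stmt):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # explicit Deny overrides any Allow
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


if __name__ == "__main__":
    print(instance_list_allowed([("ResourceGroup", FAQ_POLICY)]))  # wrong scope
    print(instance_list_allowed([("Account", FAQ_POLICY)]))        # fixed scope
```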