
Realtime Compute for Apache Flink: Authorization in different logon methods

Last Updated: Mar 15, 2024

Realtime Compute for Apache Flink allows you to log on to the Realtime Compute for Apache Flink console and perform draft development and deployment O&M by using an Alibaba Cloud account, a RAM user, a RAM role, or a member in a resource directory. The principals (identities or accounts) that must be granted permissions to log on to the Realtime Compute for Apache Flink console may vary based on the logon methods. This topic describes the principals that need to be authorized to access the Realtime Compute for Apache Flink console in different logon methods.

Background information

If you use your Alibaba Cloud account to log on to the Realtime Compute for Apache Flink console and access resources that belong to the account, no authorization is required. If you use other methods to log on to the Realtime Compute for Apache Flink console, you must be granted the required permissions to use related features. For more information, see Permission management.

  • If you want to view a workspace and perform operations such as purchasing a workspace or reconfiguring resources in a workspace in the Realtime Compute for Apache Flink console as a RAM user or a RAM role, you must grant permissions to the RAM user or the RAM role.

  • If you want to perform operations such as draft development and deployment O&M in the console of fully managed Flink, you must authorize the account to access a specific namespace.

If you need to perform only draft-related and deployment-related operations, such as draft development and deployment O&M, and you do not need to perform operations such as workspace purchase, it is sufficient to authorize the account to access a specific namespace. After the authorization, you can use the URL of the namespace to log on to the console of fully managed Flink.

Logon by using an Alibaba Cloud account

  • Logon method: Logon by using an Alibaba Cloud account
  • Example: 14188867953*****
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): No authorization is required for Alibaba Cloud accounts.
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the Alibaba Cloud account (When an Alibaba Cloud account is used to access its own resources, no authorization is required.)
  • Authorization method: Authorize an account to perform operations in a namespace

Logon as a RAM user

  • Logon method: Logon as a RAM user
  • Example: RAM user flinktest
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): RAM user flinktest
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the RAM user flinktest

Logon by using a RAM role

Important: If you want to log on to the Realtime Compute for Apache Flink console by using a RAM role, you must attach the AliyunSTSAssumeRoleAccess policy to a RAM user so that the RAM user can assume the RAM role.

Logon method: Logon by using a RAM user of Alibaba Cloud Account A to assume a RAM role of Alibaba Cloud Account A

  • Example: The RAM user flinktest of Alibaba Cloud Account A assumes the RAM role flinkrole of Alibaba Cloud Account A to log on to the console.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): RAM role flinkrole
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the RAM role flinkrole

Logon method: Logon by using a RAM user of Alibaba Cloud Account B to assume a RAM role of Alibaba Cloud Account A

  • Example: The RAM user flinktestB of Alibaba Cloud Account B assumes the RAM role flinkrole of Alibaba Cloud Account A to log on to the console.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): RAM role flinkrole
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the RAM role flinkrole
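
In both role-based logon methods the permissions are granted to flinkrole itself, so the role's trust policy decides which identities end up holding them. The following is an added example, not part of the original page: it audits a constructed trust policy for flinkrole, and the account IDs, the policy content and the function names are assumptions.

```python
import json

# Constructed sample trust policy for flinkrole in Account A; account IDs are placeholders.
ACCOUNT_A = "1111111111111111"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"RAM": [
            "acs:ram::1111111111111111:user/flinktest",  # RAM user in Account A
            "acs:ram::2222222222222222:root",            # all of Account B
        ]},
    }],
})


def _as_list(value):
    """Policy fields may hold one string/dict or a list of them; always return a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def classify(principal, owner_account_id):
    """Return (scope, breadth) for an 'acs:ram::<account-id>:<entity>' principal."""
    parts = principal.split(":")
    if len(parts) != 5 or parts[:3] != ["acs", "ram", ""]:
        return ("unknown", "unrecognized-format")
    scope = "same-account" if parts[3] == owner_account_id else "cross-account"
    # ':root' trusts the whole account: any identity there that may call sts:AssumeRole.
    return (scope, "account-wide" if parts[4] == "root" else "single-identity")


def audit_trust_policy(policy_json, owner_account_id):
    """List every principal the policy allows to assume the role."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                result = classify(principal, owner_account_id) if kind == "RAM" else ("n/a", kind)
                findings.append((principal,) + result)
    return findings


if __name__ == "__main__":
    for row in audit_trust_policy(SAMPLE_TRUST_POLICY, ACCOUNT_A):
        print(*row, sep="  ")
```

A cross-account, account-wide entry means every RAM user in the other account that holds AliyunSTSAssumeRoleAccess can obtain whatever Flink permissions flinkrole has been granted.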

Logon by using a member in a resource directory

Logon method: Logon by using a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory

  • Example: The RAM user flinktest of the management account in a resource directory assumes the RAM role of Member Z in the resource directory to log on to the console.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): In most cases, no authorization is required.
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the account of Member Z in a resource directory (In most cases, no authorization is required.)
  • Authorization method: Authorize an account to perform operations in a namespace

Logon method: Logon as a RAM user created for a member of a resource directory

  • Example: The RAM user rd-flinktest-ram that is created for a member in a resource directory logs on to the console.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): RAM user rd-flinktest-ram
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the RAM user rd-flinktest-ram

Logon method: Logon by using an Alibaba Cloud account (root user) (not recommended)

  • Example: Alibaba Cloud Account Y (root user) logs on to the console.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): In most cases, no authorization is required.
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of Alibaba Cloud Account Y (In most cases, no authorization is required.)
  • Authorization method: Authorize an account to perform operations in a namespace

Logon method: Logon by using a CloudSSO user to assume a RAM role

  • Example: CloudSSO user user1 assumes a RAM role to access the resources of the member rd-flink-test in a resource directory.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): Create access configurations in the CloudSSO console and grant permissions to an account in a resource directory.
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of the RAM role that is used to log on to the console

Logon method: Logon by using a RAM user that has the same username as a CloudSSO user

  • Example: CloudSSO user user1 accesses the resources of the member rd-flink-test as a RAM user.
  • Principal, Realtime Compute for Apache Flink console (RAM-based authorization): RAM user user1 that has the same username as a CloudSSO user
  • Principal, console of fully managed Flink (authorization for operations in a namespace): ID of RAM user user1 that has the same username as a CloudSSO user

References

For more information about how to view the ID of an Alibaba Cloud account, the ID of a RAM user, and the ID of a RAM role, see View the ID of an Alibaba Cloud account, a RAM user, or a RAM role.