A service-linked role (SLR) is a RAM role whose trusted entity is an Alibaba Cloud service. SLRs enable cross-service authorization — when Hologres needs to access MaxCompute or Data Lake Formation (DLF) on your behalf, it uses the AliyunServiceRoleForHologresIdentityMgmt role to do so without requiring you to configure permissions manually.
This topic describes how to create, view, and delete the AliyunServiceRoleForHologresIdentityMgmt role.
For background on service-linked roles, see Service-linked roles.
AliyunServiceRoleForHologresIdentityMgmt overview
| Attribute | Value |
|---|---|
| Service name | identity.hologres.aliyuncs.com |
| Role name | AliyunServiceRoleForHologresIdentityMgmt |
| Purpose | Allows Hologres to access your MaxCompute resources |
Create and authorize the role
How you create the role depends on whether you are purchasing a new Hologres instance or working with an existing one.
To create this role as a RAM user, the RAM user must have the CreateServiceLinkedRole permission. For details, see Permissions required to create a service-linked role.New instance
On the Hologres instance purchase page, click Create Service-linked Role.
Existing instance
For existing instances, use either the RAM console or the OpenAPI.
RAM console
Log on to the Hologres Management Console, then click Authorize Service-linked Role to complete authorization.
OpenAPI
Go to the CreateServiceLinkedRole API page.
In Parameter Settings, set ServiceName to identity.hologres.aliyuncs.com.
Click Invoke.
After the call succeeds, the role appears in the RAM console.
View the role
The access policy attached to AliyunServiceRoleForHologresIdentityMgmt is read-only — you can view it but cannot modify it.
Log on to the Resource Access Management (RAM) console using your Alibaba Cloud account (root account) or as a RAM administrator.
In the navigation pane, choose Identity Management > Role.
Search for AliyunServiceRoleForHologresIdentityMgmt and click the role name.
On the Access Control tab, click the attached access policy.
On the Policy Content tab, review the permissions.
Delete the role
Deleting AliyunServiceRoleForHologresIdentityMgmt stops Hologres from accessing MaxCompute and revokes all permissions granted by the role. This may interrupt workflows that depend on cross-service access. Delete the role only when you no longer need Hologres to access these services.
To delete the role, follow the steps in Delete a RAM role in the RAM console.
To delete this role as a RAM user, the RAM user must have the DeleteServiceLinkedRole permission. For details, see Permissions required to delete a service-linked role.FAQ
I clicked Create Service-linked Role on the purchase page and got a "does not have permission" error.
If you see the message "The current logged-on user does not have permission to create a service-linked role. Contact the root account or permission administrator to grant permissions to the current user," grant the CreateServiceLinkedRole permission to the RAM user using your Alibaba Cloud account (root account). For details, see Service-linked roles.
I got an error when accessing a MaxCompute foreign table in Hologres.
The two most common errors are:
ERROR: Fail to access foreign data as user 1063806044629636, AliyunServiceRoleForHologresIdentityMgmt does not existErrorMessage=ODPS-0420095: Access Denied - Authorization Failed [4111], You have NO privilege 'odps:ActOnBehalfOfAnotherUser' on {acs:odps:regions_id:xxxxxx:users/default/aliyun/xxxxxx. Not pass by ram permission check
Both errors indicate that AliyunServiceRoleForHologresIdentityMgmt is missing or unauthorized. Re-authorize the role by following the RAM console or OpenAPI steps under Create and authorize the role.