A service-linked role (SLR) is a RAM role whose trusted entity is an Alibaba Cloud service. SLRs can implement authorized access across Alibaba Cloud services. If you want to use Hologres to access MaxCompute, you must create the SLR AliyunServiceRoleForHologresIdentityMgmt. This topic describes how to create the SLR AliyunServiceRoleForHologresIdentityMgmt and grant permissions to this role. This topic also describes how to view and delete this role.
For more information, see Service-linked roles.
Introduction to AliyunServiceRoleForHologresIdentityMgmt
Description
Service name: identity.hologres.aliyuncs.com.
Role name: AliyunServiceRoleForHologresIdentityMgmt.
Role description: You can use this role in Hologres to access your resources in MaxCompute.
Create the SLR AliyunServiceRoleForHologresIdentityMgmt and grant permissions to the role
You can use one of the following methods to create the role and grant permissions to the role:
New instances
On the Hologres buy page, click Create Service-linked Role and grant permissions to the role.
Existing instances
Use the Hologres console or an API operation to create the SLR and grant permissions to the role.
Use the Hologres console
Log on to the Hologres console.
In the left-side navigation pane, click Create a Service-Linked Role.
On the RAM Quick Authorization page, click Authorize.
If Completed is displayed, the SLR is created and authorized
Use an API operation
Log on to OpenAPI Portal.
On the Parameters tab, set ServiceName to identity.hologres.aliyuncs.com.
Click Initiate Call.
After the call is successful, you can view the role in the RAM console.
View permissions
You can perform the following steps to view the permissions of the created SLR AliyunServiceRoleForHologresIdentityMgmt.
Log on to the RAM console by using your Alibaba Cloud account or as a RAM user that has administrative permissions.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, search for AliyunServiceRoleForHologresIdentityMgmt and click the name of the role.
On the Permissions tab, click the policy that is displayed.
On the Policy Document tab, view details of the policy.
NoteYou can only view the policy for the SLR AliyunServiceRoleForHologresIdentityMgmt. You cannot modify the policy.
Delete the SLR
To prohibit Hologres from accessing MaxCompute, you can delete the AliyunServiceRoleForHologresIdentityMgmt role in the RAM console. For more information, see Delete a RAM role.
When you delete the AliyunServiceRoleForHologresIdentityMgmt role, the related permissions are also revoked.
FAQ
Question 1: When I click Create Service-linked Role on the Hologres buy page, the following message is displayed: The user does not have the permissions to create service-linked roles. Contact the Alibaba Cloud account or the permission administrator to authorize the user. What do I do?
Solution: Use your Alibaba Cloud account to grant permissions to the RAM user. For more information, see Service-linked roles.
Question 2: When I access MaxCompute foreign tables in Hologres, one of the following error messages is displayed. What do I do?
Error message 1:
cannot deal with ram role, AliyunServiceRoleForHologresUserMgmt does not exist.Error message 2:
ErrorMessage=ODPS-0420095: Access Denied - Authorization Failed [4111], You have NO privilege \'odps:ActOnBehalfOfAnotherUser\' on {acs:odps:regions_id:xxxxxx:users/default/aliyun/xxxxxx. Not pass by ram permission check.
Solution: Grant permissions to the SLR AliyunServiceRoleForHologresIdentityMgmt again. For more information, see Use the Hologres console in this topic.