MaxCompute:Prepare a RAM user

Precautions

• RAM users belong to your Alibaba Cloud account. They do not own resources and are not separately charged.

• All the fees incurred by the RAM users must be paid by your Alibaba Cloud account.

Procedure

1. Step 1: Create a RAM user

   Create a RAM user by using your Alibaba Cloud account. For more information, see RAM.

2. Step 2: Create an AccessKey pair

   Create an AccessKey pair for the RAM user by using your Alibaba Cloud account. This ensures that the jobs submitted by the RAM user can run normally.

3. Step 3 (Optional): Grant permissions to the RAM user

   • To allow the RAM user to create projects in DataWorks, you must attach the AliyunDataWorksFullAccess policy to the RAM user by using your Alibaba Cloud account.

   • To allow the RAM user to manage projects and quotas in the MaxCompute V2.0 console, you must attach the AliyunMaxComputeFullAccess policy or custom RAM policies to the RAM user by using your Alibaba Cloud account. For more information, see RAM permissions.

4. Step 4: Assign the credentials of the RAM user to another user

   Assign the credentials of the created RAM user to other users.

Step 1: Create a RAM user

1. Log on to the RAM console by using your Alibaba Cloud account.

2. In the left-side navigation pane, choose Identities > Users.

3. On the Users page, click Create User.

4. In the User Account Information section of the Create User page, configure the following parameters:

   • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

   • Display Name: The display name can be up to 128 characters in length.

   • Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

   Note

   You can click Add User to create multiple RAM users at a time.

5. In the Access Mode section, select Console Access.

   • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).

   • Using permanent AccessKey to access: If you select this option, the system automatically generates an AccessKey pair for the RAM user. The RAM user can then call API operations or use other development tools to access Alibaba Cloud resources.

6. Click OK.

7. On the Create User page, click Download CSV File or find an existing RAM user and click Copy in the Actions column to save the logon username and password of the RAM user.

Step 2: Create an AccessKey pair

1. Log on to the RAM console.

2. In the left-side navigation pane, choose Identities > Users.

3. On the Users page, click the username of the RAM user that you want to manage.

4. In the AccessKey section of the Authentication tab, click Create AccessKey.

   

5. Read the suggestion for each scenario and select a credential solution based on your business requirements. If you must create an AccessKey pair, select a scenario, select I confirm that it is necessary to create an AccessKey, and then click Continue. The created AccessKey pair can be used in all scenarios.

   

6. In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and click OK.

   

Step 3 (Optional): Grant permissions to the RAM user

1. In the left-side navigation pane, choose Identities > Users.

2. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

   

   You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

3. In the Grant Permission panel, grant permissions to the RAM user.

   1. Configure the Resource Scope parameter.

      • Account: The authorization takes effect on the current Alibaba Cloud account.

      • ResourceGroup: The authorization takes effect on a specific resource group.

        Important

        If you select Resource Group for the Resource Scope parameter, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.

   2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

   3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

   4. Click Grant permissions.

4. Click the AliyunDataWorksFullAccess policy in the Authorization Policy Name column to add this permission to the list of selected permissions.

   Note

   If the RAM user needs to activate MaxCompute later, the Alibaba Cloud account must attach the AliyunBSSOrderAccess policy to the RAM user.

5. Click OK.

6. Click Close.

Step 4: Assign the credentials of the RAM user to another user