Only authorized RAM users in MaxCompute projects can access Data Lake Formation (DLF) or Object Storage Service (OSS). You can add trust policies and custom policies to authorize RAM users to access DLF and OSS. This topic describes how to authorize RAM users in MaxCompute projects to access DLF.

Background information

If you use MaxCompute, DLF, and OSS to implement the lakehouse solution, only authorized RAM users in MaxCompute projects can access DLF.
  • If the same RAM user is used to create the MaxCompute project and to deploy DLF, set Service to odps.aliyuncs.com when you add the trust policy to the RAM role.
  • If the RAM user that created the MaxCompute project is different from the RAM user that deployed DLF, set Service to <ID of the Alibaba Cloud account to which the MaxCompute project belongs>@odps.aliyuncs.com when you add the trust policy to the RAM role. You can obtain the ID of the Alibaba Cloud account to which the MaxCompute project belongs on the Personal Information page.

Procedure

  1. Log on to the Resource Access Management (RAM) console to create a RAM role whose trusted entity type is Alibaba Cloud Account.
  2. Modify the trust policy of the created RAM role in the RAM console.
    For more information, see Edit the trust policy of a RAM role. The following code shows the trust policy after modification.
    -- If the same account is used to create the MaxCompute project and deploy DLF, the trust policy contains the following content:
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "odps.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
    -- If the account that created the MaxCompute project is different from the account that deployed DLF, the trust policy contains the following content:
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "<ID of the Alibaba Cloud account to which the MaxCompute project belongs>@odps.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
  3. Create a custom policy for the created RAM role in the RAM console.
    For more information, see Create a custom policy. The custom policy contains the following content. Both statements use "Resource": "*", which covers every OSS bucket and DLF object in the account; if the lakehouse uses known buckets, narrowing the OSS resource to those buckets limits what the role can reach.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListBuckets",
            "oss:GetObject",
            "oss:ListObjects",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:AbortMultipartUpload",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dlf:CreateFunction",
            "dlf:BatchGetPartitions",
            "dlf:ListDatabases",
            "dlf:CreateLock",
            "dlf:UpdateFunction",
            "dlf:BatchUpdateTables",
            "dlf:DeleteTableVersion",
            "dlf:UpdatePartitionColumnStatistics",
            "dlf:ListPartitions",
            "dlf:DeletePartitionColumnStatistics",
            "dlf:BatchUpdatePartitions",
            "dlf:GetPartition",
            "dlf:BatchDeleteTableVersions",
            "dlf:ListFunctions",
            "dlf:DeleteTable",
            "dlf:GetTableVersion",
            "dlf:AbortLock",
            "dlf:GetTable",
            "dlf:BatchDeleteTables",
            "dlf:RenameTable",
            "dlf:RefreshLock",
            "dlf:DeletePartition",
            "dlf:UnLock",
            "dlf:GetLock",
            "dlf:GetDatabase",
            "dlf:GetFunction",
            "dlf:BatchCreatePartitions",
            "dlf:ListPartitionNames",
            "dlf:RenamePartition",
            "dlf:CreateTable",
            "dlf:BatchCreateTables",
            "dlf:UpdateTableColumnStatistics",
            "dlf:ListTableNames",
            "dlf:UpdateDatabase",
            "dlf:GetTableColumnStatistics",
            "dlf:ListFunctionNames",
            "dlf:ListPartitionsByFilter",
            "dlf:GetPartitionColumnStatistics",
            "dlf:CreatePartition",
            "dlf:CreateDatabase",
            "dlf:DeleteTableColumnStatistics",
            "dlf:ListTableVersions",
            "dlf:BatchDeletePartitions",
            "dlf:ListCatalogs",
            "dlf:UpdateTable",
            "dlf:ListTables",
            "dlf:DeleteDatabase",
            "dlf:BatchGetTables",
            "dlf:DeleteFunction"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  4. Attach the custom policy to the created RAM role.
    For more information, see Grant permissions to a RAM role.
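As an added example (not part of this topic or of any Alibaba Cloud tooling), the following Python script applies the same-account versus cross-account rule from the Background information section to derive the Service principal, emits the matching trust policy, and audits an existing trust policy for any principal other than that single MaxCompute service. Account IDs used with it are constructed placeholders.

```python
import json

ODPS_SERVICE = "odps.aliyuncs.com"


def maxcompute_service_principal(project_owner_id, dlf_owner_id):
    """Service principal the trust policy must name (rule from the topic):
    same account for the MaxCompute project and DLF -> bare service name;
    different accounts -> '<MaxCompute project owner account ID>@' prefix."""
    if project_owner_id == dlf_owner_id:
        return ODPS_SERVICE
    return f"{project_owner_id}@{ODPS_SERVICE}"


def build_trust_policy(project_owner_id, dlf_owner_id):
    """Trust policy for the RAM role that MaxCompute assumes to reach DLF/OSS."""
    service = maxcompute_service_principal(project_owner_id, dlf_owner_id)
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": [service]},
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, project_owner_id, dlf_owner_id):
    """Return findings for Allow statements whose principal is anything other
    than the single expected MaxCompute service principal: every extra
    principal is another party that may assume the role and read the lake."""
    expected = maxcompute_service_principal(project_owner_id, dlf_owner_id)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal '*'")
            continue
        for kind, members in principal.items():
            members = [members] if isinstance(members, str) else members
            for member in members:
                if kind != "Service" or member != expected:
                    findings.append(f"unexpected principal {kind}: {member}")
    return findings
```

Running `audit_trust_policy` against the JSON pasted from the RAM console (loaded with `json.loads`) returns an empty list when the role trusts exactly the expected MaxCompute principal.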