This topic describes how to authorize MaxCompute to access Object Storage Service (OSS) and Tablestore by using one-click authorization or by customizing a RAM role. MaxCompute uses Resource Access Management (RAM) and Security Token Service (STS) of Alibaba Cloud to secure data access.

STS authorization for OSS

To access OSS data by using the external table feature of MaxCompute, you must grant OSS access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to grant OSS access permissions:
  • Method 1: If your MaxCompute project and the OSS bucket you want to access belong to the same Alibaba Cloud account, log on to the RAM console and perform one-click authorization. We recommend that you use this method.
  • Method 2: If your MaxCompute project and the OSS bucket you want to access do not belong to the same Alibaba Cloud account, you can customize a RAM role and grant permissions to the RAM role.
    1. Create a RAM role.
      Log on to the RAM console by using the Alibaba Cloud account to which the OSS bucket belongs and create a RAM role on the Roles page in the RAM console. For example, you can create a RAM role named oss-admin. Create Role
      Note For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.
    2. Modify the policy of the RAM role.
      On the Roles page in the RAM console, click the name of the RAM role in the Role Name column. On the page that appears, click the Trust Policy Management tab and click Edit Trust Policy. In the Edit Trust Policy panel, modify the policy. Replace the document of the policy with the following code to allow your MaxCompute project to access the OSS bucket:
      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
         "Service": [
           "ID of the Alibaba Cloud account to which the MaxCompute project belongs@odps.aliyuncs.com"
         ]
       }
      }
      ],
      "Version": "1"
      }
      Note

      ID of the Alibaba Cloud account to which the MaxCompute project belongs indicates the account that is used to access the OSS bucket.

      For more information about how to modify a policy, see Edit the trust policy of a RAM role.

    3. Create a policy.

      On the Policies page in the RAM console, create a policy. In this example, a policy named AliyunODPSRolePolicy is created. The following code provides the policy document. You can specify permissions in the policy based on your business requirements.

      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
         "oss:ListBuckets",
         "oss:GetObject",
         "oss:ListObjects",
         "oss:PutObject",
         "oss:DeleteObject",
         "oss:AbortMultipartUpload",
         "oss:ListParts"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
    4. Attach the policy AliyunODPSRolePolicy to the RAM role.

      For more information, see Grant permissions to a RAM role.

STS authorization for Tablestore

To access Tablestore data by using the external table feature of MaxCompute, you must grant Tablestore access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to grant permissions to the account:
  • Method 1: If your MaxCompute project and the Tablestore instance you want to access belong to the same Alibaba Cloud account, log on to the RAM console and perform one-click authorization. We recommend that you use this method.
  • Method 2: If your MaxCompute project and the Tablestore instance you want to access do not belong to the same Alibaba Cloud account, you can customize a RAM role and grant permissions to the RAM role.
    1. Create a RAM role.

      Log on to the RAM console by using the Alibaba Cloud account to which the Tablestore instance belongs and create a RAM role on the Roles page in the RAM console. For example, you can create a RAM role named oss-adminots.

      For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.

    2. Modify the policy of the RAM role.

      On the Roles page in the RAM console, click the name of the RAM role in the Role Name column. On the page that appears, click the Trust Policy Management tab and click Edit Trust Policy. In the Edit Trust Policy panel, modify the policy. Replace the document of the policy with the following code to allow your MaxCompute project to access the Tablestore instance:

      {
      "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
         "Service": [
           "ID of the Alibaba Cloud account to which the MaxCompute project belongs@odps.aliyuncs.com"
         ]
       }
      }
      ],
      "Version": "1"
      }

      ID of the Alibaba Cloud account to which the MaxCompute project belongs is the account that is used to access Tablestore.

    3. Create a policy.

      On the Policies page in the RAM console, create a policy. In this example, a policy named AliyunODPSRolePolicy is created. The following code provides the policy document. You can specify permissions in the policy based on your business requirements.

      {
      "Version": "1",
      "Statement": [
      {
       "Action": [
         "ots:ListTable",
         "ots:DescribeTable",
         "ots:GetRow",
         "ots:PutRow",
         "ots:UpdateRow",
         "ots:DeleteRow",
         "ots:GetRange",
         "ots:BatchGetRow",
         "ots:BatchWriteRow",
         "ots:ComputeSplitPointsBySize"
       ],
       "Resource": "*",
       "Effect": "Allow"
      }
      ]
      }
    4. Attach the policy AliyunODPSRolePolicy to the RAM role.

      For more information, see Grant permissions to a RAM role.