
MaxCompute service-linked role

Last Updated: Jun 24, 2024

A service-linked role is a RAM role whose trusted entity is an Alibaba Cloud service and is used to authorize access across Alibaba Cloud services. If MaxCompute needs to access other big data computing services such as Hologres, you need to create the service-linked role AliyunServiceRoleForMaxComputeIdentityMgmt for MaxCompute.

Required permissions for a RAM user to use a service-linked role

If you want to use a RAM user to create or delete a service-linked role, you must make sure that either the AliyunMaxComputeFullAccess policy is attached to the RAM user or the required permission is included in the Action element of a custom policy that is attached to the RAM user.

  • Permission to create a service-linked role: ram:CreateServiceLinkedRole

  • Permission to delete a service-linked role: ram:DeleteServiceLinkedRole

For more information, see Permissions required to create and delete a service-linked role.

Create a service-linked role

The following descriptions provide the details of the service-linked role for MaxCompute:

  • Role name: AliyunServiceRoleForMaxComputeIdentityMgmt

  • Role description: This role authorizes MaxCompute to access other big data computing services such as Hologres.

  • Policy of the role: AliyunServiceRolePolicyForMaxComputeIdentityMgmt

  • Policy document:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "odps:ActOnBehalfOfAUser",
          "Resource": "acs:odps:*:*:users/*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "identity.odps.aliyuncs.com"
            }
          }
        }
      ],
      "Version": "1"
    }

Authorization during MaxCompute activation

Click Create Service-linked Role when you activate MaxCompute.


Authorization after MaxCompute activation

Go to the RAM Quick Authorization page to assign the role to MaxCompute.


View a service-linked role

After the service-linked role AliyunServiceRoleForMaxComputeIdentityMgmt is created, you can go to the Roles page, search for AliyunServiceRoleForMaxComputeIdentityMgmt, and view the following information about the role:

  • Basic information

    In the Basic Information section of the details page for the AliyunServiceRoleForMaxComputeIdentityMgmt role, view the basic information about the role, including the role name, creation time, Alibaba Cloud Resource Name (ARN), and description.

  • Permission policy

    On the Permissions tab of the details page for the AliyunServiceRoleForMaxComputeIdentityMgmt role, click the name of the policy to view the policy document and the cloud resources that can be accessed by using the role.

  • Trust policy

    On the Trust Policy tab of the details page for the AliyunServiceRoleForMaxComputeIdentityMgmt role, view the document of the trust policy. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a service-linked role is a cloud service. To obtain the trusted entity of a service-linked role, you can view the value of the Service parameter in the trust policy.

For more information about how to view the information about a service-linked role, see View the information about a RAM role.
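The two documents this page tells you to inspect, the role's permission policy (reproduced under "Create a service-linked role") and its trust policy (described under "View a service-linked role"), can be audited offline. The following Python is an added example, not Alibaba Cloud's code or part of this documentation. It copies the permission policy from the page verbatim, and since the page does not print the trust policy, it uses a constructed trust policy in the standard RAM shape whose Service value is the service name the page's Condition already names; treat that trust document as an assumption. The checks it runs are the ones a reviewer wants here: which actions the role may take and on what, whether any action on Resource "*" is left without a Condition, which service may assume the role, and whether the ram:ServiceName that scopes ram:DeleteServiceLinkedRole matches that trusted service, so the role can remove only its own service-linked role.

```python
"""Offline audit of a RAM service-linked role: its permission policy and its
trust policy. Added example, not Alibaba Cloud's code."""
import json

# Permission policy AliyunServiceRolePolicyForMaxComputeIdentityMgmt, copied
# verbatim from the documentation.
PERMISSION_POLICY = """{
  "Statement": [
    {"Effect": "Allow",
     "Action": "odps:ActOnBehalfOfAUser",
     "Resource": "acs:odps:*:*:users/*"},
    {"Action": "ram:DeleteServiceLinkedRole",
     "Resource": "*",
     "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "identity.odps.aliyuncs.com"}}}
  ],
  "Version": "1"
}"""

# Constructed trust policy in the standard RAM shape (assumption: the page does
# not print the real document). Its Service value is the name the page's
# Condition already uses.
TRUST_POLICY = """{
  "Statement": [
    {"Action": "sts:AssumeRole",
     "Effect": "Allow",
     "Principal": {"Service": ["identity.odps.aliyuncs.com"]}}
  ],
  "Version": "1"
}"""


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize_permissions(policy_json):
    """One dict per Allow statement: actions, resources, condition keys."""
    rows = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        conds = stmt.get("Condition", {})
        rows.append({
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "condition_keys": sorted(k for op in conds.values() for k in op),
        })
    return rows


def unscoped_wildcard_allows(policy_json):
    """Actions allowed on Resource "*" with no Condition at all. For the
    page's policy this is empty: ram:DeleteServiceLinkedRole is on "*" but
    limited by ram:ServiceName, so only the role's own SLR can be deleted."""
    found = []
    for row in summarize_permissions(policy_json):
        if "*" in row["resources"] and not row["condition_keys"]:
            found.extend(row["actions"])
    return found


def trusted_services(trust_policy_json):
    """Service principals allowed to assume the role: the 'Service parameter'
    the page tells you to read on the Trust Policy tab."""
    services = set()
    for stmt in json.loads(trust_policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services.update(_as_list(stmt.get("Principal", {}).get("Service")))
    return sorted(services)


def delete_scope_matches_trust(policy_json, trust_policy_json):
    """True when the ram:ServiceName scoping ram:DeleteServiceLinkedRole is
    exactly the set of trusted services. A mismatch means the role could
    delete another service's SLR, or could not clean up its own."""
    scoped = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if "ram:DeleteServiceLinkedRole" in _as_list(stmt.get("Action")):
            eq = stmt.get("Condition", {}).get("StringEquals", {})
            scoped.update(_as_list(eq.get("ram:ServiceName")))
    return scoped == set(trusted_services(trust_policy_json))


if __name__ == "__main__":
    for row in summarize_permissions(PERMISSION_POLICY):
        print(row)
    print("unscoped wildcard allows:", unscoped_wildcard_allows(PERMISSION_POLICY))
    print("trusted services:", trusted_services(TRUST_POLICY))
    print("delete scope matches trust:",
          delete_scope_matches_trust(PERMISSION_POLICY, TRUST_POLICY))
```

Running the script prints the two statements, an empty list of unscoped wildcard allows, the single trusted service, and True for the scope check. Pasting the real trust document from the Trust Policy tab in place of TRUST_POLICY makes the last check meaningful for your tenant; if unscoped_wildcard_allows ever returns a non-empty list for a service-linked role, that is the statement to raise with the service owner.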

Delete a service-linked role

If you do not use MaxCompute for a long period of time, you can delete the service-linked role in the RAM console. For more information, see Delete a RAM role.

Note

After you delete the service-linked role AliyunServiceRoleForMaxComputeIdentityMgmt, MaxCompute cannot access other big data computing services. Proceed with caution.