In a data lakehouse built on MaxCompute, Data Lake Formation (DLF), and Object Storage Service (OSS), a RAM user for a MaxCompute project cannot access DLF or OSS by default. To enable access, create a RAM role with a trust policy that authorizes MaxCompute to assume the role, then attach a custom access policy that grants the required DLF and OSS permissions.
Prerequisites
Before you begin, make sure that you have:
A MaxCompute project
An Alibaba Cloud account with permissions to manage RAM roles and policies in the RAM console
How it works
This authorization model uses two policies attached to a single RAM role:
| Policy | Purpose |
|---|---|
| Trust policy | Specifies which entity (the MaxCompute service) can assume the RAM role |
| Access policy (custom) | Specifies which DLF and OSS operations the role can perform |
The trust policy Service value depends on whether the MaxCompute project and DLF are deployed under the same Alibaba Cloud account:
| Deployment scenario | Service value |
|---|---|
| MaxCompute and DLF under the same account | odps.aliyuncs.com |
| MaxCompute and DLF under different accounts | <Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com |
For the cross-account scenario, find your Account ID in Account Center.
Step 1: Create a RAM role
Log on to the RAM console and create a RAM role for a trusted Alibaba Cloud account.
For details, see Create a RAM role for a trusted Alibaba Cloud account.
Step 2: Set the trust policy
Modify the trust policy of the RAM role you created. For details, see Modify the trust policy of a RAM role.
Use the policy that matches your deployment scenario.
Same account — MaxCompute and DLF are under the same Alibaba Cloud account:
```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
Different accounts — MaxCompute and DLF are under different Alibaba Cloud accounts:
```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
Replace <Alibaba Cloud account ID of the MaxCompute project owner> with the actual Alibaba Cloud account ID. The Service field identifies the entity that can assume this role: odps.aliyuncs.com represents the MaxCompute service itself (for same-account access), while {account ID}@odps.aliyuncs.com scopes the trust to MaxCompute operating under a specific account (for cross-account access).
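As an added example (not code from this page or from the MaxCompute or DLF documentation), the following Python builds the trust policy for either deployment scenario and lints an existing trust policy for the mistakes that most often leave a role unassumable: the placeholder account ID left unreplaced, a non-numeric account ID, a missing Service principal, or a Principal that trusts RAM identities rather than the MaxCompute service. The function names and the sample account ID are assumptions.

```python
import json
import re

# Service principal forms from the page: same-account and cross-account.
ODPS_SERVICE = "odps.aliyuncs.com"
PLACEHOLDER = "<Alibaba Cloud account ID of the MaxCompute project owner>"
CROSS_ACCOUNT_RE = re.compile(r"\d+@" + re.escape(ODPS_SERVICE))


def build_trust_policy(owner_account_id=None):
    """Return the trust policy document as a dict.

    owner_account_id=None        -> same account:  Service = odps.aliyuncs.com
    owner_account_id="1234..."   -> cross account: Service = <id>@odps.aliyuncs.com
    """
    if owner_account_id is None:
        service = ODPS_SERVICE
    else:
        if not re.fullmatch(r"\d+", str(owner_account_id)):
            raise ValueError(f"account ID must be numeric, got {owner_account_id!r}")
        service = f"{owner_account_id}@{ODPS_SERVICE}"
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": [service]},
            }
        ],
        "Version": "1",
    }


def trust_policy_json(owner_account_id=None):
    """build_trust_policy serialised for pasting into the RAM console."""
    return json.dumps(build_trust_policy(owner_account_id), indent=2)


def _as_list(value):
    """RAM policies accept either a string or a list in Action/Service fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(doc_text):
    """Lint a trust policy JSON string. Returns a list of findings; [] means OK."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    findings = []
    statements = doc.get("Statement", [])
    if not statements:
        return ["no Statement: nothing can assume this role"]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append("statement does not Allow sts:AssumeRole")
        principal = stmt.get("Principal", {})
        if "RAM" in principal:
            findings.append("Principal trusts RAM identities; MaxCompute assumes the role as a Service principal")
        services = _as_list(principal.get("Service"))
        if not services:
            findings.append("no Service principal: MaxCompute cannot assume this role")
        for svc in services:
            if svc == ODPS_SERVICE:
                continue  # same-account form, nothing to check
            if svc == f"{PLACEHOLDER}@{ODPS_SERVICE}":
                findings.append("placeholder account ID was not replaced")
            elif not CROSS_ACCOUNT_RE.fullmatch(svc):
                findings.append(f"unexpected Service principal: {svc}")
    return findings


if __name__ == "__main__":
    print(trust_policy_json())                    # same-account document
    print(trust_policy_json("1234567890123456"))  # constructed sample account ID
    print(check_trust_policy(trust_policy_json("1234567890123456")))
```

Run the linter against the trust policy you saved in the RAM console before troubleshooting a failed lakehouse query; an empty list means the Service principal has one of the two documented forms, and each finding names the field to correct.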
Step 3: Create a custom access policy
Create a custom policy for the RAM role. For details, see Create a custom policy.
The following policy grants the OSS and DLF permissions required for MaxCompute data lakehouse operations:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetObject",
        "oss:ListObjects",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:CreateFunction",
        "dlf:BatchGetPartitions",
        "dlf:ListDatabases",
        "dlf:CreateLock",
        "dlf:UpdateFunction",
        "dlf:BatchUpdateTables",
        "dlf:DeleteTableVersion",
        "dlf:UpdatePartitionColumnStatistics",
        "dlf:ListPartitions",
        "dlf:DeletePartitionColumnStatistics",
        "dlf:BatchUpdatePartitions",
        "dlf:GetPartition",
        "dlf:BatchDeleteTableVersions",
        "dlf:ListFunctions",
        "dlf:DeleteTable",
        "dlf:GetTableVersion",
        "dlf:AbortLock",
        "dlf:GetTable",
        "dlf:BatchDeleteTables",
        "dlf:RenameTable",
        "dlf:RefreshLock",
        "dlf:DeletePartition",
        "dlf:UnLock",
        "dlf:GetLock",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:BatchCreatePartitions",
        "dlf:ListPartitionNames",
        "dlf:RenamePartition",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:UpdateTableColumnStatistics",
        "dlf:ListTableNames",
        "dlf:UpdateDatabase",
        "dlf:GetTableColumnStatistics",
        "dlf:ListFunctionNames",
        "dlf:ListPartitionsByFilter",
        "dlf:GetPartitionColumnStatistics",
        "dlf:CreatePartition",
        "dlf:CreateDatabase",
        "dlf:DeleteTableColumnStatistics",
        "dlf:ListTableVersions",
        "dlf:BatchDeletePartitions",
        "dlf:ListCatalogs",
        "dlf:UpdateTable",
        "dlf:ListTables",
        "dlf:DeleteDatabase",
        "dlf:BatchGetTables",
        "dlf:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Step 4: Attach the policy to the RAM role
Attach the custom policy to the RAM role. For details, see Grant permissions to a RAM role.
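As an added example (not code from this page or from Alibaba Cloud), the following Python compares a custom access policy against the OSS and DLF action set the page lists in Step 3. It reports required actions that are missing (the cause of a failing lakehouse operation), actions or wildcards that go beyond the documented set (excess privilege), and statements whose Resource is "*", since the page's policy grants every bucket and the OSS resource can instead be scoped to the lakehouse bucket. The function names and the sample policy in the usage note are assumptions.

```python
import json

# Action sets copied from the page's custom policy (OSS: 7, DLF: 49).
REQUIRED_OSS_ACTIONS = {"oss:" + a for a in """
    ListBuckets GetObject ListObjects PutObject DeleteObject
    AbortMultipartUpload ListParts""".split()}
REQUIRED_DLF_ACTIONS = {"dlf:" + a for a in """
    CreateFunction BatchGetPartitions ListDatabases CreateLock UpdateFunction
    BatchUpdateTables DeleteTableVersion UpdatePartitionColumnStatistics
    ListPartitions DeletePartitionColumnStatistics BatchUpdatePartitions
    GetPartition BatchDeleteTableVersions ListFunctions DeleteTable
    GetTableVersion AbortLock GetTable BatchDeleteTables RenameTable
    RefreshLock DeletePartition UnLock GetLock GetDatabase GetFunction
    BatchCreatePartitions ListPartitionNames RenamePartition CreateTable
    BatchCreateTables UpdateTableColumnStatistics ListTableNames
    UpdateDatabase GetTableColumnStatistics ListFunctionNames
    ListPartitionsByFilter GetPartitionColumnStatistics CreatePartition
    CreateDatabase DeleteTableColumnStatistics ListTableVersions
    BatchDeletePartitions ListCatalogs UpdateTable ListTables
    DeleteDatabase BatchGetTables DeleteFunction""".split()}
REQUIRED_ACTIONS = REQUIRED_OSS_ACTIONS | REQUIRED_DLF_ACTIONS


def documented_policy():
    """The page's custom policy, rebuilt from the action sets above."""
    return {
        "Version": "1",
        "Statement": [
            {"Action": sorted(REQUIRED_OSS_ACTIONS), "Resource": "*", "Effect": "Allow"},
            {"Action": sorted(REQUIRED_DLF_ACTIONS), "Resource": "*", "Effect": "Allow"},
        ],
    }


def documented_policy_json():
    return json.dumps(documented_policy(), indent=2)


def _as_list(value):
    """RAM policies accept either a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(granted, action):
    """True if `action` is granted literally or via a prefix wildcard such as dlf:*."""
    return action in granted or any(
        g.endswith("*") and action.startswith(g[:-1]) for g in granted)


def check_access_policy(doc_text):
    """Compare a custom policy JSON string with the documented action set.

    Returns {"missing": [...], "extra": [...], "warnings": [...]}:
      missing  - required actions not granted (lakehouse operations will fail)
      extra    - Allow actions outside the documented set, wildcards included
      warnings - hardening notes, currently statements with Resource "*"
    """
    doc = json.loads(doc_text)
    granted, warnings = set(), []
    for idx, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never add privilege
        granted.update(_as_list(stmt.get("Action")))
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                warnings.append(
                    f"statement {idx}: Resource is '*'; OSS access can be scoped to the lakehouse bucket")
    return {
        "missing": sorted(a for a in REQUIRED_ACTIONS if not _covers(granted, a)),
        "extra": sorted(granted - REQUIRED_ACTIONS),
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(json.dumps(check_access_policy(documented_policy_json()), indent=2))
```

Running the check on the page's own policy yields no missing and no extra actions and two Resource warnings, one per statement. A policy that grants only oss:GetObject and oss:ListObjects plus dlf:* against a scoped resource such as acs:oss:*:*:lakehouse-bucket/* (a constructed sample bucket name) reports the five missing OSS write and multipart actions and flags dlf:* as broader than the documented list.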