MaxCompute:Grant custom permissions to DLF

Last Updated:Sep 23, 2025

A Resource Access Management (RAM) user for a MaxCompute project cannot access Data Lake Formation (DLF) or Object Storage Service (OSS) without authorization. You can grant custom permissions to the RAM user by adding a trust policy and an access policy. This topic describes how to grant custom permissions to a RAM user for a MaxCompute project.

Background information

In a data lakehouse scenario that uses MaxCompute, DLF, and OSS, a RAM user for the MaxCompute project cannot access DLF without authorization.

  • If the RAM user for the MaxCompute project belongs to the same Alibaba Cloud account that is used to deploy DLF, set the service parameter to odps.aliyuncs.com when you add the trust policy.

  • If the RAM user for the MaxCompute project belongs to a different Alibaba Cloud account than the one used to deploy DLF, set the service parameter to <Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com when you add the trust policy. You can find the Account ID in the Account Center.

Procedure

  1. Log on to the Resource Access Management (RAM) console and create a RAM role for a trusted Alibaba Cloud account.

  2. In the RAM console, modify the trust policy of the new RAM role.

    For more information, see Modify the trust policy of a RAM role. The trust policy is as follows:

    • If the Alibaba Cloud account that creates the MaxCompute project is the same as the account that deploys DLF:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    • If the Alibaba Cloud account that creates the MaxCompute project is different from the account that deploys DLF:

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "<Alibaba Cloud account ID of the MaxCompute project owner>@odps.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  3. In the RAM console, create a custom policy for the new RAM role.

    For more information, see Create a custom policy. The custom policy is as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "oss:ListBuckets",
            "oss:GetObject",
            "oss:ListObjects",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:AbortMultipartUpload",
            "oss:ListParts"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dlf:CreateFunction",
            "dlf:BatchGetPartitions",
            "dlf:ListDatabases",
            "dlf:CreateLock",
            "dlf:UpdateFunction",
            "dlf:BatchUpdateTables",
            "dlf:DeleteTableVersion",
            "dlf:UpdatePartitionColumnStatistics",
            "dlf:ListPartitions",
            "dlf:DeletePartitionColumnStatistics",
            "dlf:BatchUpdatePartitions",
            "dlf:GetPartition",
            "dlf:BatchDeleteTableVersions",
            "dlf:ListFunctions",
            "dlf:DeleteTable",
            "dlf:GetTableVersion",
            "dlf:AbortLock",
            "dlf:GetTable",
            "dlf:BatchDeleteTables",
            "dlf:RenameTable",
            "dlf:RefreshLock",
            "dlf:DeletePartition",
            "dlf:UnLock",
            "dlf:GetLock",
            "dlf:GetDatabase",
            "dlf:GetFunction",
            "dlf:BatchCreatePartitions",
            "dlf:ListPartitionNames",
            "dlf:RenamePartition",
            "dlf:CreateTable",
            "dlf:BatchCreateTables",
            "dlf:UpdateTableColumnStatistics",
            "dlf:ListTableNames",
            "dlf:UpdateDatabase",
            "dlf:GetTableColumnStatistics",
            "dlf:ListFunctionNames",
            "dlf:ListPartitionsByFilter",
            "dlf:GetPartitionColumnStatistics",
            "dlf:CreatePartition",
            "dlf:CreateDatabase",
            "dlf:DeleteTableColumnStatistics",
            "dlf:ListTableVersions",
            "dlf:BatchDeletePartitions",
            "dlf:ListCatalogs",
            "dlf:UpdateTable",
            "dlf:ListTables",
            "dlf:DeleteDatabase",
            "dlf:BatchGetTables",
            "dlf:DeleteFunction"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
  4. Attach the custom policy to the new RAM role.

    For more information, see Grant permissions to a RAM role.
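As an added illustration that is not part of this topic, the following Python builds the two policies from the procedure above (same-account and cross-account trust, then the custom policy) and narrows the OSS statement to named lakehouse buckets rather than Resource "*", with a small lint that reports which OSS actions a policy still grants on every bucket. It assumes the acs:oss:*:*:<bucket> resource format and uses only a subset of the page's DLF action list.

```python
ODPS_SERVICE = "odps.aliyuncs.com"

# OSS actions as listed in step 3; DLF_ACTIONS is a subset of the page's list
# (paste the full list from the procedure when applying this for real).
OSS_ACTIONS = ["oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject",
               "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListParts"]
DLF_ACTIONS = ["dlf:ListCatalogs", "dlf:ListDatabases", "dlf:GetDatabase", "dlf:ListTables",
               "dlf:GetTable", "dlf:ListPartitions", "dlf:GetPartition"]


def build_trust_policy(owner_account_id=None):
    """Step 2: same-account trust uses the bare odps service principal; cross-account
    trust prefixes it with the Alibaba Cloud account ID of the MaxCompute project owner."""
    service = ODPS_SERVICE if owner_account_id is None else f"{owner_account_id}@{ODPS_SERVICE}"
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": [service]}}],
            "Version": "1"}


def build_access_policy(buckets):
    """Step 3, with the OSS statement narrowed to the named lakehouse buckets instead of
    Resource "*". The acs:oss:*:*:<bucket> resource format is an assumption, not taken
    from the page; the DLF statement keeps "*" exactly as the page gives it."""
    scoped = []
    for bucket in buckets:
        scoped += [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"]
    return {"Version": "1", "Statement": [
        # ListBuckets enumerates the account's buckets, so it is granted on the
        # all-buckets resource rather than on a single bucket.
        {"Action": ["oss:ListBuckets"], "Resource": "acs:oss:*:*:*", "Effect": "Allow"},
        {"Action": [a for a in OSS_ACTIONS if a != "oss:ListBuckets"],
         "Resource": scoped, "Effect": "Allow"},
        {"Action": DLF_ACTIONS, "Resource": "*", "Effect": "Allow"}]}


def oss_actions_on_wildcard(policy):
    """Lint: OSS actions that an Allow statement grants on every bucket (Resource "*").
    The page's custom policy trips this for all seven OSS actions; the scoped one does not."""
    found = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            found += [a for a in actions if a.startswith("oss:")]
    return found
```

Run the lint over a policy before attaching it in step 4; an empty result means no OSS data-plane action is granted account-wide.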