MaxCompute uses Resource Access Management (RAM) and Security Token Service (STS) of Alibaba Cloud to secure data access. This topic describes how to use RAM and STS to authorize MaxCompute to access Object Storage Service (OSS), Tablestore, and Hologres.
STS authorization for OSS
To access OSS data by using the external table feature of MaxCompute, you must grant OSS access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to grant OSS access permissions:
Method 1: If your MaxCompute project and the OSS bucket you want to access belong to the same Alibaba Cloud account, log on to the RAM console and perform one-click authorization. We recommend that you use this method.
Method 2: If your MaxCompute project and the OSS bucket you want to access do not belong to the same Alibaba Cloud account, you can customize a RAM role and grant permissions to the RAM role.
Create a RAM role.
Log on to the RAM console by using the Alibaba Cloud account to which the OSS bucket belongs. Create a RAM role on the Roles page in the RAM console. For example, you can create a RAM role named oss-admin.
NoteFor more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.
Modify the policy of the RAM role.
On the Roles page in the RAM console, click the name of the RAM role in the Role Name column. On the page that appears, click the Trust Policy Management tab and click Edit Trust Policy. In the Edit Trust Policy panel, modify the policy. Replace the document of the policy with the following code to allow your MaxCompute project to access the OSS bucket:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "ID of the Alibaba Cloud account to which the MaxCompute project belongs@odps.aliyuncs.com" ] } } ], "Version": "1" }NoteID of the Alibaba Cloud account to which the MaxCompute project belongsindicates the account that is used to access the OSS bucket.For more information about how to modify a policy, see Edit the trust policy of a RAM role.
Create a policy.
On the Policies page in the RAM console, create a policy. In this example, a policy named AliyunODPSRolePolicy is created. The following code provides the policy document. You can specify permissions in the policy based on your business requirements.
{ "Version": "1", "Statement": [ { "Action": [ "oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject", "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListParts" ], "Resource": "*", "Effect": "Allow" } ] }Attach the policy AliyunODPSRolePolicy to the RAM role.
For more information about how to attach a policy to a RAM role, see Grant permissions to a RAM role.
STS authorization for Tablestore
To access Tablestore data by using the external table feature of MaxCompute, you must grant Tablestore access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to grant permissions to the account:
Method 1: If your MaxCompute project and the Tablestore instance you want to access belong to the same Alibaba Cloud account, log on to the RAM console and perform one-click authorization. We recommend that you use this method.
Method 2: If your MaxCompute project and the Tablestore instance you want to access do not belong to the same Alibaba Cloud account, you can customize a RAM role and grant permissions to the RAM role.
Create a RAM role.
Log on to the RAM console by using the Alibaba Cloud account to which the Tablestore instance belongs. Create a RAM role on the Roles page in the RAM console. For example, you can create a RAM role named oss-adminots.
For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.
Modify the policy of the RAM role.
On the Roles page in the RAM console, click the name of the RAM role in the Role Name column. On the page that appears, click the Trust Policy Management tab and click Edit Trust Policy. In the Edit Trust Policy panel, modify the policy. Replace the document of the policy with the following code to allow your MaxCompute project to access the Tablestore instance:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "ID of the Alibaba Cloud account to which the MaxCompute project belongs@odps.aliyuncs.com" ] } } ], "Version": "1" }ID of the Alibaba Cloud account to which the MaxCompute project belongsis the account that is used to access Tablestore.Create a policy.
On the Policies page in the RAM console, create a policy. In this example, a policy named AliyunODPSRolePolicy is created. The following code provides the policy document. You can specify permissions in the policy based on your business requirements.
{ "Version": "1", "Statement": [ { "Action": [ "ots:ListTable", "ots:DescribeTable", "ots:GetRow", "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow", "ots:GetRange", "ots:BatchGetRow", "ots:BatchWriteRow", "ots:ComputeSplitPointsBySize" ], "Resource": "*", "Effect": "Allow" } ] }Attach the policy AliyunODPSRolePolicy to the RAM role.
For more information about how to attach a policy to a RAM role, see Grant permissions to a RAM role.
STS authorization for Hologres
To access Hologres data by using the external table feature of MaxCompute, you must grant Hologres the access permissions to the Alibaba Cloud account that is used to run MaxCompute jobs. You can use one of the following methods to perform authorization for Hologres:
Log on to the RAM console by using the Alibaba Cloud account to which the Hologres instance belongs. Create a RAM role on the Roles page in the RAM console.
Alibaba Cloud Account:
A RAM user of your Alibaba Cloud account can access cloud resources by assuming a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
IdP:
You can log on to the Alibaba Cloud Management Console by using role-based single sign-on (SSO). You can log on without the need to provide a username and password. For more information, see Create a RAM role for a trusted IdP.
Edit the trust policy.
On the Roles page, click the name of the RAM role that you create.
Click the Trust Policy Management tab.
On the Trust Policy Management tab, click Edit Trust Policy.
In the Edit Trust Policy panel, modify the trust policy configuration based on the following content.
The configuration of the trust policy varies based on the type of the trusted entity that you selected.
Alibaba Cloud Account is selected for Select Trusted Entity:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::<UID>:root" ] } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "<UID>@odps.aliyuncs.com" ] } } ], "Version": "1" }IdP is selected for Select Trusted Entity:
{ "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "saml:recipient": "https://signin.aliyun.com/saml-role/sso" } }, "Effect": "Allow", "Principal": { "Federated": [ "acs:ram::<UID>:saml-provider/IDP" ] } }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "<UID>@odps.aliyuncs.com" ] } } ], "Version": "1" }Note<UID> indicates the ID of your Alibaba Cloud account. You can obtain the ID of your Alibaba Cloud account on the Security Settings page of the Account Management console.
Click OK.
Assign the RAM role to the Alibaba Cloud account to which the Hologres instance belongs and grant permissions to the RAM role
Before the RAM role can use the Hologres instance, the role must obtain the required development permissions on the Hologres instance. By default, the RAM role is not granted the permissions to view or manage instances in the Hologres console. You must grant the permissions to the RAM role by using your Alibaba Cloud account. After you assign the RAM role to the Alibaba Cloud account to which the Hologres instance belongs, you can use one of the following methods to grant the permissions to the RAM role:
Use the Hologres console to grant the required permissions to the RAM role.
Log on to the Hologres console.
In the left-side navigation pane, click Instances. On the Hologres Instances page, click the name of the Hologres instance to which you want to add the RAM role.
On the instance details page, click Accounts.
On the User management page, click Add New User to add a RAM role to the Hologres instance.
On the Database Authorization page, grant the development permissions on the instance to the RAM role.
Use an SQL statement to grant the required permissions to the RAM role.
For more information about how to use an SQL statement to grant the required permissions to a RAM user, see Overview.
By default, a RAM user is not granted the permissions to perform operations in the Hologres console. If you want a RAM user to assume the RAM role, you must attach the AliyunRAMReadOnlyAccess policy to the RAM user by using your Alibaba Cloud account. Otherwise, the RAM user cannot perform operations in the Hologres console. For more information, see Grant permissions on Hologres to RAM users.
Hologres also supports dual-signature authentication. For more information, see Create a Hologres foreign table in dual-signature mode.