MaxCompute supports three identity types for authentication: an Alibaba Cloud account, a Resource Access Management (RAM) user, and a RAM role.
Do not use your Alibaba Cloud account for routine MaxCompute operations. The account has unrestricted control over all resources — a leaked AccessKey pair exposes everything. Use RAM users or RAM roles for day-to-day access.
Choose an identity type
Use the following table to select the identity type that matches your scenario.
| Identity type | Credentials | Scenario |
|---|---|---|
| Alibaba Cloud account | Console logon or AccessKey pair | Initial setup and account-level administration only — not for routine use |
| RAM user | AccessKey pair or console logon | Human team members who need persistent, permission-scoped access |
| RAM role | Security Token Service (STS) token | Automated workloads, cross-service access, and enterprise single sign-on (SSO) |
Use an Alibaba Cloud account
The Alibaba Cloud account owner has full operational control over all resources under that account.
Console access
Log on to the MaxCompute console or the DataWorks console with your Alibaba Cloud account. From the console, you can activate MaxCompute, create projects, manage data, manage users, and analyze data.
Programmatic access
Optional: If you do not already have an AccessKey pair, create an Alibaba Cloud account, complete account verification, and create an AccessKey pair. See identity verification and Create an Alibaba Cloud account.
An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to retrieve the AccessKey pair, and the AccessKey secret is used to calculate the signature of a request. Keep both values confidential. To rotate a pair, create a new one and disable the existing one. It takes about 15 minutes for an AccessKey pair to take effect after it is enabled or disabled.
Use one of the following methods:
| Method | How |
|---|---|
| MaxCompute client (odpscmd) | Configure the AccessKey pair in odps_config.ini, then connect. See Install and configure the MaxCompute client. |
| SDK | Use the AccessKey pair with SDK for Java or SDK for Python. |
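Because odps_config.ini stores the AccessKey pair in plaintext, it is worth checking how that file is stored on each workstation. The following Python audit is an added example, not part of the MaxCompute tooling; it assumes the client's `key=value` layout with the `access_id` and `access_key` settings, and the sample values and endpoint are constructed placeholders.

```python
import os
import stat

# Keys that hold the AccessKey pair in odps_config.ini.
SECRET_KEYS = ("access_id", "access_key")

def parse_odps_config(text):
    """Parse key=value lines; the file has no [section] headers."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: blank lines and '#' lines carry no settings.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def inside_git_repo(path):
    """True if any parent directory of path contains a .git entry."""
    current = os.path.dirname(os.path.abspath(path))
    while True:
        if os.path.exists(os.path.join(current, ".git")):
            return True
        parent = os.path.dirname(current)
        if parent == current:
            return False
        current = parent

def audit_odps_config(path):
    """Return findings about how the AccessKey pair in this file is stored."""
    with open(path, encoding="utf-8") as fh:
        settings = parse_odps_config(fh.read())
    if not any(settings.get(key) for key in SECRET_KEYS):
        return []  # no credentials in the file, nothing to protect
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {mode:o}: accessible beyond the owner")
    if inside_git_repo(path):
        findings.append("inside a Git working tree: may be committed")
    return findings

# Constructed sample; the values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
project_name=demo_project
access_id=EXAMPLE_ACCESS_KEY_ID
access_key=EXAMPLE_ACCESS_KEY_SECRET
end_point=https://maxcompute.example.invalid/api
"""
```

The permission check reads POSIX mode bits, so it is meaningful on Linux and macOS workstations only.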
Use a RAM user
RAM users are identities created under your Alibaba Cloud account. Assign RAM users to team members who need scoped, ongoing access to MaxCompute.
By default, MaxCompute projects recognize only the Alibaba Cloud account system. To allow RAM users to access a project, first enable the RAM account system for that project.
When MaxCompute authenticates a RAM user, it checks the user's identity but does not enforce the permission definitions configured in RAM. MaxCompute projects recognize only the RAM account system's identity, not the original RAM permissions.
Step 1: Enable the RAM account system (Optional)
If the RAM account system is not already enabled for your MaxCompute project, perform the following steps:
Log on to the MaxCompute client (odpscmd).
Run the following command to add the RAM account system:
```
add accountprovider ram;
```
Confirm the RAM account system is active:
```
list accountproviders;
```
The output should include ram.
Step 2: Create a RAM user and add them to the project
Create a RAM user and grant the required permissions. See Prepare a RAM user.
Add the RAM user to the MaxCompute project and assign a role. See Add workspace members and assign roles to them.
Use a RAM role
A RAM role is a virtual identity within your Alibaba Cloud account. Unlike RAM users, RAM roles do not have an account, a logon password, or an AccessKey pair. A trusted entity assumes the role and receives a temporary STS token for authentication.
RAM roles suit two scenarios:
Role-based SSO: Alibaba Cloud acts as the service provider (SP) and the enterprise's identity management system acts as the identity provider (IdP). Employees log on to Alibaba Cloud using a specific RAM role. The enterprise manages users in the local IdP without synchronizing them to Alibaba Cloud.
Cross-service access: Grant a trusted Alibaba Cloud service the ability to access MaxCompute by assuming a RAM role. MaxCompute manages the role's permissions the same way it manages RAM user permissions — including permissions to create data objects, execute jobs, write data, and read data.
Set up RAM role access
Create a RAM role and define its trust policy. Choose the guide based on your trusted entity: To edit the trust policy after creation, see Edit the trust policy of a RAM role.
Add the RAM role to the MaxCompute project. See Add a RAM role (project-level).
Configure the trusted entity to assume the role and access MaxCompute using the STS token. See Overview.
Next steps
Prepare a RAM user — create and configure a RAM user for MaxCompute access
Create an Alibaba Cloud account — if you do not yet have an account
Install and configure the MaxCompute client — set up odpscmd for programmatic access