You can access a MaxCompute project by using an Alibaba Cloud account, a Resource Access Management (RAM) user, or a RAM role. This topic describes these three access methods.
Background information
- Use an Alibaba Cloud account to access MaxCompute
  The owner of the Alibaba Cloud account has full operational control over all the resources that belong to this account.
- Use a RAM user to access MaxCompute
  If you want to invite other users to use MaxCompute, you can create a RAM user and grant required permissions to the RAM user.
- Use a RAM role to access MaxCompute
  A RAM role is a virtual RAM identity that you can create within your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after the role is assumed by a trusted entity.
Use an Alibaba Cloud account to access MaxCompute
To access MaxCompute with an Alibaba Cloud account, perform the following steps:
Use a RAM user to access MaxCompute
By default, MaxCompute projects recognize only the Alibaba Cloud account system. You can manually add support for the RAM account system. To access MaxCompute by using the credentials of a RAM user, perform the following steps:
Use a RAM role to access MaxCompute
A RAM role does not represent a specific individual. A RAM role can be assumed by other users. In addition, a RAM role does not have an account, a password, or an AccessKey pair for identity authentication. You must use a temporary security token issued by Security Token Service (STS) for identity authentication.
- Role-based SSO: If Alibaba Cloud and the identity management system of an enterprise work together to implement role-based SSO, Alibaba Cloud is the service provider (SP) and the identity management system is the identity provider (IdP). Role-based SSO allows the enterprise to manage users in the local IdP without the need to synchronize users from the IdP to Alibaba Cloud. In addition, employees of the enterprise can log on to Alibaba Cloud by using a specific RAM role.
- Cross-service access: Create a RAM role for a trusted Alibaba Cloud service. This way, the trusted Alibaba Cloud service can use this RAM role to access another service. MaxCompute allows you to add the RAM role to a MaxCompute project in the same way that you add a common RAM user. MaxCompute manages the permissions of the RAM role in the same way that it manages the permissions of a common RAM user, such as granting the permissions to create data objects, execute jobs, write data, and read data. Other services can assume this RAM role to access MaxCompute projects for data management, data analysis, and data exchange.
- Create a RAM role and define the trust policy of the RAM role. For more information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, or Create a RAM role for a trusted Alibaba Cloud service. For more information about how to define the trust policy of a RAM role, see Edit the trust policy of a RAM role.
- Add the RAM role to a MaxCompute project. For more information, see Add a RAM role (project-level).
- Use the RAM role to access the MaxCompute project. For more information, see Overview.
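
Because a RAM role can be used only by the entities its trust policy names, it is worth reviewing that policy before you add the role to a project. The following Python sketch is an added example, not Alibaba Cloud code. It assumes the trust policy is a RAM policy document with `Statement`, `Effect`, `Action`, and `Principal` fields. The function names, account ID, and user, provider, and service names are hypothetical, and the three checks were chosen for illustration.

```python
import re

# Principal keys mapped to the trusted-entity types named on this page.
ENTITY_TYPES = {"RAM": "Alibaba Cloud account", "Federated": "IdP", "Service": "Alibaba Cloud service"}
RAM_ARN = re.compile(r"^acs:ram::\d+:(root|user/.+|role/.+)$")

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    value = [] if value is None else value
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return (entity_type, principal, findings) per principal allowed to assume the role."""
    results = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        for key, values in stmt.get("Principal", {}).items():
            for principal in as_list(values):
                findings = []
                if key not in ENTITY_TYPES:
                    findings.append("unknown principal type")
                elif key == "RAM":
                    match = RAM_ARN.match(principal)
                    if not match:
                        findings.append("unrecognized RAM principal")
                    elif match.group(1) == "root":
                        findings.append("whole account trusted, not one user or role")
                elif key == "Federated" and not stmt.get("Condition"):
                    findings.append("federated trust has no Condition")
                results.append((ENTITY_TYPES.get(key, "unknown"), principal, findings))
    return results

def make_policy(principal, effect="Allow"):
    """Build a constructed single-statement trust policy for the samples below."""
    return {"Version": "1", "Statement": [
        {"Effect": effect, "Action": "sts:AssumeRole", "Principal": principal}]}

# Constructed samples; the account ID, user, provider and service names are placeholders.
SAMPLES = {
    "account-wide": make_policy({"RAM": ["acs:ram::100000000000001:root"]}),
    "single-user": make_policy({"RAM": ["acs:ram::100000000000001:user/etl-operator"]}),
    "idp": make_policy({"Federated": ["acs:ram::100000000000001:saml-provider/example-idp"]}),
    "service": make_policy({"Service": ["example-service.aliyuncs.com"]}),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, audit_trust_policy(policy))
```

A principal with an empty findings list passed these three checks only. The permissions that MaxCompute grants to the role inside the project still need their own review.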