This topic describes how to assign a Resource Access Management (RAM) role to an account that uses Realtime Compute for Apache Flink in exclusive mode.

Assign a RAM role to an account

You must assign a RAM role to your Alibaba Cloud account before you use Realtime Compute for Apache Flink.

  1. Click Authorize to go to the authorization page.
    Note: If you do not assign the default RAM role to your Alibaba Cloud account, the preceding message appears when you use Realtime Compute for Apache Flink.
  2. Click AliyunStreamDefaultRole and click Authorize.
    Note: After your account is assigned the RAM role, refresh the page in the Realtime Compute for Apache Flink console. Then, you can perform operations in the console.

View the authorization information about the current role

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Roles. On the Roles page, click AliyunStreamDefaultRole in the Role Name column of the role list.
  3. On the AliyunStreamDefaultRole page, click AliyunStreamRolePolicy in the Policy column on the Permissions tab.
  4. On the Policy Document tab, view the current policy information of Realtime Compute for Apache Flink.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ots:List*",
            "ots:DescribeTable",
            "ots:Get*",
            "ots:*Row"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "dhs:Create*",
            "dhs:List*",
            "dhs:Get*",
            "dhs:PutRecords",
            "dhs:DeleteTopic"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "log:List*",
            "log:Get*",
            "log:Post*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "mns:List*",
            "mns:Get*",
            "mns:Send*",
            "mns:Publish*",
            "mns:Subscribe"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "drds:DescribeDrdsInstance",
            "drds:ModifyDrdsIpWhiteList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "rds:Describe*",
            "rds:ModifySecurityIps*"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:AttachNetworkInterface",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:CreateNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "oss:*",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
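
When reviewing this policy for least privilege, the grants to look at first are the wildcard actions that reach beyond read operations, because every statement applies to Resource "*". The following is an added example, not part of the original documentation or Alibaba Cloud tooling; the function names and the read-verb list are assumptions made for illustration.

```python
# Actions copied from the AliyunStreamRolePolicy document above, one entry per
# statement (each statement is Effect "Allow" on Resource "*").
PAGE_ACTIONS = [
    ["ots:List*", "ots:DescribeTable", "ots:Get*", "ots:*Row"],
    ["dhs:Create*", "dhs:List*", "dhs:Get*", "dhs:PutRecords", "dhs:DeleteTopic"],
    ["log:List*", "log:Get*", "log:Post*"],
    ["mns:List*", "mns:Get*", "mns:Send*", "mns:Publish*", "mns:Subscribe"],
    ["drds:DescribeDrdsInstance", "drds:ModifyDrdsIpWhiteList"],
    ["rds:Describe*", "rds:ModifySecurityIps*"],
    ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
    ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
     "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
     "ecs:AttachNetworkInterface", "ecs:DescribeNetworkInterfacePermissions",
     "ecs:CreateNetworkInterfacePermission"],
    "oss:*",  # this statement uses a plain string, not a list
]
POLICY = {"Version": "1", "Statement": [
    {"Action": a, "Resource": "*", "Effect": "Allow"} for a in PAGE_ACTIONS]}

# Assumption: action names starting with these verbs only read data.
READ_VERBS = ("List", "Get", "Describe")

def as_list(value):
    """RAM policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def broad_grants(policy):
    """Return (action, kind) for wildcard Allow grants on Resource "*" that
    are not limited to read verbs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if name == "*":
                findings.append((action, "full-service"))
            elif "*" in name and not name.startswith(READ_VERBS):
                findings.append((action, "wildcard-beyond-read"))
    return findings

if __name__ == "__main__":
    for action, kind in broad_grants(POLICY):
        print(f"{kind:22} {action}")
```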

Attach a policy to a RAM role

After you create a RAM role, you can attach a specific policy to the RAM role.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, configure Name and Note. In this example, the policy name is AliyunStreamDefaultRolePolicy.
  5. In the code editor below Policy Document, enter the following code and click OK:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:CreateSecurityGroup",
            "ecs:AuthorizeSecurityGroup",
            "ecs:CreateNetworkInterface",
            "ecs:DescribeNetworkInterfaces",
            "ecs:AttachNetworkInterface",
            "ecs:DescribeNetworkInterfacePermissions",
            "ecs:CreateNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
    Note: You can delete the following permissions after you create a cluster:
    • ecs:CreateSecurityGroup
    • ecs:AuthorizeSecurityGroup
  6. In the left-side navigation pane, click Roles. On the Roles page, find AliyunStreamDefaultRole in the role list and click Add Permissions in the Actions column.
  7. In the Add Permissions panel, click Custom Policy in the Select Policy section and enter AliyunOSSFullAccess in the search box below Custom Policy.
  8. Click AliyunOSSFullAccess in the Authorization Policy Name column.
  9. In the Add Permissions panel, click Custom Policy in the Select Policy section.
  10. In the search box below Custom Policy of the Select Policy section, enter AliyunStreamDefaultRolePolicy.
  11. Click AliyunStreamDefaultRolePolicy in the Authorization Policy Name column.
  12. Click OK.
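
The Note in step 5 says two ECS permissions can be deleted once the cluster exists. The following added example, which is not part of the original documentation, produces the trimmed policy document and reports any removable action that a remaining wildcard pattern would still allow; the function names are hypothetical, and shell-style, case-sensitive wildcard matching is an assumption.

```python
import copy
from fnmatch import fnmatchcase

# Policy document from step 5 above (AliyunStreamDefaultRolePolicy).
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup",
                    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DescribeNetworkInterfacePermissions",
                    "ecs:CreateNetworkInterfacePermission"],
         "Resource": "*", "Effect": "Allow"},
    ],
}
# The two permissions the Note says can be deleted after cluster creation.
POST_CREATE_REMOVABLE = ["ecs:CreateSecurityGroup", "ecs:AuthorizeSecurityGroup"]

def as_list(value):
    """RAM policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def trim_policy(policy, removable):
    """Return (trimmed_policy, still_granted). The input is not modified.
    still_granted lists removable actions that a wildcard left in an Allow
    statement continues to match, so deleting the exact names revoked nothing."""
    trimmed = copy.deepcopy(policy)
    kept = []
    for stmt in trimmed["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Action"] = [a for a in as_list(stmt.get("Action", []))
                              if a not in removable]
            if not stmt["Action"]:
                continue  # drop a statement left with no actions
        kept.append(stmt)
    trimmed["Statement"] = kept
    still_granted = sorted({
        r for stmt in kept if stmt.get("Effect") == "Allow"
        for pattern in stmt["Action"]
        for r in removable if fnmatchcase(r, pattern)
    })
    return trimmed, still_granted
```

Run the same check on every policy attached to the role: the AliyunStreamRolePolicy document shown earlier on this page also lists both actions.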