This topic describes how to connect Tablestore and MaxCompute across different Alibaba Cloud accounts.
Prerequisites
Cross-account access requires two Alibaba Cloud accounts. In this guide, Account A grants access permissions to Account B. This allows Account B to use MaxCompute to access Account A's Tablestore data. The basic account information is as follows:
Replace these values with your actual information.
|
Item |
Tablestore |
MaxCompute |
|
Alibaba Cloud account name |
Account A |
Account B |
|
UID |
1234567890**** |
5678901234**** |
Before you use MaxCompute to access Tablestore across accounts, complete the following tasks:
-
On the MaxCompute product details page, activate MaxCompute for Account B and create a workspace. For more information, see Create a workspace.
-
Obtain the AccessKey pairs for Account A and Account B. For more information, see Obtain an AccessKey pair.
-
In Account A, create a Resource Access Management (RAM) role for a trusted Alibaba Cloud account and configure its trust policy. For more information, see Create a RAM role for an Alibaba Cloud account and Modify the trust policy for a RAM role.
NoteIn the policy, 5678901234**** is the UID of Account B.
In this example, the RAM role is named aliyunodpsroleforotheruser. The following sample trust policy allows the MaxCompute service in Account B to assume this RAM role.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "5678901234****@odps.aliyuncs.com" ] } } ], "Version": "1" } -
Record the ARN of the aliyunodpsroleforotheruser RAM role from Account A, for example, acs:ram::1234567890****:role/aliyunodpsroleforotheruser. You need this role ARN to create the external table. After creating the role, copy its ARN from the basic information section on the RAM role details page. The ARN format is
acs:ram::UID_of_Account_A:role/aliyunodpsroleforotheruser. -
Create a custom permission policy and attach it to the aliyunodpsroleforotheruser RAM role in Account A. For more information, see Create a custom policy and Manage permissions for a RAM role.
The following sample permission policy grants the RAM role read and write permissions on the Tablestore instance named cap1 and all its data tables in the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ots:*", "Resource": [ "acs:ots:cn-hangzhou:1234567890****:instance/cap1", "acs:ots:cn-hangzhou:1234567890****:instance/cap1/table/*" ], "Condition": {} } ] }For more information about custom permissions, see Custom RAM policy.
-
In the Tablestore console, create an instance and a data table. For more information, see Create instance and Create a data table.
In this example, the Tablestore instance and data table use the following configuration:
-
Instance name: cap1
-
Data table name: vehicle_track
-
Primary keys: vid (integer), gt (integer)
-
Endpoint:
https://cap1.cn-hangzhou.ots-internal.aliyuncs.comNoteUse the private endpoint of the Tablestore instance for access from MaxCompute.
-
Ensure that the network type for the instance is set to Any Network.
-
Use MaxCompute to access Tablestore
The procedure for cross-account access is similar to same-account access, but you must specify the role ARN when you create the external table.
Account B uses MaxCompute to create an external table and specifies the role ARN from the Prerequisites section to access Tablestore.
CREATE EXTERNAL TABLE ads_log_ots_pt_external
(
vid bigint,
gt bigint,
longitude double,
latitude double,
distance double,
speed double,
oil_consumption double
)
STORED BY 'com.aliyun.odps.TableStoreStorageHandler'
WITH SERDEPROPERTIES (
'tablestore.columns.mapping'=':vid, :gt, longitude, latitude, distance, speed, oil_consumption',
'tablestore.table.name'='vehicle_track',
'odps.properties.rolearn'='acs:ram::1234567890****:role/aliyunodpsroleforotheruser'
)
LOCATION 'tablestore://cap1.cn-hangzhou.ots-internal.aliyuncs.com'
USING 'odps-udf-example.jar'