All Products
Search
Document Center

Tablestore:Cross-account authorization

Last Updated:Jun 20, 2026

This topic describes how to connect Tablestore and MaxCompute across different Alibaba Cloud accounts.

Prerequisites

Cross-account access requires two Alibaba Cloud accounts. In this guide, Account A grants access permissions to Account B. This allows Account B to use MaxCompute to access Account A's Tablestore data. The basic account information is as follows:

Note

Replace these values with your actual information.

Item

Tablestore

MaxCompute

Alibaba Cloud account name

Account A

Account B

UID

1234567890****

5678901234****

Before you use MaxCompute to access Tablestore across accounts, complete the following tasks:

  • On the MaxCompute product details page, activate MaxCompute for Account B and create a workspace. For more information, see Create a workspace.

  • Obtain the AccessKey pairs for Account A and Account B. For more information, see Obtain an AccessKey pair.

  • In Account A, create a Resource Access Management (RAM) role for a trusted Alibaba Cloud account and configure its trust policy. For more information, see Create a RAM role for an Alibaba Cloud account and Modify the trust policy for a RAM role.

    Note

    In the policy, 5678901234**** is the UID of Account B.

    In this example, the RAM role is named aliyunodpsroleforotheruser. The following sample trust policy allows the MaxCompute service in Account B to assume this RAM role.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "5678901234****@odps.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
                            
  • Record the ARN of the aliyunodpsroleforotheruser RAM role from Account A, for example, acs:ram::1234567890****:role/aliyunodpsroleforotheruser. You need this role ARN to create the external table. After creating the role, copy its ARN from the basic information section on the RAM role details page. The ARN format is acs:ram::UID_of_Account_A:role/aliyunodpsroleforotheruser.

  • Create a custom permission policy and attach it to the aliyunodpsroleforotheruser RAM role in Account A. For more information, see Create a custom policy and Manage permissions for a RAM role.

    The following sample permission policy grants the RAM role read and write permissions on the Tablestore instance named cap1 and all its data tables in the China (Hangzhou) region.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ots:*",
          "Resource": [
          "acs:ots:cn-hangzhou:1234567890****:instance/cap1",
          "acs:ots:cn-hangzhou:1234567890****:instance/cap1/table/*"
          ],
          "Condition": {}
        }
      ]
    }

    For more information about custom permissions, see Custom RAM policy.

  • In the Tablestore console, create an instance and a data table. For more information, see Create instance and Create a data table.

    In this example, the Tablestore instance and data table use the following configuration:

    • Instance name: cap1

    • Data table name: vehicle_track

    • Primary keys: vid (integer), gt (integer)

    • Endpoint: https://cap1.cn-hangzhou.ots-internal.aliyuncs.com

      Note

      Use the private endpoint of the Tablestore instance for access from MaxCompute.

    • Ensure that the network type for the instance is set to Any Network.

Use MaxCompute to access Tablestore

The procedure for cross-account access is similar to same-account access, but you must specify the role ARN when you create the external table.

Account B uses MaxCompute to create an external table and specifies the role ARN from the Prerequisites section to access Tablestore.

CREATE EXTERNAL TABLE ads_log_ots_pt_external
(
vid bigint,
gt bigint,
longitude double,
latitude double,
distance double,
speed double,
oil_consumption double
)
STORED BY 'com.aliyun.odps.TableStoreStorageHandler'
WITH SERDEPROPERTIES (
'tablestore.columns.mapping'=':vid, :gt, longitude, latitude, distance, speed, oil_consumption',
'tablestore.table.name'='vehicle_track',
'odps.properties.rolearn'='acs:ram::1234567890****:role/aliyunodpsroleforotheruser'
)
LOCATION 'tablestore://cap1.cn-hangzhou.ots-internal.aliyuncs.com'
USING 'odps-udf-example.jar'