Tablestore: Cross-account authorization

Last Updated: May 07, 2026

This topic explains how to authorize MaxCompute in one Alibaba Cloud account to access Tablestore resources in a different account.

Prerequisites

To enable cross-account access, you need two Alibaba Cloud accounts. Account A, which owns the Tablestore resources, grants permissions to Account B. This allows MaxCompute in Account B to access the data in Account A. The following table outlines the accounts used in this example.

Note

The information in this topic is provided as an example. Replace the example values with your actual information.

Item                          Tablestore        MaxCompute
Alibaba Cloud account name    Account A         Account B
UID                           1234567890****    5678901234****

Before you use MaxCompute to access Tablestore resources across accounts, complete the following steps:

  • For Account B, activate MaxCompute on the MaxCompute product details page and create a workspace. For more information, see Create a workspace.

  • Obtain the AccessKey pair for both Account A and Account B. For more information, see Obtain an AccessKey pair.

  • In Account A, create a RAM role with Alibaba Cloud account as the trusted entity, and then configure its trust policy. For more information, see Create a RAM role for an Alibaba Cloud account and Modify the trust policy of a RAM role.

    Note

    In the policy, 5678901234**** is the UID of Account B.

    The following sample trust policy allows the MaxCompute service in Account B to assume this RAM role.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "5678901234****@odps.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
                            
  • Record the ARN of the AliyunODPSRoleForOtherUser RAM role from Account A. You will need this role ARN when you create the external table. Example: acs:ram::1234567890****:role/aliyunodpsroleforotheruser

  • Create a policy and attach it to the AliyunODPSRoleForOtherUser RAM role in Account A. For more information, see Create a custom policy and Manage permissions for a RAM role.

    The following sample policy uses the wildcard action ots:* to grant the RAM role read and write permissions on the instance named cap1 and all of its tables. The instance belongs to Account A and is located in the China (Hangzhou) region.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ots:*",
          "Resource": [
            "acs:ots:cn-hangzhou:1234567890****:instance/cap1",
            "acs:ots:cn-hangzhou:1234567890****:instance/cap1/table/*"
          ],
          "Condition": {}
        }
      ]
    }

    For more information about custom policies, see Custom RAM policies.

  • In the Tablestore console, create an instance and a data table. For more information, see Create an instance and Create a data table.

    In this example, the Tablestore instance and data table are configured as follows:

    • Instance name: cap1

    • Data table name: vehicle_track

    • Primary keys: vid (integer), gt (integer)

    • Endpoint: https://cap1.cn-hangzhou.ots-internal.aliyuncs.com

      Note

      When you use MaxCompute to access Tablestore, we recommend that you use the private endpoint of the Tablestore instance.

    • Ensure the instance's network access control is set to Any Network.

Use MaxCompute to access Tablestore

The procedure for cross-account access is identical to same-account access, except that you must specify the role ARN when you create the external table.

In Account B, create an external table in MaxCompute. To grant access to Tablestore, specify the ARN of the RAM role that you created in the Prerequisites section.

-- Run in Account B. vid and gt are the primary key columns of vehicle_track;
-- the leading colon in the column mapping marks a primary key column.
-- odps.properties.rolearn is the ARN of the RAM role in Account A.
CREATE EXTERNAL TABLE ads_log_ots_pt_external
(
    vid bigint,
    gt bigint,
    longitude double,
    latitude double,
    distance double,
    speed double,
    oil_consumption double
)
STORED BY 'com.aliyun.odps.TableStoreStorageHandler'
WITH SERDEPROPERTIES (
    'tablestore.columns.mapping'=':vid, :gt, longitude, latitude, distance, speed, oil_consumption',
    'tablestore.table.name'='vehicle_track',
    'odps.properties.rolearn'='acs:ram::1234567890****:role/aliyunodpsroleforotheruser'
)
LOCATION 'tablestore://cap1.cn-hangzhou.ots-internal.aliyuncs.com'
USING 'odps-udf-example.jar';
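
The trust policy, the permission policy, and the external table definition must agree on the two UIDs, the instance, and the region. The following Python check is an added example, not part of the original topic or of any Alibaba Cloud tooling: it cross-checks the three pieces before the role is put into use. The function name check_cross_account is hypothetical, the inputs are the masked example values from this topic, and the LOCATION host is assumed to have the form <instance>.<region>.<domain>.

```python
import re

# Constructed inputs: the masked example values used in this topic.
OWNER_UID, CONSUMER_UID = "1234567890****", "5678901234****"
TRUST = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["5678901234****@odps.aliyuncs.com"]}}]}
PERM = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ots:*",
    "Resource": ["acs:ots:cn-hangzhou:1234567890****:instance/cap1",
                 "acs:ots:cn-hangzhou:1234567890****:instance/cap1/table/*"]}]}
ROLE_ARN = "acs:ram::1234567890****:role/aliyunodpsroleforotheruser"
LOCATION = "tablestore://cap1.cn-hangzhou.ots-internal.aliyuncs.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_cross_account(trust, perm, role_arn, location, owner_uid, consumer_uid):
    """Hypothetical helper: return findings; an empty list means all pieces agree."""
    findings = []
    # 1. Only Account B's MaxCompute service principal may assume the role.
    expected, seen = f"{consumer_uid}@odps.aliyuncs.com", False
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for kind, values in st.get("Principal", {}).items():
            for p in _as_list(values):
                if kind == "Service" and p == expected:
                    seen = True
                else:
                    findings.append(f"trust policy allows unexpected principal {kind}:{p}")
    if not seen:
        findings.append(f"trust policy does not allow {expected}")
    # 2. The role ARN used in the DDL must name a role in Account A.
    arn = re.fullmatch(r"acs:ram::([^:]+):role/[^/]+", role_arn)
    if not arn or arn.group(1) != owner_uid:
        findings.append(f"role ARN {role_arn} is not a role in account {owner_uid}")
    # 3. Resources must stay inside LOCATION's instance and region (assumed host form).
    host = re.fullmatch(r"tablestore://([^.]+)\.([^.]+)\..+", location)
    if not host:
        return findings + [f"cannot parse LOCATION {location}"]
    prefix = f"acs:ots:{host.group(2)}:{owner_uid}:instance/{host.group(1)}"
    for st in perm.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            if res != prefix and not res.startswith(prefix + "/"):
                findings.append(f"policy resource {res} is outside {prefix}")
    return findings
```

With the values from this topic the function returns an empty list. A trust policy that names a different UID, or a resource such as instance/cap10 or instance/*, produces a finding.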