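When you enable the OSS data management feature, the system automatically creates a service-linked role named AliyunServiceRoleForDataworksDataMap to access OSS resources. This topic describes the service-linked role.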

About AliyunServiceRoleForDataworksDataMap

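  • Role name: AliyunServiceRoleForDataworksDataMap
  • Role permission policy: AliyunServiceRolePolicyForDataworksDataMap
  • Permission description: the service-linked role for DataWorks, the big data development and governance platform. DataWorks uses this role to access your resources in OSS and to perform statistical analysis on them.
  • What the permissions are used for: to obtain access to buckets that carry the access_by=DW-OSS-MANAGE tag, including enabling/disabling bucket inventory, enabling/disabling access logging, getting bucket information, listing objects, and reading objects.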
{
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetBucketInventory",
                "oss:PutBucketInventory",
                "oss:DeleteBucketInventory",
                "oss:GetBucketLogging",
                "oss:PutBucketLogging",
                "oss:DeleteBucketLogging",
                "oss:ListObjects",
                "oss:ListObjectsV2",
                "oss:GetBucketInfo",
                "oss:GetBucketStat"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "oss:BucketTag/access_by": [
                        "DW-OSS-MANAGE"
                    ]
                }
            }
        },
        {
            "Action": [
                "oss:ListBuckets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "datamap.dataworks.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
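
How the tag condition in the policy above scopes the role, as an added example that is not part of the original page or Alibaba Cloud's code. It is a simplified evaluator (exact action match, Allow statements and StringEquals only; an assumption, not the RAM engine) run over constructed request contexts, and the names is_allowed and unconditioned_actions are hypothetical.

```python
import json

# Role policy as shown on this page.
ROLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["oss:GetObject", "oss:GetBucketInventory", "oss:PutBucketInventory",
              "oss:DeleteBucketInventory", "oss:GetBucketLogging", "oss:PutBucketLogging",
              "oss:DeleteBucketLogging", "oss:ListObjects", "oss:ListObjectsV2",
              "oss:GetBucketInfo", "oss:GetBucketStat"],
   "Effect": "Allow", "Resource": "*",
   "Condition": {"StringEquals": {"oss:BucketTag/access_by": ["DW-OSS-MANAGE"]}}},
  {"Action": ["oss:ListBuckets"], "Effect": "Allow", "Resource": "*"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "datamap.dataworks.aliyuncs.com"}}}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, context):
    """Simplified model: an Allow statement matches when the action is listed
    and every StringEquals key in its Condition matches the request context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) in _as_list(vals) for key, vals in conds.items()):
            return True
    return False

def unconditioned_actions(policy):
    """Actions allowed on Resource "*" by a statement with no Condition block."""
    return [a for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _as_list(s["Resource"])
            and "Condition" not in s
            for a in _as_list(s["Action"])]

# Constructed request contexts: a tagged bucket, a differently tagged one, an untagged one.
TAGGED = {"oss:BucketTag/access_by": "DW-OSS-MANAGE"}
OTHER_TAG = {"oss:BucketTag/access_by": "example-other-owner"}
UNTAGGED = {}

if __name__ == "__main__":
    for name, ctx in [("tagged", TAGGED), ("other tag", OTHER_TAG), ("untagged", UNTAGGED)]:
        print(name, {a: is_allowed(ROLE_POLICY, a, ctx)
                     for a in ("oss:GetObject", "oss:PutBucketLogging", "oss:ListBuckets")})
    print("allowed without any condition:", unconditioned_actions(ROLE_POLICY))
```

Because the scope is decided by the bucket tag, permission to edit bucket tags determines which buckets the role can read; oss:ListBuckets is the only action in the policy that carries no condition.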

Impact of deleting the service-linked role

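You can delete the AliyunServiceRoleForDataworksDataMap role at any time. If you delete the role, you can no longer use the OSS data management feature. For details, see Delete a service-linked role.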

Permissions required for a sub-account to create the service-linked role

When a sub-account creates the service-linked role AliyunServiceRoleForDataworksDataMap, you must add the DataWorksFullAccess policy or the following policy to the role.
{
    "Version": "1",
    "Statement": [
        {
            "Action": "dataworks:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "datamap.dataworks.aliyuncs.com"
                }
            }
        }
    ]
}