To access a MaxCompute or Hologres project owned by another Alibaba Cloud account, you must add it as a data source in your current account. This enables cross-account data access.
Limitations
- You cannot use cross-account data sources for data development or scheduling. To perform these operations, you must create a data source within your own account. For more information, see Bind a MaxCompute compute engine and Bind a Hologres compute engine.
- When you create a cross-account data source, you can only access the project by using a RAM role.
Prerequisites
- Two Alibaba Cloud accounts are created, referred to as Account A and Account B in this topic. For more information about how to create an account, see Sign up for an Alibaba Cloud account.
  - Alibaba Cloud account A: The consumer that creates the cross-account data source by using the credentials of Account B.
  - Alibaba Cloud account B: The resource provider that provides credentials to Account A, enabling it to create the cross-account data source.
- Ensure the data resources to be shared are ready in Account B. For example, a MaxCompute project or a Hologres instance and database have been created.
  - Scenario 1 (Accessing MaxCompute): In Alibaba Cloud account B, a MaxCompute project has been created to serve as the target project for the cross-account data source. To create a MaxCompute project, see Create a MaxCompute project.
  - Scenario 2 (Accessing Hologres): In Alibaba Cloud account B, you have purchased a Hologres instance and created a database.
Step 1: Create and authorize a RAM role
Create a RAM role and trust policy
Using Account B, log on to the RAM console to create a RAM role and add Account A as a trusted account. Account A can then assume this role to access the authorized resources.
- Create a RAM role.
  For details, see Create a RAM role for a trusted Alibaba Cloud account.
  Note: The RAM role created here is used by Account A to access DataWorks in Account B. If this RAM role is also required to access DataWorks in Account A, you must redefine its permission policy. For more information, see Define a permission policy for a RAM role.
  Key parameter configurations are as follows:
  - Principal Type: Alibaba Cloud Account.
  - Principal: Other Alibaba Cloud Account. Enter the UID of Account A. You can obtain the UID by logging on to the console with Account A and hovering the pointer over the profile picture in the top navigation bar.
  - Role Name: testRole.
  After the configuration is complete, Account A can assume the testRole role to access the authorized resources.
- Modify the trust policy.
  After creating the role, go to the Trust Policy tab, click Edit Trust Policy, and replace the policy content with the following code. This allows the DataWorks service of Account A to assume this role. For more information, see Modify the trust policy of a RAM role.
  ```json
  {
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "UID of Account A@engine.dataworks.aliyuncs.com"
          ]
        }
      }
    ],
    "Version": "1"
  }
  ```
  Replace UID of Account A with the actual UID of Account A.
Configure a permission policy for the RAM role
Scenario 1: Authorize access to MaxCompute
- In Account B, go to the target MaxCompute project.
  You can use the SQL analysis feature in the MaxCompute console to quickly access the MaxCompute project. For more information, see Connect by using SQL analysis.
  For more information about connection tools, see Select a connection tool.
- Add the RAM role to the MaxCompute project.
  - Add the testRole role that you created in Step 1 to the MaxCompute project. The SQL statement format is as follows:
    ```sql
    -- Add the RAM role to the MaxCompute project.
    add user `RAM$<account_name>:role/<ram_role_name>`;
    -- View all users in the project.
    list users;
    -- View the permissions granted to the RAM role.
    show grants for `RAM$<account_name>:role/<ram_role_name>`;
    ```
    Parameters:
    - <account_name>: The name of Account B.
    - <ram_role_name>: The name of the role created in Step 1, which is testRole.
  - Grant permissions to the role as needed. For more information, see Authorization.
    Note: You can grant permissions to the RAM role in advance based on how the workspace in Account A will use the data source. For example, if you want to query a table in the data source of Account B from the workspace of Account A, make sure that the RAM role configured for the data source has the SELECT permission on the table.
Scenario 2: Authorize access to Hologres
- Modify the role's permission policy (Hologres only).
  - In the RAM console of Account B, create a custom policy to grant the permissions required to access the Hologres instance. The policy content is as follows:
    ```json
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "hologram:GetInstance",
            "hologram:DescribeInstance",
            "hologram:ListDatabases",
            "hologram:ListWarehouses",
            "hologram:ListInstances"
          ],
          "Resource": "*"
        }
      ]
    }
    ```
  - Attach this policy to the testRole role. For more information, see Manage permissions for a RAM role.
- Add the RAM role to the Hologres database.
  Add and authorize the role in Hologres. Log on to the Hologres management console by using Account B and open the HoloWeb interface for the target instance.
  - On the Security Center > User Management page, add the created RAM role as a database user.
    In the Add User dialog box, select the created RAM role, such as testRole, in the Select Organization Members section. In the Select Member Role section, select Regular User and click Confirm.
  - If the role is a regular user, you must grant database-level permissions to the user on the Security Center > DB Authorization page.
    Click Add Authorization. In the dialog box that appears, select the target role, such as role/testRole, for User, select Developer for User Group, and then click Confirm.
    For more information, see Quick start for RAM user authorization.
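The two policies in Step 1 are where a cross-account role is most easily made too broad: a trust policy that names a wildcard or the wrong UID lets a party other than Account A's DataWorks assume the role, and a permission policy with wildcard actions gives the data source more than the read access listed above. The following script, which is an added example and not Alibaba Cloud's or DataWorks' own code, builds the Step 1 trust policy from a UID and audits both that trust policy and the Hologres custom policy against the shapes shown in this topic. The UIDs are constructed sample values; the principal format `<UID>@engine.dataworks.aliyuncs.com` and the `hologram:` action names are taken from the policies above.

```python
"""Build and audit the RAM policies used for the cross-account role.

Added example, not Alibaba Cloud's own code. The UID below is a constructed
sample value; the policy shapes follow the trust policy in Step 1 and the
Hologres custom policy in this topic.
"""
import json

ACCOUNT_A_UID = "111111111111111"  # constructed: consumer account that assumes the role

# The read-only actions the Hologres custom policy grants; the audit flags
# anything beyond this set.
HOLOGRES_READ_ACTIONS = frozenset({
    "hologram:GetInstance",
    "hologram:DescribeInstance",
    "hologram:ListDatabases",
    "hologram:ListWarehouses",
    "hologram:ListInstances",
})


def dataworks_principal(uid_a: str) -> str:
    """Service principal of the DataWorks engine running in Account A."""
    return f"{uid_a}@engine.dataworks.aliyuncs.com"


def build_trust_policy(uid_a: str) -> dict:
    """The Step 1 trust policy with the UID placeholder filled in."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [dataworks_principal(uid_a)]},
        }],
        "Version": "1",
    }


def _as_list(value) -> list:
    """RAM policies accept either a string or a list for Action and Principal values."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, expected_uid_a: str) -> list:
    """Return findings (an empty list means OK) for the role's trust policy.

    The role must be assumable only via sts:AssumeRole and only by the
    DataWorks service principal of the expected consumer UID.
    """
    findings = []
    expected = dataworks_principal(expected_uid_a)
    statements = policy.get("Statement", [])
    if not statements:
        return ["policy has no statements"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: expected only sts:AssumeRole, got {actions}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal {principal!r} is not restricted")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                if member == "*":
                    findings.append(f"statement {i}: wildcard {kind} principal")
                elif kind != "Service" or member != expected:
                    findings.append(f"statement {i}: unexpected {kind} principal {member!r}")
    return findings


def audit_permission_policy(policy: dict, allowed_actions) -> list:
    """Return findings for the custom policy attached to the role.

    Flags wildcard actions and any action outside allowed_actions, so the
    role keeps only the permissions the data source needs.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: action {action!r} is outside the expected set")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(ACCOUNT_A_UID)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", audit_trust_policy(trust, ACCOUNT_A_UID))
    # Constructed over-broad variant: any RAM principal may assume the role.
    loose = json.loads('{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",'
                       '"Principal":{"RAM":["*"]}}],"Version":"1"}')
    print("loose trust policy findings:", audit_trust_policy(loose, ACCOUNT_A_UID))
    hologres = {"Version": "1", "Statement": [{"Effect": "Allow",
                "Action": sorted(HOLOGRES_READ_ACTIONS), "Resource": "*"}]}
    print("permission policy findings:", audit_permission_policy(hologres, HOLOGRES_READ_ACTIONS))
```

Run it after pasting the policy you actually saved in the RAM console into `audit_trust_policy` (with the real UID of Account A) and `audit_permission_policy`; an empty findings list means the role can be assumed only by Account A's DataWorks engine and carries only the read actions listed above.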
Step 2: Create a data source for Account A by using user information from Account B
- Log on to the DataWorks console. In the target region, click in the left-side navigation pane. Select a workspace from the drop-down list and click Go to Management Center.
  On the Workspace Management page, click Data Sources in the left-side navigation pane to open the data source page.
- Click Add Data Source and select the data source type (MaxCompute or Hologres).
- On the data source configuration page, configure these key parameters:
  - Alibaba Cloud Account: Other Alibaba Cloud Account.
  - Region: The region where the MaxCompute project or Hologres instance is located.
  - UID of Alibaba Cloud Account: Enter the UID of Account B.
  - MaxCompute Project Name/Other Hologres Instance: Enter the name or ID of the target resource in Account B.
  - RAM Role: Enter the name of the RAM role that you created in Account B, such as testRole.
- Configure resource group connectivity.
  Select a resource group and test its connectivity. For information about network connectivity configurations, see Connect to a data source that belongs to a different Alibaba Cloud account.
  A green Connected status in the Connection Status column indicates a correctly configured resource group network.
- Click Complete Creation to create the cross-account data source.
Next steps
After creating the data source, you can:
- Synchronize data by using Data Integration.
- Go to Data Map to view more details about the data source.