This is required if you create a data source in Alibaba Cloud instance mode and the instance belongs to a different Alibaba Cloud account than the one for your DataWorks workspace. This authorization grants the DataWorks account the read permission needed to run the sync task.
Background
When you add a data source, you can set its type to Alibaba Cloud instance mode. If the instance belongs to a different Alibaba Cloud account than the one for your DataWorks workspace, you must configure cross-account authorization.
Prerequisites
A network connection must exist between the data source instance's VPC and the DataWorks resource group, for example, through Cloud Enterprise Network (CEN). For more information, see Network connectivity solutions.
Procedure
To configure cross-account authorization for an RDS, Hive, or Kafka data source, follow these steps:
Actions on the data source account
Log on to the RAM console and create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Key parameters:
Principal Type: Select Cloud Account.
Role Name: Enter a custom name.
Principal Name: Select Another Alibaba Cloud Account, and then enter the UID of the Alibaba Cloud account that owns the DataWorks workspace.
Grant the required permissions to the newly created RAM role. For more information, see Grant permissions to a RAM role.
Key parameters:
Permission Policy: Select System Policy.
Policy Name: Select a policy based on the instance type.
Instance type | Policy name
RDS (MySQL, SQL Server, PostgreSQL, MariaDB) | AliyunDataWorksAccessingRdsReadOnlyPolicy
Hive | AliyunDataWorksAccessingDLFReadOnlyPolicy, AliyunDataWorksAccessingEMRReadOnlyPolicy
Kafka | AliyunDataWorksAccessingAlikafkaPolicy
AnalyticDB for MySQL 3.0 | AliyunADBReadOnlyAccess
Modify the trust policy of the RAM role. For more information, see Modify the trust policy of a RAM role.
Trust policy:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID of the primary Alibaba Cloud account that owns the DataWorks workspace>@cdp.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Note: Replace <UID of the primary Alibaba Cloud account that owns the DataWorks workspace> with the ID of the primary Alibaba Cloud account for your DataWorks workspace.
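One way to check a role's trust policy and attached policies against the values on this page before testing connectivity. This is an added example, not Alibaba Cloud's own code: `audit_role`, the sample UID and the sample policy JSON are constructed for illustration, and exporting the role's trust policy and policy list is left to you.

```python
import json

# Policy names per instance type, copied from the list on this page.
REQUIRED_POLICIES = {
    "RDS": {"AliyunDataWorksAccessingRdsReadOnlyPolicy"},
    "Hive": {"AliyunDataWorksAccessingDLFReadOnlyPolicy",
             "AliyunDataWorksAccessingEMRReadOnlyPolicy"},
    "Kafka": {"AliyunDataWorksAccessingAlikafkaPolicy"},
    "AnalyticDB for MySQL 3.0": {"AliyunADBReadOnlyAccess"},
}

# Constructed sample: the page's trust policy with a made-up UID filled in.
SAMPLE_UID = "1234567890123456"
SAMPLE_TRUST = ('{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", '
                '"Principal": {"Service": ["1234567890123456@cdp.aliyuncs.com"]}}], "Version": "1"}')


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def audit_role(trust_policy_json, dataworks_uid, instance_type, attached):
    """Return findings; an empty list means the role matches this page."""
    expected = f"{dataworks_uid}@cdp.aliyuncs.com"
    findings, trusted = [], False
    for stmt in as_list(json.loads(trust_policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal: {principal!r}")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "Service" and value == expected:
                    trusted = True
                else:
                    # Not in the page's trust policy (or placeholder left in).
                    findings.append(f"unexpected principal: {kind}={value}")
    if not trusted:
        findings.append(f"missing Service principal {expected}")
    required = REQUIRED_POLICIES[instance_type]
    for name in sorted(required - set(attached)):
        findings.append(f"missing policy: {name}")
    for name in sorted(set(attached) - required):
        findings.append(f"extra policy beyond the page's list: {name}")
    return findings
```

An empty result means the role trusts only the DataWorks workspace's account and carries exactly the policies listed for the instance type.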
Actions on the DataWorks account
Log on to the DataWorks console. In the target region, click in the left-side navigation pane. Select a workspace from the drop-down list and click Go to Data Integration.
Add an RDS, Hive, or Kafka data source.
Key parameters:
Parameter | Description
Data Source Type | Select ApsaraDB for RDS.
Instance Owner | Select Another Alibaba Cloud Account or Other Alibaba Cloud Account. Note: Select an option based on your data source configuration.
UID of other Alibaba Cloud account (the UID of the other primary account) | Enter the UID of the primary Alibaba Cloud account that owns the RDS, Hive, or Kafka instance.
RAM role for authorization (the other RAM role) | Enter the name of the RAM role.
Test connectivity.