By default, a RAM user for a MaxCompute project cannot access resources in Data Lake Formation (DLF) or Object Storage Service (OSS). To enable this access, create a dedicated RAM role with a custom trust policy and access policy.
Background

- If the RAM user for the MaxCompute project is the same as the account used to deploy DLF, set the service parameter to `odps.aliyuncs.com` when you add a trust policy.
- If the RAM user for the MaxCompute project and the account that deployed DLF are different, set the service parameter to `<the account ID of the MaxCompute project owner>@odps.aliyuncs.com` when you add a trust policy. You can obtain the account ID from Account Overview.
Procedure

1. Log on to the RAM console and create a RAM role for a trusted Alibaba Cloud account.
   For more information, see Create a RAM role for a trusted Alibaba Cloud account.

2. In the RAM console, modify the trust policy of the new RAM role.
   For more information, see Modify the trust policy of a RAM role. Use one of the following trust policies:

   - If the MaxCompute project and DLF are in the same account:

     ```json
     {
       "Statement": [
         {
           "Action": "sts:AssumeRole",
           "Effect": "Allow",
           "Principal": {
             "Service": [
               "odps.aliyuncs.com"
             ]
           }
         }
       ],
       "Version": "1"
     }
     ```

   - If the MaxCompute project and DLF are in different accounts (replace `<ACCOUNT_ID>` with the account ID of the MaxCompute project owner):

     ```json
     {
       "Statement": [
         {
           "Action": "sts:AssumeRole",
           "Effect": "Allow",
           "Principal": {
             "Service": [
               "<ACCOUNT_ID>@odps.aliyuncs.com"
             ]
           }
         }
       ],
       "Version": "1"
     }
     ```

3. In the RAM console, create a custom access policy for the new RAM role.
   For more information, see Create a custom access policy. The following policy grants the necessary permissions. Note that it uses `"Resource": "*"`, which covers every OSS bucket and DLF object in the account; restricting the resource to the buckets and catalog the project actually uses keeps the role to least privilege.

   ```json
   {
     "Version": "1",
     "Statement": [
       {
         "Action": [
           "oss:ListBuckets",
           "oss:GetObject",
           "oss:ListObjects",
           "oss:PutObject",
           "oss:DeleteObject",
           "oss:AbortMultipartUpload",
           "oss:ListParts"
         ],
         "Resource": "*",
         "Effect": "Allow"
       },
       {
         "Action": [
           "dlf:CreateFunction",
           "dlf:BatchGetPartitions",
           "dlf:ListDatabases",
           "dlf:CreateLock",
           "dlf:UpdateFunction",
           "dlf:BatchUpdateTables",
           "dlf:DeleteTableVersion",
           "dlf:UpdatePartitionColumnStatistics",
           "dlf:ListPartitions",
           "dlf:DeletePartitionColumnStatistics",
           "dlf:BatchUpdatePartitions",
           "dlf:GetPartition",
           "dlf:BatchDeleteTableVersions",
           "dlf:ListFunctions",
           "dlf:DeleteTable",
           "dlf:GetTableVersion",
           "dlf:AbortLock",
           "dlf:GetTable",
           "dlf:BatchDeleteTables",
           "dlf:RenameTable",
           "dlf:RefreshLock",
           "dlf:DeletePartition",
           "dlf:UnLock",
           "dlf:GetLock",
           "dlf:GetDatabase",
           "dlf:GetFunction",
           "dlf:BatchCreatePartitions",
           "dlf:ListPartitionNames",
           "dlf:RenamePartition",
           "dlf:CreateTable",
           "dlf:BatchCreateTables",
           "dlf:UpdateTableColumnStatistics",
           "dlf:ListTableNames",
           "dlf:UpdateDatabase",
           "dlf:GetTableColumnStatistics",
           "dlf:ListFunctionNames",
           "dlf:ListPartitionsByFilter",
           "dlf:GetPartitionColumnStatistics",
           "dlf:CreatePartition",
           "dlf:CreateDatabase",
           "dlf:DeleteTableColumnStatistics",
           "dlf:ListTableVersions",
           "dlf:BatchDeletePartitions",
           "dlf:ListCatalogs",
           "dlf:UpdateTable",
           "dlf:ListTables",
           "dlf:DeleteDatabase",
           "dlf:BatchGetTables",
           "dlf:DeleteFunction"
         ],
         "Resource": "*",
         "Effect": "Allow"
       }
     ]
   }
   ```

4. Attach the custom access policy to the new RAM role.
   For more information, see Manage permissions for a RAM role.
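The following is an added example, not Alibaba Cloud's code: a Python helper that builds the role's trust policy from the two account IDs using the same-account / cross-account rule given in Background, plus an audit check that flags any Allow statement whose principal is not MaxCompute acting for an expected project-owner account (wildcard principals, other principal types, other services, or unknown account IDs). The function names and the sample account IDs are constructed for the example.

```python
import json

# Service principal format taken from the page's trust policies.
MAXCOMPUTE_SERVICE = "odps.aliyuncs.com"


def build_trust_policy(project_owner_id: str, dlf_account_id: str) -> dict:
    """Return the trust policy for the DLF/OSS access role.

    Same account: bare service name. Different accounts: "<owner ID>@odps.aliyuncs.com".
    """
    if project_owner_id == dlf_account_id:
        service = MAXCOMPUTE_SERVICE
    else:
        service = f"{project_owner_id}@{MAXCOMPUTE_SERVICE}"
    return {
        "Statement": [
            {"Action": "sts:AssumeRole", "Effect": "Allow",
             "Principal": {"Service": [service]}}
        ],
        "Version": "1",
    }


def audit_trust_policy(policy: dict, role_account_id: str,
                       allowed_owner_ids: set) -> list:
    """Return one finding per Allow statement that trusts anything other than
    MaxCompute on behalf of an allowed project-owner account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            findings.append(f"statement {i}: wildcard or malformed principal")
            continue
        for kind, values in principal.items():
            if kind != "Service":
                findings.append(f"statement {i}: unexpected principal type {kind}")
                continue
            for svc in ([values] if isinstance(values, str) else values):
                owner, _, service = svc.rpartition("@")
                # A bare service name means the project owner is the role's own account.
                owner = owner or role_account_id
                if service != MAXCOMPUTE_SERVICE or owner not in allowed_owner_ids:
                    findings.append(f"statement {i}: untrusted service principal {svc}")
    return findings


if __name__ == "__main__":
    # Constructed sample IDs: the DLF account (which owns the role) differs from the owner.
    policy = build_trust_policy("1234567890123456", "6543210987654321")
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, "6543210987654321", {"1234567890123456"}))
```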