This topic describes how to create, update, and delete a data lake connection, and how to grant other users permissions to use it.
This feature is in invitation-only preview. To enable it, submit a ticket.
Overview
A data lake connection (CONNECTION) hosts access credentials for cloud services. You can delegate access to external storage through a connection for scenarios such as data discovery and querying external tables. The connection is encrypted and stored securely in the metadata service. Users with the Connection_Admin or Connection_User role can manage and use the corresponding connections. When you use a connection to access cloud services, you no longer need to expose authentication information, such as AccessKey IDs and AccessKey secrets, in plaintext.
Use cases
Create an OSS data discovery task by using a connection.
Create and access an OSS external table by using a connection.
Usage notes
Region: Data lake connections are supported only in the China (Beijing) and China (Shenzhen) regions.
Permissions: An Alibaba Cloud account or a user with the tenant-level
Connection_Adminrole can manage and create a connection.Role
Permissions
Connection_Admin
List, view, create, update, delete, and use connections. Grant other users the Connection_User role so they can use a connection.
Connection_User
View and use a connection.
Grant roles
If you are a RAM user, you must be granted the tenant-level
Connection_Adminrole before you can create and manage connections. For instructions, see Tenant-level role authorization.Currently, only an Alibaba Cloud account can grant the
Connection_Adminrole.Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Tenants page, click the Roles tab.
On the Roles tab, find the
Connection_Adminrole and click Create Authorization in the Actions column.In the Create Authorization dialog box, add the desired users, and then click OK.
Create a connection
Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Data Lake Connection (CONNECTION) page, click Create Data Lake Connection.
In the Create Data Lake Connection dialog box, configure the parameters and click OK.
Parameter
Description
Data lake connection parameter
The name of the data lake connection. The name must be unique within a tenant.
RAMRoleARN
The Alibaba Cloud Resource Name (ARN) of the RAM role with OSS access permissions.
You can create a custom role and specify its RAMRoleARN. For more information, see Authorization scheme for accessing external data sources.
Data lake connection description
The description of the data lake connection.
Authorize a connection
To grant other users permission to use a connection, grant them the Connection_User role by following these steps.
Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Data Lake Connection (CONNECTION) page, in the Operation column for the desired CONNECTION, click Add Authorization.
In the Data Lake Connection Authorization dialog box, add the users you want to authorize and click OK.
View connections
Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Data Lake Connection (CONNECTION) page, view the CONNECTION list.
Delete a connection
Deleting a connection invalidates access authorizations for dependent external tables and external storage, causing access attempts to fail. Evaluate the potential impact on your business before you proceed. This action is irreversible.
Log in to the MaxCompute console and select a region in the upper-left corner.
In the left-side navigation pane, choose .
On the Data Lake Connection (CONNECTION) page, in the Operation column for the desired CONNECTION, click Delete.
In the dialog box, click Delete.