You can access and operate on projects, such as MaxCompute or Hologres projects, that belong to another Alibaba Cloud account by adding them as data sources in your current Alibaba Cloud account. This enables cross-account data access.
Limits
You cannot use data sources created for cross-account access for data development or scheduling. To perform data development operations, you must create a data source in your current account. For more information, see Add a MaxCompute compute engine and Add a Hologres compute engine.
When you create a data source for cross-account access, you can only use a Resource Access Management (RAM) role to access the corresponding project.
Preparations
Ensure that you have two Alibaba Cloud accounts, A and B. For more information, see Create an Alibaba Cloud account.
Alibaba Cloud account A: The user of the cross-account data source. This account creates the data source using information from Alibaba Cloud account B.
Alibaba Cloud account B: The resource provider for the cross-account data source. This account provides the required information to Alibaba Cloud account A.
Ensure that the data resources to be shared are available in Alibaba Cloud account B. For example, a MaxCompute project or a Hologres instance and database must be created.
Scenario 1 (Accessing MaxCompute): A MaxCompute project is created in Alibaba Cloud account B. This project is used as the destination project when you create the data source for cross-account access. For more information about how to create a MaxCompute project, see Create a MaxCompute project.
Scenario 2 (Accessing Hologres): A Hologres instance is purchased and a database is created in Alibaba Cloud account B.
Step 1: Create and authorize a RAM role in Account B
Create a RAM role and establish a trust relationship
Log on to the RAM console using Alibaba Cloud account B. Create a RAM role and add Alibaba Cloud account A as a trusted Alibaba Cloud account. This allows Alibaba Cloud account A to assume the role and access the authorized resources.
Create a RAM role.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
NoteAlibaba Cloud account A assumes this RAM role to access DataWorks in Alibaba Cloud account B. If this RAM role needs to access DataWorks in Alibaba Cloud account A, you must redefine the policy for the RAM role. For more information, see Define a policy for a RAM role.
The following list describes the key parameters:
Principal Type: Alibaba Cloud Account.
Principal Name: Select Other Alibaba Cloud Account. Enter the UID of Alibaba Cloud account A. To obtain the UID, log on to the console using Alibaba Cloud account A and move the pointer over your profile picture in the top menu bar.
Role Name: testRole.
After the configuration is complete, Alibaba Cloud account A can assume the testRole role to access the authorized resources.
Modify the policy document of the role.
After the role is created, go to the Policy Document tab for the role. Click Edit Policy Document and update the policy with the following content. This allows the DataWorks service of Alibaba Cloud account A to assume this role. For more information, see Modify the trust policy of a RAM role.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": [ "UID of Alibaba Cloud Account A@engine.dataworks.aliyuncs.com" ] } } ], "Version": "1" }Replace
Account A's UIDwith the UID of Account A.
Configure an access policy for the RAM role
Scenario 1: Grant permissions to access MaxCompute
Using Alibaba Cloud account B, go to the destination MaxCompute project.
You can use the SQL analysis feature in the MaxCompute console to quickly navigate to a MaxCompute project.
For more information about other connection tools, see Select a connection tool.
Add the RAM role to the MaxCompute project.
Add the testRole role that you created in Step 1 to the MaxCompute project. The SQL statement format is as follows.
-- Add the RAM role to the MaxCompute project. add user `RAM$<account_name>:role/<RAM role name>`; -- View all users in the workspace. list users; -- View the permissions that are granted to the RAM role. show grants for `RAM$<account_name>:role/<RAM role name>`;The parameters are described as follows:
<account_name>: Replace this with the name of Alibaba Cloud account B.
<RAM role name>: Replace this with testRole, which is the role name that you created in Step 1.
Grant permissions to the role as needed. For more information about authorization operations, see Authorization operations.
NoteYou can grant permissions to the RAM role in advance based on how the cross-account data source will be used in Workspace A. For example, if you want to query tables from the data source in Workspace B from Workspace A, ensure that the RAM role configured for the data source has the SELECT permission on the tables.
Scenario 2: Grant permissions to access Hologres
Modify the access policy of the role (for Hologres only)
In the RAM console of Alibaba Cloud account B, create a custom policy to grant the basic permissions required to access the Hologres instance. The policy content is as follows:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "hologram:GetInstance", "hologram:DescribeInstance", "hologram:ListDatabases", "hologram:ListWarehouses", "hologram:ListInstances" ], "Resource": "*" } ] }Attach this policy to the testRole role. For more information, see Grant permissions to a RAM role.
Add the RAM role to the Hologres database.
Add and authorize the role in Hologres. Log on to the Hologres management console using Alibaba Cloud account B and go to the HoloWeb interface of the destination instance.
On the User Management page in the Security Center, add the RAM role that you created as a database user.
If the role is a regular user, go to the Database Authorization page in the Security Center to grant database-level operation permissions to the user.
For more information, see Quick Start for RAM user authorization.
Step 2: Use the user information of Account B to create a data source in Account A
Go to the Data Sources page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, select the desired workspace from the drop-down list and click Go to Management Center.
In the left-side navigation pane of the SettingCenter page, click Data Sources.
Click Add Data Source and select the data source type, either MaxCompute or Hologres.
On the data source configuration page, configure the following key parameters:
Alibaba Cloud Account: Select Another Alibaba Cloud Account.
Region: Select the region where the MaxCompute project or Hologres instance resides.
UID Of Alibaba Cloud Account: Enter the UID of Alibaba Cloud account B.
MaxCompute Project Name/Hologres Instance: Enter the name or ID of the destination resource in Alibaba Cloud account B.
RAM Role: Enter the name of the RAM role that you created in Alibaba Cloud account B, such as testRole.
Configure resource group connectivity.
Select a resource group as required and test the connectivity. For more information about network connectivity configuration, see Connect to a data source that belongs to a different Alibaba Cloud account.
Click Complete Creation to create the cross-account data source.
What to do next
After you create the data source, you can perform the following operations:
Synchronize data from this data source using Data Integration. For more information, see Data Integration.
View more details about the data source in Data Map. For more information, see Data Map.