Configure cross-account authorization

0.0.201

If you add a data source, such as a MaxCompute, Hologres, or AnalyticDB for PostgreSQL data source, to DataWorks in Alibaba Cloud instance mode and want to use an Alibaba Cloud account that is different from the account to which the data source belongs to configure a synchronization task for the data source in Data Integration, you must perform cross-account authorization to grant the read permissions on the data source to the Alibaba Cloud account to which the synchronization task belongs. This way, the synchronization task can run as expected.

Background information

When you add a data source, you can set the Data Source Type parameter to Alibaba Cloud Instance Mode for the data source. In this case, if the data source that you add to DataWorks and the synchronization task that is configured for the data source belong to different Alibaba Cloud accounts, you must configure cross-account authorization for the data source by referring to the instructions provided in this topic before you can run the synchronization task.

Prerequisites

A connection is established between the virtual private cloud (VPC) in which the data source resides and the VPC in which a desired resource group resides by using connection tools such as Cloud Enterprise Network (CEN). For more information, see Network connectivity solutions.

Procedure

MaxCompute, Hologres, AnalyticDB for PostgreSQL, or AnalyticDB for MySQL data sources

For information about how to configure cross-account authorization for a MaxCompute data source, see Scenario: Add a data source across accounts.
For information about how to configure cross-account authorization for a Hologres data source, see Add a Hologres data source.
For information about how to configure cross-account authorization for an AnalyticDB for PostgreSQL data source, see Add an AnalyticDB for PostgreSQL data source.
For information about how to configure cross-account authorization for an AnalyticDB for MySQL data source, see Add an AnalyticDB for MySQL V3.0 data source.

ApsaraDB RDS, Hive, or Kafka data sources

Perform operations with the Alibaba Cloud account to which the data source belongs

Log on to the Resource Access Management (RAM) console with the Alibaba Cloud account to which the data source belongs. Then, create a RAM role on the Roles page. For information about how to create a RAM role, see Create a RAM role for a trusted Alibaba Cloud account.
Key parameters:
- Principal Type: Set this parameter to Cloud Account.
- Role Name: Specify a custom role name.
- Principal Name: Set this parameter to Other Account, and enter the ID of the Alibaba Cloud account to which the DataWorks workspace belongs in the field that appears.

Grant permissions to the created RAM role. For information about how to grant permissions to a RAM role, see Method 2: Grant permissions to a RAM role by clicking Precise Permission on the Roles page.

Key parameters:

Policy: Set this parameter to System Policy.

Policy Name: The following table provides the details.

Data source type	Policy name

Data source type	Policy name
ApsaraDB RDS data sources that run the MySQL, SQL Server, PostgreSQL, or MariaDB engine	AliyunDataWorksAccessingRdsReadOnlyPolicy
Hive	AliyunDataWorksAccessingDLFReadOnlyPolicy and AliyunDataWorksAccessingEMRReadOnlyPolicy
Kafka	AliyunDataWorksAccessingAlikafkaPolicy

Modify the trust policy for the created RAM role. For information about how to modify the trust policy for a RAM role, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account.

Trust policy after modification:

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "<ID of the Alibaba Cloud account of a DataWorks user>@cdp.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

Note

Replace <ID of the Alibaba Cloud account of a DataWorks user> with the ID of the Alibaba Cloud account to which the DataWorks workspace belongs.

Perform operations with the Alibaba Cloud account to which the DataWorks workspace belongs

Go to the Data Integration page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Integration > Data Integration. On the page that appears, select the desired workspace from the drop-down list and click Go to Data Integration.

Add an ApsaraDB RDS, Hive, or Kafka data source.

The following table describes the key parameters that you must configure.

Parameter	Description

Parameter	Description
Data Source Type or Configuration Mode	Set this parameter to Alibaba Cloud Instance Mode.
Alibaba Cloud Account	Set this parameter to Another Alibaba Cloud Account.
ID of Another Alibaba Cloud Account or UID of Another Alibaba Cloud Account	Set this parameter to the ID of the Alibaba Cloud account to which the ApsaraDB RDS, Hive, or Kafka data source belongs.
Name of Role Assigned to RAM User or RAM Role	Set this parameter to the name of the RAM role to which you want to grant permissions on the data source.

Test the network connectivity of the data source.

Feedback

Previous: Manage third-party authentication filesNext: Isolate a data source in the development and production environments

On this page （1）

Background information

Prerequisites

Procedure

MaxCompute, Hologres, AnalyticDB for PostgreSQL, or AnalyticDB for MySQL data sources

ApsaraDB RDS, Hive, or Kafka data sources

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

Background information

Prerequisites

Procedure

MaxCompute, Hologres, AnalyticDB for PostgreSQL, or AnalyticDB for MySQL data sources

ApsaraDB RDS, Hive, or Kafka data sources

Perform operations with the Alibaba Cloud account to which the data source belongs

Perform operations with the Alibaba Cloud account to which the DataWorks workspace belongs

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)