If you want to use a compute engine, such as a MaxCompute or an E-MapReduce (EMR) compute engine, in DataWorks, you must authorize DataWorks to access the Alibaba Cloud service to which the compute engine belongs. After the authorization is complete, the system creates a service-linked role for the Alibaba Cloud service to which the related compute engine belongs. This topic describes the service-linked roles that are automatically created when you authorize DataWorks to access the Alibaba Cloud services to which compute engines belong, and the policies that are attached to the roles.
Background information
If you want to perform compute engine-related operations in the DataWorks console, such as associating a compute engine with a workspace or modifying an existing compute engine instance, the system prompts you to perform authorization operations for DataWorks. After the authorization is complete, the system creates a service-linked role for the Alibaba Cloud service to which the related compute engine belongs.
Only an Alibaba Cloud account or a RAM user to which the
AliyunDataWorksFullAccesspolicy is attached can authorize DataWorks to perform operations related to compute engines. If you want to perform operations related to compute engines as a RAM user, you must make sure that theAliyunDataWorksFullAccesspolicy is attached to the RAM user. For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.If you want to perform the following operations, you must authorize DataWorks to access the Alibaba Cloud service to which a compute engine belongs: create and manage data sources.
You can log on to the RAM console and go to the Roles page to search for a service-linked role that is created for the Alibaba Cloud service to which a compute engine belongs and view information about the service-linked role. For more information about service-linked roles, see Service-linked roles.
The following table describes the service-linked roles that can be automatically created based on authorization.
Role name | Role permission | References |
AliyunServiceRoleForDataworksEngine | Allows DataWorks to access MaxCompute. | |
AliyunServiceRoleForDataworksOnEmr | Obtains metadata information of an EMR DataLake cluster and previews related data records in Data Map. | |
AliyunServiceRoleForDataWorks | Obtains and modifies the network configurations of virtual private clouds (VPCs) and the configurations of security groups, and establishes network connections between DataWorks exclusive resource groups and data sources. | |
AliyunServiceRoleForDataWorksDI | Allows Data Integration to obtain RAM roles and assume a custom RAM role to access a data source. | |
AliyunDIDefaultRole | Allows DataWorks to access resources of other Alibaba Cloud services activated by the current account during data source configuration, node configuration, and data synchronization. The services include ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, PolarDB-X, HybridDB for MySQL, AnalyticDB for PostgreSQL, PolarDB, Data Management (DMS), and Data Lake Formation (DLF). | |
AliyunServiceRoleForDataWorksOpenPlatform | Accesses and modifies events in EventBridge and supports message event capabilities in DataWorks Open Platform. | |
AliyunServiceRoleForDataWorksAccessDLF | Allows DataWorks to access metadata information of DLF, grants permissions on metadata to users, and revokes permissions on metadata from users. This role is used to implement application and request processing for permissions on DLF metadata in Security Center. | Appendix: Service-linked role used by DataWorks to access DLF |
The following sections describe the service-linked roles related to MaxCompute compute engines and EMR DataLake clusters.
Role 1: AliyunServiceRoleForDataworksEngine
Role name: AliyunServiceRoleForDataworksEngine
Role permissions: Authorizes DataWorks to access MaxCompute.
Policy attached to the role: AliyunServiceRolePolicyForDataworksEngine
Policy document:
{ "Version": "1", "Statement": [ { "Action": "odps:*", "Effect": "Allow", "Resource": "*" }, { "Action": [ "pai:*", "paiplugin:*", "eas:*" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "engine.dataworks.aliyuncs.com" } } } ] }
Role 2: AliyunServiceRoleForDataworksOnEmr
Do not modify or delete the service-linked role that is automatically created based on authorization and the policy that is attached to the role. Otherwise, you cannot use EMR features in DataWorks.
Role name: AliyunServiceRoleForDataworksOnEmr
Role permissions: Previews data records in Data Map, and obtains metadata information of an EMR DataLake cluster that uses DLF for metadata management and the configurations of the EMR DataLake cluster.
Policy attached to the role: AliyunServiceRolePolicyForDataworksOnEmr
Policy document:
Permissions to access EMR
{ "Version": "1", "Statement": [ { "Action": [ "emr:GetCluster", "emr:GetOnKubeCluster", "emr:GetClusterClientMeta", "emr:GetApplicationConfigFile", "emr:ListClusters", "emr:ListNodes", "emr:ListNodeGroups", "emr:ListApplications", "emr:ListApplicationConfigs", "emr:ListApplicationConfigFiles", "emr:ListApplicationLinks", "emr:ListComponentInstances" ], "Resource": "*", "Effect": "Allow" } ] }Permissions to access DLF
If the EMR DataLake cluster that you want to access uses DLF to manage metadata, the policy attached to the service-linked role also contains the following access permissions on DLF. The permissions allow DataWorks to obtain metadata information of the EMR DataLake cluster.
{ "Action": [ "dlf:SubmitQuery", "dlf:GetQueryResult", "dlf:GetTable", "dlf:ListDatabases", "dlf:GetTableProfile", "dlf:GetCatalogSettings", "dlf:BatchGrantPermissions", "dlf:ListPartitionsByFilter", "dlf:ListPartitions" ], "Resource": "*", "Effect": "Allow" }Permissions to access Container Service for Kubernetes (ACK)
If you want to access an EMR on ACK cluster, the policy attached to the role also contains the following access permissions on ACK:
{ "Action": [ "cs:DescribeUserPermission", "cs:DescribeClusterDetail", "cs:DescribeClusterUserKubeconfig", "cs:GetClusters", "cs:GrantPermissions", "cs:RevokeK8sClusterKubeConfig" ], "Resource": "*", "Effect": "Allow" }Permissions to access Serverless Spark
If you want to access an EMR Serverless Spark cluster, the policy attached to the role also contains the following access permissions on Serverless Spark:
{ "Effect": "Allow", "Action": [ "emr-serverless-spark:TerminateSqlStatement", "emr-serverless-spark:CreateSqlStatement", "emr-serverless-spark:GetSqlStatement", "emr-serverless-spark:TerminateSqlStatement", "emr-serverless-spark:ListSessionClusters", "emr-serverless-spark:ListWorkspaces", "emr-serverless-spark:ListWorkspaceQueues", "emr-serverless-spark:ListReleaseVersions", "emr-serverless-spark:CancelJobRun", "emr-serverless-spark:ListJobRuns", "emr-serverless-spark:GetJobRun", "emr-serverless-spark:StartJobRun", "emr-serverless-spark:AddMembers", "emr-serverless-spark:GrantRoleToUsers" ], "Resource": "*" }The policy attached to the role also contains the following access permissions on Object Storage Service (OSS) when you upload SQL files or JAR packages or save ad hoc query results:
{ "Action": [ "oss:PutObject", "oss:GetObject", "oss:DeleteObject" ], "Resource": [ "acs:oss:*:*:*/.dataworks/*", "acs:oss:*:*:*/.dlsdata/*" ], "Effect": "Allow" }, { "Action": "oss:PostDataLakeStorageFileOperation", "Resource": "*", "Effect": "Allow" }