In DataWorks, you can use a RAM user to assume a specific RAM role and use the RAM role to log on to the DataWorks to perform development operations. This topic describes how to use role-based single sign-on (SSO) to log on to the DataWorks console and use DataWorks.
Background information
You can use one of the following methods to log on to the DataWorks console:
Use an Alibaba Cloud account or a RAM user
You can use your Alibaba Cloud account or a RAM user and the password to log on to the DataWorks console and use DataWorks. In this case, the Alibaba Cloud account or the RAM user becomes a member of a DataWorks workspace and is granted the permissions to use the features of DataWorks.
Use role-based SSO
Some enterprises prefer to use role-based SSO to log on to the DataWorks console and use DataWorks because the regulatory requirements for enterprise security become increasingly strict. In this case, the RAM role becomes a member of a DataWorks workspace. The user who assumes the RAM role has the same permissions as the Alibaba Cloud account or RAM user that you use to log on to the DataWorks console. For more information about roles, see RAM role overview and Overview.
Precautions
You can use role-based SSO to access only DataWorks workspaces that are associated with the MaxCompute or Hologres compute engine.
To grant the required permissions to a user by using a RAM user or a RAM role, you must attach the AliyunRAMFullAccess policy to the RAM user or RAM role. For more information, see Grant permissions to a RAM user.
Step 1: Create a RAM role
Log on to the RAM console.
Log on to the RAM console by using your Alibaba Cloud account and password.
In the left-side navigation pane, choose .
Create a RAM role.
On the Roles page, click Create Role and follow the on-screen instructions to create a RAM role.
If you want a RAM user to assume the RAM role by switching the identity in the Alibaba Cloud Management Console, select Alibaba Cloud Account for Select Trusted Entity. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
If you want an on-premises identity provider (IdP) to assume the RAM role, select IdP for Select Trusted Entity. For more information, see Create a RAM role for a trusted IdP.
Step 2: Define the trust policy of the RAM role
On the Roles page, click the name of the RAM role. On the page that appears, click the Trust Policy Management tab and define the trust policy of the RAM role. The trust policy document contains two parts. The first part defines that the RAM role can be assumed by a RAM user or an on-premises IdP. The second part defines that the RAM role can be assumed by the DataWorks service. The following section describes the trust policies of the RAM role in different scenarios. You can select a trust policy based on your business requirements.
You must replace UID in the following policy documents with the UID of your Alibaba Cloud account and IDP with the name of the on-premises IdP that you selected.
Scenario 1: The RAM role is assumed by a RAM user
If you want a RAM user to assume the RAM role and use DataWorks, configure the following policy document for the RAM role:
In the following policy, a specified RAM user and the DataWorks service are allowed to obtain a Security Token Service (STS) token to assume a RAM role. For information about the AssumeRole operation, see AssumeRole.
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::UID:root"
]
}
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"dataworks.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Scenario 2: The RAM role is assumed by an on-premises IdP
If you want an on-premises IdP to assume the RAM role and use DataWorks, configure the following policy document for the RAM role:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"saml:recipient": "https://signin.aliyun.com/saml-role/sso"
}
},
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::UID:saml-provider/IDP"
]
}
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"dataworks.aliyuncs.com"
]
}
}
],
"Version": "1"
}
Step 3: Attach the AliyunSTSAssumeRoleAccess policy to the RAM user that needs to assume the RAM role
If you want a RAM user to assume the RAM role, you must attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This way, the RAM user can call the AssumeRole operation of STS to obtain the STS token of the RAM role. For more information, see Grant permissions to a RAM user.
If you want an on-premises IdP to assume the RAM role, you do not need to perform this step.
Step 4: Log on to the DataWorks console by using a RAM user that assumes the RAM role
After you perform the operations in this step, you can use DataWorks as the RAM role. For information about role-based SSO, see Overview.
Log on to the DataWorks console.
Log on to the DataWorks console as a RAM user.
Switch the identity.
After you log on to the DataWorks console, move the pointer over the user profile in the upper-right corner and select Switch Identity to switch to the RAM role.
Additional information
After you create a workspace, you can perform the following operations. For information about how to create a workspace, see Create a workspace.
Add the RAM role to a DataWorks workspace as a member for data development.
The DataWorks workspace administrator can add the RAM role to a DataWorks workspace as a member for data development. For more information, see Add a RAM user to a workspace as a member and assign roles to the member.
Specify the RAM role as an identity to schedule MaxCompute tasks in the production environment.
When you add a MaxCompute data source, you can specify the RAM role as an access identity to schedule MaxCompute tasks in the production environment. If you specify the RAM role as a scheduling access identity, we recommend that you do not use the RAM role in other services and make sure that all MaxCompute tasks are run by using exclusive resource groups for scheduling.