Only authorized RAM users in MaxCompute projects can access Data Lake Formation (DLF) or Object Storage Service (OSS). You can add trust policies and custom policies to authorize RAM users to access DLF and OSS. This topic describes how to authorize RAM users in MaxCompute projects to access DLF.
Background information
If you use MaxCompute, DLF, and OSS to implement the lakehouse solution, only authorized RAM users in MaxCompute projects can access DLF.
If the same RAM user is used to create the MaxCompute project and deploy DLF, set service to odps.aliyuncs.com when you add the trust policy. If the RAM user that created the MaxCompute project is different from the RAM user that deployed DLF, set service to <MaxCompute project owner ID>@odps.aliyuncs.com instead. You can obtain the MaxCompute project owner ID on the Personal Information page.
Procedure
Log on to the RAM console and create a RAM role whose trusted entity is an Alibaba Cloud account.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Modify the trust policy of the created RAM role in the RAM console.
For more information, see Edit the trust policy of a RAM role. The following code shows the trust policy after modification.
If the same account is used to create the MaxCompute project and deploy DLF, the trust policy contains the following content:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
If the account that is used to create the MaxCompute project is different from the account that is used to deploy DLF, the trust policy contains the following content:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<MaxCompute project owner ID>@odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
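The choice of service principal above is the one thing that differs between the two cases, so an added example (not Alibaba Cloud's own code or tooling) that builds the trust policy from the two account IDs and reviews an existing trust policy against the expected principal follows; the helper names and the account IDs in the comments are hypothetical, and the check treats anything beyond a single sts:AssumeRole Allow for the expected MaxCompute service principal as a finding.

```python
import json

ODPS_SERVICE = "odps.aliyuncs.com"


def expected_service(project_owner_id, dlf_account_id):
    """Service principal the trust policy must name (hypothetical helper).

    Same account created the MaxCompute project and deployed DLF:
    odps.aliyuncs.com. Different accounts: <owner ID>@odps.aliyuncs.com.
    """
    if project_owner_id == dlf_account_id:
        return ODPS_SERVICE
    return f"{project_owner_id}@{ODPS_SERVICE}"


def build_trust_policy(project_owner_id, dlf_account_id):
    """Trust policy in the shape shown in this topic, as a dict."""
    service = expected_service(project_owner_id, dlf_account_id)
    return {
        "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                       "Principal": {"Service": [service]}}],
        "Version": "1",
    }


def check_trust_policy(policy_json, project_owner_id, dlf_account_id):
    """Review an existing trust policy; return findings (empty list = OK).

    Flags any Allow statement broader than sts:AssumeRole and any
    principal other than the expected MaxCompute service principal.
    """
    want = expected_service(project_owner_id, dlf_account_id)
    findings, seen_expected = [], False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRole"]:
            findings.append(f"broader than sts:AssumeRole: {actions}")
        for kind, members in stmt.get("Principal", {}).items():
            members = [members] if isinstance(members, str) else list(members)
            for who in members:
                if kind == "Service" and who == want:
                    seen_expected = True
                else:
                    findings.append(f"unexpected {kind} principal: {who}")
    if not seen_expected:
        findings.append(f"no sts:AssumeRole Allow for Service {want}")
    return findings
```

Feed check_trust_policy the JSON copied from the role's Trust Policy tab in the RAM console together with the two account IDs; a non-empty result lists exactly which principal or action widens who can assume the role.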
Create a custom policy for the created RAM role in the RAM console.
For more information, see Create a custom policy. The custom policy contains the following content:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets", "oss:GetObject", "oss:ListObjects", "oss:PutObject",
        "oss:DeleteObject", "oss:AbortMultipartUpload", "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:CreateFunction", "dlf:BatchGetPartitions", "dlf:ListDatabases", "dlf:CreateLock",
        "dlf:UpdateFunction", "dlf:BatchUpdateTables", "dlf:DeleteTableVersion",
        "dlf:UpdatePartitionColumnStatistics", "dlf:ListPartitions",
        "dlf:DeletePartitionColumnStatistics", "dlf:BatchUpdatePartitions", "dlf:GetPartition",
        "dlf:BatchDeleteTableVersions", "dlf:ListFunctions", "dlf:DeleteTable", "dlf:GetTableVersion",
        "dlf:AbortLock", "dlf:GetTable", "dlf:BatchDeleteTables", "dlf:RenameTable",
        "dlf:RefreshLock", "dlf:DeletePartition", "dlf:UnLock", "dlf:GetLock",
        "dlf:GetDatabase", "dlf:GetFunction", "dlf:BatchCreatePartitions", "dlf:ListPartitionNames",
        "dlf:RenamePartition", "dlf:CreateTable", "dlf:BatchCreateTables",
        "dlf:UpdateTableColumnStatistics", "dlf:ListTableNames", "dlf:UpdateDatabase",
        "dlf:GetTableColumnStatistics", "dlf:ListFunctionNames", "dlf:ListPartitionsByFilter",
        "dlf:GetPartitionColumnStatistics", "dlf:CreatePartition", "dlf:CreateDatabase",
        "dlf:DeleteTableColumnStatistics", "dlf:ListTableVersions", "dlf:BatchDeletePartitions",
        "dlf:ListCatalogs", "dlf:UpdateTable", "dlf:ListTables", "dlf:DeleteDatabase",
        "dlf:BatchGetTables", "dlf:DeleteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Attach the custom policy to the created RAM role.
For more information, see Grant permissions to a RAM role.