All Products
Search

This Product

    MaxCompute:STS mode authorization

    Document Center

    MaxCompute:STS mode authorization

    Last Updated:Dec 05, 2025

    MaxCompute integrates with Alibaba Cloud Resource Access Management (RAM) and Security Token Service (STS) to ensure secure data access. This topic describes the authorization methods that use RAM and STS.

    STS mode authorization for a regular role for OSS

    Before a MaxCompute external table can directly access data in Object Storage Service (OSS), you must grant the required OSS permissions to the MaxCompute access account. You can grant these permissions in one of the following ways:

    • One-click authorization (recommended): If the same Alibaba Cloud account owns both MaxCompute and OSS, you can log on to your Alibaba Cloud account and click here to complete one-click authorization.

      Note

      The default AliyunODPSDefaultRole role has extensive permissions and is provided for reference only. Configure appropriate permission and trust policies in the RAM console based on the external data that your MaxCompute external tables or data sources need to access.

    • Custom authorization: You can use this method regardless of whether the same account owns MaxCompute and OSS. The procedure is as follows.

      • If the same account owns MaxCompute and OSS, set service to odps.aliyuncs.com when you add the trust policy.

      • If different accounts own MaxCompute and OSS, set service to <UID of the MaxCompute owner's Alibaba Cloud account>@odps.aliyuncs.com when you add the trust policy. You can find the UID of the Alibaba Cloud account that owns MaxCompute on the Account Overview page.

      1. Create a RAM role.

        Log on to the RAM console and create a role on the RAM Roles page. For example, you can create a role named oss-admin. For more information about how to create a role, see Create a RAM role for a trusted Alibaba Cloud account.image

      2. Modify the trust policy of the RAM role.

        1. Log on to the Resource Access Management (RAM) console.

        2. In the navigation pane on the left, choose Identities > Roles.

        3. On the Roles page, click the target Role Name to open its details page.

        4. On the Trust Policy tab, click Edit Trust Policy. On the Edit Trust Policy page, click the JSON tab.

          Configure the following policy:

          If the same account owns MaxCompute and OSS

          {
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

          If different accounts own MaxCompute and OSS

          {
"Statement": [
{
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
   "Service": [
     "<UID of the MaxCompute owner's Alibaba Cloud account>@odps.aliyuncs.com"
   ]
 }
}
],
"Version": "1"
}

        5. When you are finished, click OK.

      3. Create a permission policy.

        On the Policies page in the RAM console, create a permission policy. For example, you can create a policy named AliyunODPSRolePolicy.

        The following is an example policy. You can also customize permissions. For more information, see Create a custom permission policy.

        {
"Version": "1",
"Statement": [
{
 "Action": [
   "oss:ListBuckets",
   "oss:GetObject",
   "oss:ListObjects",
   "oss:PutObject",
   "oss:DeleteObject",
   "oss:AbortMultipartUpload",
   "oss:ListParts"
 ],
 "Resource": "*",
 "Effect": "Allow"
}
]
}

      4. Grant the new permission policy to the new RAM role.

        1. Log on to the Resource Access Management (RAM) console.

        2. In the navigation pane on the left, choose Identities > Roles.

        3. On the Roles page, click the target Role Name to open its details page.

        4. On the Permissions tab, click Grant Permission. In the Grant Permission panel, select an access policy for the role and click OK.

          For more information, see Grant permissions to a RAM role.

    STS mode authorization for a regular role for Tablestore

    Before a MaxCompute external table can directly access data in Tablestore, you must grant the required Tablestore permissions to the MaxCompute access account. You can grant these permissions in one of the following ways:

    • One-click authorization (recommended): If the same Alibaba Cloud account owns both MaxCompute and Tablestore, you can log on to your Alibaba Cloud account and click here to complete one-click authorization.

    • Custom authorization: If different accounts own MaxCompute and Tablestore, create a custom role and grant permissions.

      1. Create a RAM role.

        Log on to the RAM console using the Alibaba Cloud account that owns Tablestore and create a role on the RAM Roles page. For example, you can create a role named oss-adminots.

        For more information about how to create a role, see Create a RAM role for a trusted Alibaba Cloud account.

      2. Modify the trust policy of the RAM role.

        If different accounts own MaxCompute and Tablestore, configure the policy as shown in the following example to enable cross-account access from MaxCompute to Tablestore.

        1. Log on to the Resource Access Management (RAM) console.

        2. In the navigation pane on the left, choose Identities > Roles.

        3. On the Roles page, click the target Role Name to open its details page.

        4. On the Trust Policy tab, click Edit Trust Policy. On the Edit Trust Policy page, click the JSON tab.

          Configure the following policy:

          {
"Statement": [
{
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
   "Service": [
     "<UID of the MaxCompute owner's Alibaba Cloud account>@odps.aliyuncs.com"
   ]
 }
}
],
"Version": "1"
}

          Alibaba Cloud account ID of the MaxCompute owner is the ID of the Alibaba Cloud account that is used to access the OTS service.

      3. Create a permission policy.

        On the Policies page in the RAM console, create a permission policy. For example, you can create a policy named AliyunODPSRolePolicy.

        The following is a sample policy. You can also customize other permissions. For more information, see Create a custom permission policy.

        {
"Version": "1",
"Statement": [
{
 "Action": [
   "ots:ListTable",
   "ots:DescribeTable",
   "ots:GetRow",
   "ots:PutRow",
   "ots:UpdateRow",
   "ots:DeleteRow",
   "ots:GetRange",
   "ots:BatchGetRow",
   "ots:BatchWriteRow",
   "ots:ComputeSplitPointsBySize"
 ],
 "Resource": "*",
 "Effect": "Allow"
}
]
}

      4. Grant the AliyunODPSRolePolicy permission policy to the new RAM role.

        1. Log on to the Resource Access Management (RAM) console.

        2. In the navigation pane on the left, choose Identities > Roles.

        3. On the Roles page, click the target Role Name to open its details page.

        4. On the Permissions tab, click Grant Permission. In the Grant Permission panel, select an access policy for the role and click OK.

          For more information, see Grant permissions to a RAM role.

    STS mode authorization for a regular role for Hologres

    Before a MaxCompute external table can directly access data in Hologres, you must grant the required Hologres permissions to the MaxCompute access account. This section describes how to grant permissions in STS mode for Hologres.

    1. Log on to the RAM console using the Alibaba Cloud account that owns Hologres and create a role on the RAM Roles page.

    2. Modify the trust policy

      1. Log on to the Resource Access Management (RAM) console.

      2. In the navigation pane on the left, choose Identities > Roles.

      3. On the Roles page, click the target Role Name to open its details page.

      4. On the Trust Policy tab, click Edit Trust Policy. On the Edit Trust Policy page, click the JSON tab.

        The trust policy configuration depends on the trusted entity type that you select.

        • If the trusted entity is an Alibaba Cloud account, configure the policy as follows:

          {
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<UID>:root"
        ]
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID>@odps.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

        • If the trusted entity is an identity provider, configure the policy as follows:

          {
  "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
                }
            },
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "acs:ram::<UID>:saml-provider/IDP"
                ]
            }
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "<UID>@odps.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

    3. Add the RAM role to a Hologres instance and grant permissions

      The RAM role must have developer permissions on the Hologres instance to use Hologres resources within the authorized scope.

      By default, a RAM role does not have permissions to view or manage instances in the Hologres console. Therefore, an Alibaba Cloud account must grant the relevant RAM permissions before you can proceed.

      To add a RAM role to a Hologres instance:

      Grant permissions in the Hologres console

      1. Log on to the Hologres Management Console, and select a region in the top-left corner.

      2. In the left navigation pane, select Instances.

      3. On the Instances page, click the name of the target instance.

      4. On the instance details page, in the left navigation pane, select Account Management.

      5. On the User Management page, you can click Add User.

      6. On the Add User page, configure the required information and click OK.

        • For Role, select AliyunODPSDefaultRole.

        • For Member Role, select Regular User.

      7. On the User Management page, in the navigation pane on the left, select Database Authorization.

      8. On the Database Authorization page, click Create Database.

      9. In the Create Database dialog box, configure the required parameters and click OK.

        Set Permission Policy to SPM.

      10. On the Database Authorization page, click Authorize User in the Actions column for the target database.

      11. Click Grant Permissions in the upper-right corner. In the Grant Permissions dialog box, configure the User and User Group.

        • For User, select the RAM user that you want to configure.

        • For User Group, select Developer.

      Grant permissions using SQL

      For information about the authorization SQL statements, see Hologres permission model.

      Tab title

      Grant the new permission policy AliyunODPSRolePolicy to the new RAM role.

      1. Log on to the Resource Access Management (RAM) console.

      2. In the navigation pane on the left, choose Identities > Users.

      3. On the Users page, click the User Logon Name/Display Name of the target user to open the user details page.

      4. On the user details page, click the Permissions tab.

      5. On the Permissions tab, select Individual and click Grant Permission.

      6. In the Grant Permission panel, select an access policy and click OK.

        For Permission Policy, select AliyunRAMReadOnlyAccess.

        For more information about how to grant permissions, see Grant permissions to a RAM user.

    Note

    Hologres also supports dual-signature authentication. For more information, see Create a Hologres external table (dual-signature mode).

    STS mode authorization for a regular role for DLF and OSS

    When you build a data lakehouse with MaxCompute, DLF, and OSS, you must grant permissions because the account that owns the MaxCompute project cannot access DLF or OSS by default. You can grant these permissions in one of the following ways:

    • One-click authorization (recommended): Use this method if the account that created the MaxCompute project is the same as the account that deployed DLF and OSS. Click Grant permissions to DLF and OSS to complete one-click authorization.

    • Custom authorization: You can use this method regardless of whether the account that created the MaxCompute project is the same as the account that deployed DLF and OSS. The procedure is as follows.

      • If the account that owns the MaxCompute project is the same as the account that deploys DLF, set service to odps.aliyuncs.com when you add the trust policy.

      • If the account that owns the MaxCompute project is different from the account that deploys DLF, set service to <UID of the Alibaba Cloud account that owns the MaxCompute project>@odps.aliyuncs.com when you add the trust policy. You can find the UID of the Alibaba Cloud account that owns the MaxCompute project on the Account Overview page.

      1. Log on to the RAM console to create a RAM role for a trusted Alibaba Cloud account.

      2. In the RAM console, modify the trust policy of the RAM role. The following code provides a sample policy:

        If the same account created the MaxCompute project and deployed DLF

        {
"Statement": [
{
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
   "Service": [
     "odps.aliyuncs.com"
   ]
 }
}
],
"Version": "1"
}

        If different accounts created the MaxCompute project and deployed DLF

        {
"Statement": [
{
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Principal": {
   "Service": [
     "<UID of the Alibaba Cloud account that owns the MaxCompute project>@odps.aliyuncs.com"  
   ]
 }
}
],
"Version": "1"
}

      3. In the RAM console, create a custom permission policy for the new RAM role. For more information, see Create a custom policy. The following code provides a sample custom policy:

        {
"Version": "1",
"Statement": [
{
 "Action": [
   "oss:ListBuckets",
   "oss:GetObject",
   "oss:ListObjects",
   "oss:PutObject",
   "oss:DeleteObject",
   "oss:AbortMultipartUpload",
   "oss:ListParts"
 ],
 "Resource": "*",
 "Effect": "Allow"
},
{
 "Action": [
 "dlf:CreateFunction",
"dlf:BatchGetPartitions",
"dlf:ListDatabases",
"dlf:CreateLock",
"dlf:UpdateFunction",
"dlf:BatchUpdateTables",
"dlf:DeleteTableVersion",
"dlf:UpdatePartitionColumnStatistics",
"dlf:ListPartitions",
"dlf:DeletePartitionColumnStatistics",
"dlf:BatchUpdatePartitions",
"dlf:GetPartition",
"dlf:BatchDeleteTableVersions",
"dlf:ListFunctions",
"dlf:DeleteTable",
"dlf:GetTableVersion",
"dlf:AbortLock",
"dlf:GetTable",
"dlf:BatchDeleteTables",
"dlf:RenameTable",
"dlf:RefreshLock",
"dlf:DeletePartition",
"dlf:UnLock",
"dlf:GetLock",
"dlf:GetDatabase",
"dlf:GetFunction",
"dlf:BatchCreatePartitions",
"dlf:ListPartitionNames",
"dlf:RenamePartition",
"dlf:CreateTable",
"dlf:BatchCreateTables",
"dlf:UpdateTableColumnStatistics",
"dlf:ListTableNames",
"dlf:UpdateDatabase",
"dlf:GetTableColumnStatistics",
"dlf:ListFunctionNames",
"dlf:ListPartitionsByFilter",
"dlf:GetPartitionColumnStatistics",
"dlf:CreatePartition",
"dlf:CreateDatabase",
"dlf:DeleteTableColumnStatistics",
"dlf:ListTableVersions",
"dlf:BatchDeletePartitions",
"dlf:ListCatalogs",
"dlf:UpdateTable",
"dlf:ListTables",
"dlf:DeleteDatabase",
"dlf:BatchGetTables",
"dlf:DeleteFunction"
 ],
 "Resource": "*",
 "Effect": "Allow"
}
]
}

      4. Grant the custom permission policy to the new RAM role. For more information, see Grant permissions to a RAM role.

    STS mode authorization for a service-linked role for Hologres

    When MaxCompute accesses data in Hologres using an external data source and an external project, you must grant the required Hologres data permissions to the MaxCompute access account.

    Using the task executor identity essentially grants the MaxCompute service-linked role permissions to access Hologres and passes the task executor's identity to Hologres. Both services restrict the current task executor to the permissions that they have within each product. Therefore, you must first create a service-linked role for MaxCompute and grant permissions to it. You can grant the permissions in the following way:

    1. Log on to the Resource Access Management (RAM) console.

    2. In the navigation pane on the left, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the upper-right corner of the Create Role page, click Create Service Linked Role.

    5. On the Create Service Linked Role page, for Select Service, select aliyunserviceroleformaxcomputeidentitymgmt, and click Create Service Linked Role.

      If a message indicates that the role already exists, the role has already been authorized. You can ignore this message.

    STS mode authorization for a service-linked role for Paimon_DLF

    When MaxCompute accesses data in Paimon_DLF using an external data source and an external project, you must grant the required DLF data permissions to the MaxCompute access account.

    Using the task executor identity essentially grants the MaxCompute service-linked role permissions to access DLF and passes the task executor's identity to DLF. Both services restrict the current task executor to the permissions that they have within each product. Therefore, you must first create a service-linked role for MaxCompute and grant permissions to it. You can grant the permissions in the following way:

    1. Log on to the Resource Access Management (RAM) console.

    2. In the navigation pane on the left, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the upper-right corner of the Create Role page, click Create Service Linked Role.

    5. On the Create Service Linked Role page, select AliyunServiceRoleForMaxComputeLakehouse for Select Service, and click Create Service Linked Role.

      If a message indicates that the role already exists, the role has already been authorized. You can ignore this message.