Regular authorization
Add a sub-account: add user RAM$zx037:cd-maxcompute;
Create a role: create role cd_development;
Grant project-level privileges on project slb_http_logs to role cd_development:
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List ON PROJECT slb_http_logs TO ROLE cd_development;
Grant table-level privileges on table slb_http_logs to role cd_development:
grant Describe, Select, Alter, Update ON TABLE slb_http_log TO ROLE cd_development;
Assign the role to the sub-account:
grant cd_development to RAM$zx037:cd-maxcompute;
Remove the role from the sub-account:
revoke cd_development from RAM$zx037:cd-maxcompute;


Authorization on all tables in a project (Drop privilege removed)
[root@ops-server ~]# cat /tmp/cd_development.json
{
  "Statement": [{
      "Action": ["odps:Read","odps:CreateInstance","odps:CreateTable","odps:List"],
      "Effect": "Allow",
      "Resource": ["acs:odps:*:projects/zx037_stage"]
    },
    {
      "Action": ["odps:Select","odps:Describe","odps:Alter","odps:Update"],
      "Effect": "Allow",
      "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]
    },
    {
      "Action": ["odps:Drop"],
      "Effect": "Deny",
      "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]
    }
  ],
  "Version": "1"
}
View the policy attached to the role: get policy on role cd_development;
Upload the local policy file to the role: put policy /tmp/cd_development.json on role cd_development;
Assign the role to the sub-account: grant cd_development to RAM$zx037:cd-maxcompute;
View the sub-account's privileges: show grants for RAM$zx037:cd-maxcompute;
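
How the Deny statement in this policy behaves when the sub-account also holds a broader role, as an added example that is not part of the original notes or of MaxCompute's own code. It is a simplified evaluation model (explicit Deny wins over Allow, glob-style `*` matching); BROAD_ROLE, the table name demo_table and the lint rule are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# The cd_development policy from this page, embedded so the example runs offline.
CD_DEVELOPMENT = json.loads("""
{"Version": "1", "Statement": [
 {"Effect": "Allow", "Resource": ["acs:odps:*:projects/zx037_stage"],
  "Action": ["odps:Read", "odps:CreateInstance", "odps:CreateTable", "odps:List"]},
 {"Effect": "Allow", "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"],
  "Action": ["odps:Select", "odps:Describe", "odps:Alter", "odps:Update"]},
 {"Effect": "Deny", "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"],
  "Action": ["odps:Drop"]}]}
""")
# Constructed, hypothetical second role that allows every action on every table.
BROAD_ROLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["odps:*"],
     "Resource": ["acs:odps:*:projects/zx037_stage/tables/*"]}]}
TABLE = "acs:odps:*:projects/zx037_stage/tables/demo_table"  # constructed name

def _hit(patterns, value):
    # '*' in a policy pattern matches any run of characters (assumed glob semantics).
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Simplified model: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if _hit(st["Action"], action) and _hit(st["Resource"], resource):
                if st["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

def lint(policy):
    """Return problems to fix before uploading the file with `put policy`."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for res in st.get("Resource", []):
            # Assumes the acs:odps:*:projects/... resource form used on this page.
            if not res.startswith("acs:odps:*:projects/"):
                problems.append(f"statement {i}: malformed resource {res!r}")
    return problems

if __name__ == "__main__":
    print(lint(CD_DEVELOPMENT))
    for action in ("odps:Select", "odps:Drop"):
        print(action, evaluate([CD_DEVELOPMENT, BROAD_ROLE], action, TABLE))
```

Without the explicit Deny, the broad role alone would allow Drop on every table; with cd_development attached as well, the request is denied.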
