AliyunServiceRoleForDAS is the RAM role that is linked to Database Autonomy Service (DAS). This topic describes the scenarios in which DAS uses the RAM role, lists the permissions that the role grants, and explains how to delete the role.

Background information

To implement DAS features, DAS may need to access other cloud services. To meet this need, Alibaba Cloud provides the AliyunServiceRoleForDAS RAM role that allows DAS to obtain the required access permissions. For more information, see Service linked roles.

Scenarios

You may need to connect DAS to the user-created databases that are hosted on Elastic Compute Service (ECS) instances. You may also need to connect DAS to the cloud databases that you purchase from Alibaba Cloud, such as ApsaraDB for RDS, ApsaraDB for MongoDB, ApsaraDB for Redis, and PolarDB databases. In these scenarios, DAS must have the permissions to access the databases. To obtain the required access permissions, DAS can assume the AliyunServiceRoleForDAS RAM role.

Introduction

The name of the RAM role is AliyunServiceRoleForDAS.

The permission policy that is attached to the RAM role is AliyunServiceRolePolicyForDAS.

The permission policy specifies the following permissions:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:DescribeDatabases",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeAccounts",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstancePerformance",
        "rds:ModifySecurityIps",
        "rds:CreateAccount",
        "rds:GrantAccountPrivilege",
        "rds:RevokeAccountPrivilege",
        "rds:CreateDatabase",
        "rds:ModifyDBInstanceDescription",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSlowLogs",
        "rds:DescribeResourceUsage",
        "rds:DescribeSQLCollectorPolicy",
        "rds:ModifyDBInstanceSpec",
        "rds:DescribeTasks",
        "rds:DescribeTaskIdByRequestID",
        "rds:ModifyDBNodeClass",
        "rds:DescribeParameters",
        "rds:ModifyParameter"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribePhysicalConnections",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeVirtualBorderRouters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeSecurityGroups",
        "ecs:JoinSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeDisks",
        "ecs:DescribeImages"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeCacheAnalysisReport",
        "kvstore:DescribeCacheAnalysisReportList",
        "kvstore:CreateCacheAnalysisTask",
        "kvstore:DescribeAccounts",
        "kvstore:CreateAccount",
        "kvstore:DescribeRegions",
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeHistoryMonitorValues",
        "kvstore:DescribeMonitorItems",
        "kvstore:VerifyPassword",
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:ModifyInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:DescribeMigrationJobs",
        "dts:DescribeMigrationJobDetail",
        "dts:DescribeMigrationJobStatus",
        "dts:CreateMigrationJob",
        "dts:ConfigureMigrationJob",
        "dts:SuspendMigrationJob",
        "dts:StartMigrationJob",
        "dts:StopMigrationJob",
        "dts:DeleteMigrationJob",
        "dts:DescribeSynchronizationJobs",
        "dts:DescribeSynchronizationJobStatus",
        "dts:CreateSynchronizationJob",
        "dts:ConfigureSynchronizationJob",
        "dts:SuspendSynchronizationJob",
        "dts:StartSynchronizationJob",
        "dts:DeleteSynchronizationJob",
        "dts:DescribeObjectModifyStatus",
        "dts:ModifySynchronizationObject",
        "dts:ResetSynchronizationJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeUserServiceStatus",
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeRegions",
        "dds:DescribeDBInstancePerformance",
        "dds:DescribeSecurityIps",
        "dds:ModifyDBInstanceDescription",
        "dds:ModifySecurityIps",
        "dds:DescribeShardingNetworkAddress",
        "dds:DescribeSlowLogRecords",
        "dds:DescribeRunningLogRecords",
        "dds:DescribeErrorLogList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:QueryContactGroup",
        "cms:QueryContact"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusters",
        "polardb:DescribeRegions",
        "polardb:DescribeDBClusterAttribute",
        "polardb:ModifyDBNodeClass",
        "polardb:DescribeDBClusterAvailableResources",
        "polardb:CreateDBNodes",
        "polardb:DeleteDBNodes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "hdm.aliyuncs.com"
        }
      }
    }
  ]
}
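
Added example (not part of the original Alibaba Cloud documentation): a short Python audit that lists which actions in the policy above go beyond read-only access, and whether each grant applies to every resource or is narrowed by a Condition. The embedded policy is a trimmed excerpt of the statements listed above; the read-only prefix heuristic and the function names are assumptions of this example.

```python
import json

# Trimmed excerpt of AliyunServiceRolePolicyForDAS as listed above.
POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["rds:DescribeDBInstances", "rds:ModifySecurityIps",
                "rds:CreateAccount", "rds:GrantAccountPrivilege"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup",
                "ecs:JoinSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["cms:QueryContactGroup", "cms:QueryContact"], "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "hdm.aliyuncs.com"}}}
  ]
}
""")

# Assumption of this example: API names with these verb prefixes are read-only.
READ_PREFIXES = ("Describe", "Query")


def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy):
    """Return {service: [(action, scope)]} for every allowed action that is not read-only."""
    findings = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in as_list(stmt.get("Resource", []))
        conditioned = bool(stmt.get("Condition"))
        for action in as_list(stmt["Action"]):
            service, _, name = action.partition(":")
            if name.startswith(READ_PREFIXES):
                continue
            scope = "conditioned" if conditioned else ("wildcard" if wildcard else "scoped")
            findings.setdefault(service, []).append((name, scope))
    return findings


if __name__ == "__main__":
    for service, items in sorted(audit(POLICY_EXCERPT).items()):
        print(service, items)
```

Run against the full policy document, the same function inventories every write-capable grant, including the ModifySecurityIps and AuthorizeSecurityGroup actions that can change network access rules.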

Delete the AliyunServiceRoleForDAS RAM role

For information about how to delete the AliyunServiceRoleForDAS RAM role, see Service linked roles.