AliyunServiceRoleForDAS is the RAM role that is linked to Database Autonomy Service (DAS). This topic describes the scenarios in which the role is used and how to delete it.

Background information

To implement some of its features, DAS may need to access other cloud services. Resource Access Management (RAM) therefore provides the AliyunServiceRoleForDAS role, which allows DAS to obtain the required access permissions. For more information, see Service linked roles.

Scenarios

You may need to connect DAS to the user-created databases that are hosted on Elastic Compute Service (ECS) instances. You may also need to connect DAS to the cloud databases that you purchase from Alibaba Cloud, such as ApsaraDB RDS, ApsaraDB for MongoDB, ApsaraDB for Redis, and PolarDB databases. In these scenarios, DAS must have the permissions to access the databases. To obtain the required access permissions, DAS can assume the AliyunServiceRoleForDAS role.

Introduction

The name of the RAM role is AliyunServiceRoleForDAS.

The permission policy that is attached to the RAM role is AliyunServiceRolePolicyForDAS.

The permission policy specifies the following permissions:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:DescribeDatabases",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeAccounts",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstancePerformance",
        "rds:ModifySecurityIps",
        "rds:CreateAccount",
        "rds:GrantAccountPrivilege",
        "rds:RevokeAccountPrivilege",
        "rds:CreateDatabase",
        "rds:ModifyDBInstanceDescription",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSlowLogs",
        "rds:DescribeResourceUsage",
        "rds:DescribeSQLCollectorPolicy",
        "rds:ModifyDBInstanceSpec",
        "rds:DescribeTasks",
        "rds:DescribeTaskIdByRequestID",
        "rds:ModifyDBNodeClass",
        "rds:DescribeParameters",
        "rds:ModifyParameter"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribePhysicalConnections",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeVirtualBorderRouters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeSecurityGroups",
        "ecs:JoinSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeDisks",
        "ecs:DescribeImages"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeCacheAnalysisReport",
        "kvstore:DescribeCacheAnalysisReportList",
        "kvstore:CreateCacheAnalysisTask",
        "kvstore:DescribeAccounts",
        "kvstore:CreateAccount",
        "kvstore:DescribeRegions",
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeHistoryMonitorValues",
        "kvstore:DescribeMonitorItems",
        "kvstore:VerifyPassword",
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:ModifyInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:DescribeMigrationJobs",
        "dts:DescribeMigrationJobDetail",
        "dts:DescribeMigrationJobStatus",
        "dts:CreateMigrationJob",
        "dts:ConfigureMigrationJob",
        "dts:SuspendMigrationJob",
        "dts:StartMigrationJob",
        "dts:StopMigrationJob",
        "dts:DeleteMigrationJob",
        "dts:DescribeSynchronizationJobs",
        "dts:DescribeSynchronizationJobStatus",
        "dts:CreateSynchronizationJob",
        "dts:ConfigureSynchronizationJob",
        "dts:SuspendSynchronizationJob",
        "dts:StartSynchronizationJob",
        "dts:DeleteSynchronizationJob",
        "dts:DescribeObjectModifyStatus",
        "dts:ModifySynchronizationObject",
        "dts:ResetSynchronizationJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "pvtz:DescribeUserServiceStatus",
        "pvtz:DescribeZones",
        "pvtz:DescribeZoneRecords",
        "pvtz:UpdateZoneRecord"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeRegions",
        "dds:DescribeDBInstancePerformance",
        "dds:DescribeSecurityIps",
        "dds:ModifyDBInstanceDescription",
        "dds:ModifySecurityIps",
        "dds:DescribeShardingNetworkAddress",
        "dds:DescribeSlowLogRecords",
        "dds:DescribeRunningLogRecords",
        "dds:DescribeErrorLogList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:QueryContactGroup",
        "cms:QueryContact"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusters",
        "polardb:DescribeRegions",
        "polardb:DescribeDBClusterAttribute",
        "polardb:ModifyDBNodeClass",
        "polardb:DescribeDBClusterAvailableResources",
        "polardb:CreateDBNodes",
        "polardb:DeleteDBNodes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "hdm.aliyuncs.com"
        }
      }
    }
  ]
}
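When reviewing what this role lets DAS do in an account, it helps to separate read-only actions from actions that change state, and to note which of the latter apply to every resource with no condition. The following Python sketch is an added example, not code from Alibaba Cloud; it runs over an abridged excerpt of the policy above, and the `READ_PREFIXES` classification and the function names are assumptions made for illustration.

```python
import json

# Abridged excerpt of AliyunServiceRolePolicyForDAS as listed above (3 of 10 statements).
POLICY_EXCERPT = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["rds:DescribeDBInstances", "rds:ModifySecurityIps", "rds:CreateAccount",
              "rds:GrantAccountPrivilege", "rds:ModifyParameter"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["ecs:DescribeSecurityGroups", "ecs:JoinSecurityGroup",
              "ecs:AuthorizeSecurityGroup", "ecs:RevokeSecurityGroup"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "hdm.aliyuncs.com"}}}
]}
""")

# Assumption: these verb prefixes are read-only; every other verb counts as a write.
READ_PREFIXES = ("Describe", "Query", "List", "Get")

def as_list(value):
    """Action and Resource may be a bare string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy):
    """Group Allow actions per service into read, write and unscoped write."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # Unscoped: applies to all resources and carries no Condition block.
        unscoped = "*" in as_list(stmt.get("Resource", [])) and not stmt.get("Condition")
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            entry = findings.setdefault(
                service, {"read": [], "write": [], "unscoped_write": []})
            if verb.startswith(READ_PREFIXES):
                entry["read"].append(verb)
            else:
                entry["write"].append(verb)
                if unscoped:
                    entry["unscoped_write"].append(verb)
    return findings

if __name__ == "__main__":
    for service, entry in sorted(audit(POLICY_EXCERPT).items()):
        print(f"{service}: {len(entry['read'])} read, {len(entry['write'])} write; "
              f"unscoped writes: {', '.join(entry['unscoped_write']) or 'none'}")
```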

Delete the AliyunServiceRoleForDAS role

For information about how to delete the AliyunServiceRoleForDAS role, see Service linked roles.