If you are using DTS for the first time, you must authorize DTS by assigning the default role AliyunDTSDefaultRole to DTS. After authorization, DTS can access Alibaba Cloud resources such as RDS and ECS instances under the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can call relevant Alibaba Cloud resources.

Usage notes

If the message that requires authorization is not displayed when you log on to the DTS console, this indicates that the current Alibaba Cloud account has been authorized. You can skip the steps that are described in this topic.

Permission policies

The AliyunDTSDefaultRole policy is used to grant permissions to the default role of DTS. These permissions allow DTS to access ApsaraDB for RDS, Elastic Compute Service (ECS), PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, DRDS, DataHub, and Elasticsearch. The following statement shows the permission policies.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:CreateDBInstance",
                "rds:CreateAccount*",
                "rds:CreateDataBase*",
                "rds:ModifySecurityIps",
                "rds:GrantAccountPrivilege"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeRegions",
                "ecs:AuthorizeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dhs:ListProject",
                "dhs:GetProject",
                "dhs:CreateTopic",
                "dhs:ListTopic",
                "dhs:GetTopic",
                "dhs:UpdateTopic",
                "dhs:ListShard",
                "dhs:MergeShard",
                "dhs:SplitShard",
                "dhs:PutRecords",
                "dhs:GetRecords",
                "dhs:GetCursors"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:ListInstance",
                "elasticsearch:UpdateAdminPwd",
                "elasticsearch:UpdatePublicNetwork",
                "elasticsearch:UpdateBlackIps",
                "elasticsearch:UpdateKibanaIps",
                "elasticsearch:UpdatePublicIps",
                "elasticsearch:UpdateWhiteIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrds*",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeRegions",
                "drds:DescribeRdsList",
                "drds:CeateDrdsDB",
                "drds:DescribeShardDBs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterIPArrayList",
                "polardb:DescribeDBClusterNetInfo",
                "polardb:DescribeDBClusters",
                "polardb:DescribeRegions",
                "polardb:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstanceAttribute",
                "dds:DescribeReplicaSetRole",
                "dds:DescribeSecurityIps",
                "dds:DescribeDBInstances",
                "dds:ModifySecurityIps",
                "dds:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:DescribeInstances",
                "kvstore:DescribeRegions",
                "kvstore:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstanceInfo",
                "petadata:DescribeSecurityIPs",
                "petadata:DescribeInstances",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Note: For more information about permission policies, see Policy structure and syntax.
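The following is an added example, not part of the original page or of any Alibaba Cloud tooling. It triages the policy above for review by listing the actions that change network access lists or credentials while applying to every resource. The category keywords are assumed name-based heuristics, and `POLICY` is a constructed excerpt of the statements shown above.

```python
import json

# Constructed excerpt: a subset of the statements in the policy shown above.
POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["rds:Describe*", "rds:CreateDBInstance", "rds:CreateAccount*",
              "rds:CreateDataBase*", "rds:ModifySecurityIps", "rds:GrantAccountPrivilege"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["ecs:DescribeSecurityGroupAttribute", "ecs:DescribeInstances",
              "ecs:DescribeRegions", "ecs:AuthorizeSecurityGroup"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["elasticsearch:DescribeInstance", "elasticsearch:UpdateAdminPwd",
              "elasticsearch:UpdatePublicNetwork", "elasticsearch:UpdateWhiteIps"],
   "Resource": "*", "Effect": "Allow"}]}""")

# Assumed name-based heuristics for review triage, not an Alibaba Cloud classification.
READ_PREFIXES = ("Describe", "List", "Get")
NETWORK_HINTS = ("securityips", "securitygroup", "whiteips", "blackips",
                 "kibanaips", "publicips", "publicnetwork", "ipwhitelist")
CREDENTIAL_HINTS = ("account", "pwd", "privilege")

def classify(action):
    """Bucket a 'service:Operation' string by what it lets the role change."""
    op = action.split(":", 1)[1]
    if op.startswith(READ_PREFIXES):
        return "read"
    if any(h in op.lower() for h in NETWORK_HINTS):
        return "network-acl"
    if any(h in op.lower() for h in CREDENTIAL_HINTS):
        return "credential"
    return "write"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (category, action) for mutating actions allowed on every resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt["Action"]):
            category = classify(action)
            if category != "read":
                findings.append((category, action))
    return findings

if __name__ == "__main__":
    for category, action in audit(POLICY):
        print(f"{category:<12} {action}")
```

To review the complete policy, load the full JSON document in place of the excerpt. The `network-acl` and `credential` findings are the ones to weigh first when deciding who may create or assume this role.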

Authorize DTS by using an Alibaba Cloud account

  1. Log on to the DTS console.
  2. In the Information dialog box, click Authorize Role in RAM Console.
  3. In the Cloud Resource Access Authorization dialog box, click Confirm Authorization Policy.

Authorize DTS as a RAM user

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a policy named AliyunDTSDefaultRole for the RAM user.
    Note: The AliyunDTSDefaultRole policy cannot be directly attached to a RAM user in the RAM console. You must manually create this policy and attach the policy to the RAM user.
    1. In the left-side navigation pane, click Policies under Permissions.
    2. On the Policies page, click Create Policy.
    3. Configure parameters for the custom policy.
      | Parameter | Description |
      | --- | --- |
      | Policy Name | Enter an informative name for easy identification. In this example, enter AliyunDTSDefaultRole_Custom. |
      | Note | Optional. Enter the description of the policy. |
      | Configuration Mode | Select Script. To configure policies for DTS, you must select Script. |
      | Policy Document | This topic describes how to create a custom policy. You do not need to specify this parameter. |
      | Policy Statement | Replace the existing policy statement with the policy statement of AliyunDTSDefaultRole. For more information, see Permission policies. |
    4. Click OK.
    5. Click Back.
  3. Grant the RAM user the permissions to access Alibaba Cloud resources.
    1. In the left-side navigation pane, click Users under Identities.
    2. On the Users page, find the RAM user, and click Add Permissions in the Actions column.
    3. In the Add Permissions pane, select Custom Policy.
    4. Click the name of the created custom policy to add the policy to the Selected section. In this example, the policy name is AliyunDTSDefaultRole_Custom.
    5. Click OK.
    6. Click Complete.