All Products
Search
Document Center

Data Transmission Service:Authorize DTS to access Alibaba Cloud resources

Last Updated:Mar 07, 2024

If you use Data Transmission Service (DTS) for the first time, you must assign the default role AliyunDTSDefaultRole to DTS and attach the AliyunDTSRolePolicy policy to the role. After the authorization is complete, DTS can access Alibaba Cloud resources such as ApsaraDB for RDS and Elastic Compute Service (ECS) instances within the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can specify relevant Alibaba Cloud resources to be accessed by DTS.

Background information

If you do not authorize DTS to access Alibaba Cloud resources,

  • the following error message is displayed when you log on to the DTS console.DTS提示未授权

  • the following error message is displayed when you configure a task.image

Usage notes

If the current Alibaba Cloud account has been authorized, no message is displayed to prompt authorization when you log on to the DTS console. You can skip the steps that are described in the "Authorize DTS to access Alibaba Cloud resources in the Cloud Resource Access Authorization message" and "Authorize DTS to access Alibaba Cloud resources in the RAM console" sections of this topic.

Authorize DTS to access Alibaba Cloud resources in the Cloud Resource Access Authorization message

  1. Log on to the DTS console by using an Alibaba Cloud account.

  2. In the Error Message message, click Authorize Role in RAM Console.

    Note

    You can also authorize DTS to access Alibaba Cloud resources in the Resource Access Management (RAM) console. For more information, see the Authorize DTS to access Alibaba Cloud resources in the RAM console section of this topic.

  3. In the Cloud Resource Access Authorization message, click Confirm Authorization Policy.

    If the "Cloud resource access authorization successful" message appears, the authorization is complete.

    授予DTS权限

Authorize DTS to access Alibaba Cloud resources in the RAM console

  1. Find the default role.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. To the right of Create Role, enter AliyunDTSDefaultRole in the search box.

  2. Find the role AliyunDTSDefaultRole and click it name.

  3. Grant the required permissions to the RAM role.

    1. On the Permissions tab, click Precise Permission.

      image

    2. Optional. In the Precise Permission panel, select System Policy for the Type parameter.

      image

    3. In the Policy Name field, enter AliyunDTSRolePolicy.

    4. Click OK.

  4. After you grant the required permissions, click Close.

View the authorization result

You can perform the following steps to view the result of authorization by using the default role. If you have created the role AliyunDTSDefaultRole and assigned the role to DTS, but the system still prompts that DTS is not authorized to access Alibaba Cloud resources, you can also see the following steps to grant the permissions to DTS again.

  1. Log on to the RAM console by using an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. In the left-side navigation pane, choose Identities > Roles. On the page that appears, enter AliyunDTSDefaultRole in the search box to the right of Create Role.

  4. Find the role AliyunDTSDefaultRole and click it name.

  5. Click the role AliyunDTSDefaultRole to view the role details.

    • If both of the following conditions are met, the authorization is successful:

      • On the Trust Policy tab, dts.aliyuncs.com is included in the Service field.

        image

      • On the Permissions tab, the AliyunDTSRolePolicy policy exists.

        image

    • If one of the preceding conditions is not met, the authorization fails. You must grant the permissions again.

      Delete the role AliyunDTSDefaultRole and go to the Cloud Resource Access Authorization page to authorize DTS to access Alibaba Cloud resources.

Policy description

The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to manage multiple cloud resources such as ApsaraDB for RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch. For more information, see AliyunDTSRolePolicy.

Note

For more information about the policy, see Policy structure and syntax.