When you perform specific operations in DRDS, API operations of ApsaraDB for RDS are called. Therefore, before you use Resource Access Management (RAM), you must activate the authorization for DRDS to access ApsaraDB for RDS and create a RAM role that DRDS can use to access ApsaraDB for RDS. This topic describes how to activate authorization in the console and by calling API operations of RAM.

Activate RAM authorization in the console

  1. Log on to the DRDS console.
  2. In the left-side navigation pane, click Resource Authorization.
  3. On the Cloud Resource Authorization Management page, click Activate Authorization.
  4. In the dialog box that appears, click Confirm Authorization Policy.
    Warning When you activate authorization, a RAM role named AliyunDRDSDefaultRole is created by default in the RAM console. DRDS uses this RAM role to access the ApsaraDB RDS for MySQL resources of the corresponding account. DRDS is also authorized to access API operations of ApsaraDB for RDS. Exercise caution when you delete this RAM role.

Activate RAM authorization by calling API operations of RAM

If you cannot access the console temporarily, you can call the related API operation to create a RAM role. After the RAM role is created, the authorization for DRDS to access ApsaraDB RDS for MySQL resources is also activated.

  • Create a RAM role named Jack.
    • Call the CreateRole operation and specify the following parameters to create a RAM role.
      Parameter                  Description
      Action                     CreateRole
      RoleName                   Jack
      AssumeRolePolicyDocument   The trust policy, in the following format:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "drds.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }         
    • Use the SDK for Java to create a RAM role. The following code is a demo:
      // client is an already initialized IAcsClient for the account.
      // Create a role whose trust policy lets only the DRDS service assume it.
      String rolePolicyDoc = "{\"Statement\":[{\"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\",\"Principal\":{\"Service\":[\"drds.aliyuncs.com\"]}}],\"Version\": \"1\"}";
      String roleName = "Jack";
      CreateRoleRequest request = new CreateRoleRequest();
      request.setRoleName(roleName);
      request.setAssumeRolePolicyDocument(rolePolicyDoc);
      client.getAcsResponse(request);
      // Grant permissions to the role that was just created.
      AttachPolicyToRoleRequest attachRequest = new AttachPolicyToRoleRequest();
      attachRequest.setPolicyType("System");
      attachRequest.setPolicyName("AliyunDRDSRolePolicy");
      attachRequest.setRoleName(roleName);
      client.getAcsResponse(attachRequest);
  • Check whether the RAM role named Jack is created.
    • Call the GetRole operation and specify the following parameters to query the details of the RAM role.
      Parameter   Description
      Action      GetRole
      RoleName    Jack
    • Use the SDK for Java to query the details of the RAM role. The following code is a demo:
      // Query the role created in the previous step.
      String roleName = "Jack";
      GetRoleRequest request = new GetRoleRequest();
      request.setRoleName(roleName);
      GetRoleResponse resp = client.getAcsResponse(request);
      // The call throws an exception if the role does not exist.
      GetRoleResponse.Role role = resp.getRole();
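
After the role exists, it is worth confirming that its trust policy still allows only the DRDS service to assume it. The following check is an added example, not part of the original topic or of any Alibaba Cloud SDK. It assumes that you already have the role's trust policy as a JSON string; the names audit_trust_policy, PAGE_POLICY and BROAD_POLICY are hypothetical, and the account ID in BROAD_POLICY is constructed.

```python
import json

EXPECTED_SERVICE = "drds.aliyuncs.com"  # service principal from the page's trust policy
EXPECTED_ACTION = "sts:AssumeRole"

# The trust policy from this page, and a constructed over-broad variant.
PAGE_POLICY = ('{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",'
               '"Principal":{"Service":["drds.aliyuncs.com"]}}],"Version":"1"}')
BROAD_POLICY = ('{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow",'
                '"Principal":{"Service":["drds.aliyuncs.com"],'
                '"RAM":["acs:ram::000000000000:root"]}}],"Version":"1"}')  # constructed


def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(document):
    """Return a list of findings; an empty list means only DRDS may assume the role."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy is not a JSON object"]
    findings = []
    if policy.get("Version") != "1":
        findings.append(f"unexpected Version {policy.get('Version')!r}")
    allows = [s for s in _as_list(policy.get("Statement"))
              if isinstance(s, dict) and s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement, so DRDS cannot assume the role")
    for i, stmt in enumerate(allows):
        if _as_list(stmt.get("Action")) != [EXPECTED_ACTION]:
            findings.append(f"statement {i}: unexpected Action {stmt.get('Action')!r}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal missing or not an object")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) != ("Service", EXPECTED_SERVICE):
                    findings.append(f"statement {i}: extra principal {kind}={value}")
        if EXPECTED_SERVICE not in _as_list(principal.get("Service")):
            findings.append(f"statement {i}: {EXPECTED_SERVICE} is not trusted")
    return findings
```

Any finding other than an empty list means the role can be assumed by something besides DRDS, or cannot be assumed by DRDS at all.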