The Cloud Migration Hub (CMH) service-linked role (AliyunServiceRoleForCMH) grants CMH access to other cloud services. You can delete the role when it is no longer needed.
Scenarios
AliyunServiceRoleForCMH is used in the following scenarios:
- Access Server Migration Center (SMC): When you link the server migration tool, CMH syncs your tasks from SMC. This role grants CMH permission to query SMC.
- Access Data Transmission Service (DTS): When you link the database migration tool, CMH syncs your tasks from DTS. This role grants CMH permission to query DTS.
- Use Cloud Config: When you link the Alibaba Cloud import feature, CMH syncs the resources you purchased in a specific region. This role grants CMH permission to query the resource list and details.
- Use IaC Service: When you create resources in batches for a migration plan, CMH uses the resource export and creation features of IaC Service. This role grants CMH permission to manage IaC Service. Note: This permission only covers IaC Service. To export and create your Alibaba Cloud resources in this scenario, your account must have management permissions for those resources.
- Migrate Alibaba Cloud resources: When you use the cross-zone migration template to create a migration plan, CMH migrates your resources across zones. This role grants CMH permission to query and migrate your resources. The supported cloud products include Elastic Compute Service (ECS), ApsaraDB RDS, Tair (Redis OSS-compatible), Server Load Balancer (SLB), and VPC vSwitches.
For more information about service-linked roles, see Service-linked roles.
Permissions
Role name: AliyunServiceRoleForCMH
Access policy: AliyunServiceRolePolicyForCMH
Description: CMH uses this role by default to access your resources in other cloud products, such as SMC, DTS, and Cloud Config.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListImportJob",
        "oss:ListImportAddress",
        "oss:ListBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "smc:DescribeSourceServers",
        "smc:DescribeReplicationJobs",
        "smc:CreateReplicationJob",
        "smc:StartReplicationJob"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dts:DescribeDtsJobs",
        "dts:ConfigureDtsJob",
        "dts:StartDtsJob",
        "dts:CreateDtsInstance",
        "dts:DescribeDatabases",
        "dts:DescribePreCheckStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:ListDiscoveredResources",
        "config:GetDiscoveredResource",
        "config:GetDiscoveredResourceCountsGroupByResourceType",
        "config:GetDiscoveredResourceCountsGroupByRegion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:MigrateToOtherZone",
        "rds:DescribeAvailableClasses",
        "rds:DescribeAvailableZones",
        "rds:ModifySecurityIps",
        "rds:DescribeDatabases"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:MigrateToOtherZone",
        "kvstore:DescribeAvailableResource",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oos:StartExecution",
        "oos:ListExecutions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iacservice:CreateModule",
        "iacservice:ListModules",
        "iacservice:UpdateModuleAttribute",
        "iacservice:GetModule",
        "iacservice:CreateModuleVersion",
        "iacservice:ListModuleVersion",
        "iacservice:GetModuleVersion",
        "iacservice:CreateTask",
        "iacservice:GetTask",
        "iacservice:ListTasks",
        "iacservice:UpdateTaskAttribute",
        "iacservice:CreateJob",
        "iacservice:ListJobs",
        "iacservice:GetJob",
        "iacservice:OperateJob",
        "iacservice:CreateParameterSet",
        "iacservice:UpdateParameterSetAttribute",
        "iacservice:GetParameterSet",
        "iacservice:ListParameterSets",
        "iacservice:AssociateParameterSet",
        "iacservice:DissociateParameterSet",
        "iacservice:CreateRabbitmqPublisher",
        "iacservice:ListRabbitmqPublishers",
        "iacservice:UpdateRabbitmqPublisherAttribute",
        "iacservice:GetRabbitmqPublisher",
        "iacservice:AttachRabbitmqPublisher",
        "iacservice:DetachRabbitmqPublisher",
        "iacservice:CheckResourceName",
        "iacservice:CreateResourceExportTask",
        "iacservice:ExecuteResourceExportTask",
        "iacservice:CancelResourceExportTask",
        "iacservice:GetResourceExportTask",
        "iacservice:ListResourceExportTaskVersions",
        "iacservice:ListResourceExportTasks",
        "iacservice:UpdateResourceExportTaskAttribute",
        "iacservice:ListResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "ecs:DescribeAvailableResource",
        "ecs:CloneInstanceWithIncrementSnapshot",
        "ecs:DescribeDisks",
        "ecs:DescribeAvailableResource",
        "ecs:StartInstance",
        "ecs:DescribeVSwitches",
        "ecs:StopInstance",
        "ecs:DeleteImage",
        "ecs:DeleteSnapshot",
        "ecs:RunInstances",
        "ecs:DescribeSnapshots",
        "ecs:CreateImage",
        "ecs:DescribeInstances",
        "ecs:DescribeImages",
        "ecs:CreateSnapshot",
        "ecs:DescribePrice",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "slb:DescribeAvailableResource",
        "slb:DescribeAccessControlLists",
        "slb:DescribeAccessControlListAttribute",
        "slb:AddAccessControlListEntry"
      ],
      "Resource": "*"
    }
  ]
}
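The policy above mixes read-only and state-changing actions, all granted on "Resource": "*". The following is an added example, not Alibaba Cloud's code: it lists the state-changing actions per service for four statements copied from the policy. The read-only verb prefixes and the names as_list and mutating_actions are assumptions of the example.

```python
import json
from collections import defaultdict

# Verb prefixes treated as read-only: an assumption of this example,
# not an Alibaba Cloud classification.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Check")

# Four statements copied from AliyunServiceRolePolicyForCMH above (smc, rds,
# kvstore, oos), compacted to fit inline.
POLICY_EXCERPT = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
    "smc:DescribeSourceServers", "smc:DescribeReplicationJobs",
    "smc:CreateReplicationJob", "smc:StartReplicationJob"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "rds:DescribeDBInstanceAttribute", "rds:MigrateToOtherZone",
    "rds:DescribeAvailableClasses", "rds:DescribeAvailableZones",
    "rds:ModifySecurityIps", "rds:DescribeDatabases"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "kvstore:DescribeInstances", "kvstore:MigrateToOtherZone",
    "kvstore:DescribeAvailableResource", "kvstore:DescribeDBInstanceNetInfo",
    "kvstore:ModifySecurityIps"]},
  {"Effect": "Allow", "Resource": "*", "Action": [
    "oos:StartExecution", "oos:ListExecutions"]}
]}
""")

def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)

def mutating_actions(policy):
    """Map service -> sorted Allow-ed actions on Resource "*" whose verb is
    not read-only by prefix (wildcards such as "ecs:*" are reported too)."""
    found = defaultdict(set)
    for stmt in policy.get("Statement", []):
        resources = as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or "*" not in resources:
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_PREFIXES):
                found[service].add(action)
    return {svc: sorted(acts) for svc, acts in sorted(found.items())}

if __name__ == "__main__":
    for svc, acts in mutating_actions(POLICY_EXCERPT).items():
        print(f"{svc}: {', '.join(acts)}")
```

To review the whole role, load the full policy document with json.load and pass it to mutating_actions in place of the excerpt.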
Create a service-linked role
The AliyunServiceRoleForCMH role is automatically created in the following scenarios:
- When you call the InitializeCMHTools API operation to create a trail for the first time.
- When you first click Link for the server migration tool, the database migration tool, or the Alibaba Cloud discovery tool in CMH. To use the Alibaba Cloud discovery feature, make sure that Cloud Config is enabled. You can go to the Cloud Config console to enable it.
Delete a service-linked role
You can delete the service-linked role in the Resource Access Management (RAM) console. For more information, see Delete a RAM role.