If you are using Data Transmission Service (DTS) for the first time, you must authorize DTS by assigning the default role AliyunDTSDefaultRole to DTS. After the authorization is complete, DTS can access Alibaba Cloud resources such as ApsaraDB RDS and Elastic Compute Service (ECS) instances that belong to the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can call relevant Alibaba Cloud resources.

Usage notes

If the current Alibaba Cloud account has already completed the authorization, no authorization prompt is displayed when you log on to the DTS console.

Policy description

The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to access ApsaraDB RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X 1.0, DataHub, and Elasticsearch. The following statement shows the policy.

Syntax of the AliyunDTSRolePolicy policy for the default role AliyunDTSDefaultRole
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:CreateDBInstance",
                "rds:CreateAccount*",
                "rds:CreateDataBase*",
                "rds:ModifySecurityIps",
                "rds:GrantAccountPrivilege",
                "rds:ReceiveDBInstance",
                "rds:CreateMigrateTask",
                "rds:DescribeMigrateTaskById",
                "rds:CreateOnlineDatabaseTask"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeRegions",
                "ecs:AuthorizeSecurityGroup",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:RevokeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dhs:ListProject",
                "dhs:GetProject",
                "dhs:CreateTopic",
                "dhs:ListTopic",
                "dhs:GetTopic",
                "dhs:UpdateTopic",
                "dhs:ListShard",
                "dhs:MergeShard",
                "dhs:SplitShard",
                "dhs:PutRecords",
                "dhs:GetRecords",
                "dhs:GetCursors"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:ListInstance",
                "elasticsearch:UpdateAdminPwd",
                "elasticsearch:UpdatePublicNetwork",
                "elasticsearch:UpdateBlackIps",
                "elasticsearch:UpdateKibanaIps",
                "elasticsearch:UpdatePublicIps",
                "elasticsearch:UpdatePrivateNetworkWhiteIps",
                "elasticsearch:UpdatePublicWhiteIps",
                "elasticsearch:UpdateWhiteIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrds*",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeRegions",
                "drds:DescribeRdsList",
                "drds:CreateDrdsDB",
                "drds:CreateDrdsAccount",
                "drds:DescribeShardDBs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterIPArrayList",
                "polardb:DescribeDBClusterNetInfo",
                "polardb:DescribeDBClusters",
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeDBClusterAccessWhiteList",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:ModifySecurityIps",
                "polardb:DescribeDBClusterAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstanceAttribute",
                "dds:DescribeReplicaSetRole",
                "dds:DescribeSecurityIps",
                "dds:DescribeDBInstances",
                "dds:ModifySecurityIps",
                "dds:DescribeShardingNetworkAddress",
                "dds:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:DescribeInstances",
                "kvstore:DescribeRegions",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeAccounts",
                "kvstore:CreateAccount",
                "kvstore:DescribeDBInstanceNetInfoForInner",
                "kvstore:DescribeDBInstanceNetInfo",
                "kvstore:AllocateInstancePrivateConnection",
                "kvstore:SyncDtsStatus",
                "kvstore:GetDbMasterInfo"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstanceInfo",
                "petadata:DescribeSecurityIPs",
                "petadata:DescribeInstances",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeRegions",
                "adb:DescribeDBClusterNetInfo",
                "adb:DescribeDBClusterAccessWhiteList",
                "adb:ModifyDBClusterAccessWhiteList",
                "adb:DescribeDBClusterPerformance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstanceAttribute",
                "gpdb:DescribeDBInstances",
                "gpdb:DescribeRegions",
                "gpdb:DescribeDBInstanceIPArrayList",
                "gpdb:DescribeDBClusterIPArrayList",
                "gpdb:ModifySecurityIps",
                "gpdb:DescribeDBInstanceNetInfo",
                "gpdb:DescribeDBClusterPerformance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeRegions",
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBClusterAttribute",
                "clickhouse:DescribeDBClusterNetInfoItems",
                "clickhouse:DescribeDBClusterAccessWhiteList",
                "clickhouse:ModifyDBClusterAccessWhiteList",
                "clickhouse:DescribeAllDataSource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance",
                "ots:GetInstance",
                "ots:GetRow",
                "ots:PutRow",
                "ots:UpdateRow",
                "ots:DeleteRow",
                "ots:BatchWriteRow",
                "ots:BulkImport",
                "ots:CreateTable",
                "ots:DescribeTable",
                "ots:ListTable"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserDatabases",
                "dg:GetUserGateways"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DeleteRouteServiceInCen",
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCens",
                "cen:DescribeRouteServicesInCen",
                "cen:ResolveAndRouteServiceInCen"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dms:GetUserActiveTenant",
                "dms:GetInstance",
                "dms:GetLogicDatabase",
                "dms:ListLogicDatabases",
                "dms:GetDBTopology",
                "dms:ListLogicTables",
                "dms:GetTableDBTopology"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:UpdateInstanceIpWhiteList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hbase:DescribeClusterConnection",
                "hbase:DescribeInstance",
                "hbase:DescribeInstances",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
Note: For more information about policies, see Policy structure and syntax.
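
Every statement in the policy above applies to "Resource": "*", and many of the allowed actions change IP whitelists or security groups. The following added example (not part of the original documentation) groups the allowed actions per service into read-only and mutating ones and flags those that change network access control. The embedded policy is a three-statement excerpt of the one above, and the read-only prefixes and name fragments are assumed heuristics, not an Alibaba Cloud classification.

```python
import json
import re

# Three statements excerpted from the AliyunDTSRolePolicy shown above.
POLICY_EXCERPT = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["rds:Describe*", "rds:CreateAccount*", "rds:ModifySecurityIps",
              "rds:GrantAccountPrivilege"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["ecs:DescribeInstances", "ecs:AuthorizeSecurityGroup",
              "ecs:RevokeSecurityGroup"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVpcAttribute"],
   "Resource": "*", "Effect": "Allow"}
]}
""")

# Assumed heuristics: action-name prefixes treated as read-only, and name
# fragments (taken from the policy above) that indicate a network ACL change.
READ_ONLY = re.compile(r"^(Describe|List|Get)")
NETWORK_ACL = re.compile(r"SecurityIp|SecurityGroup|White|BlackIps|KibanaIps|PublicIps", re.I)


def as_list(value):
    """Action and Resource may each be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy):
    """Group allowed actions per service; flag mutating and ACL-changing ones."""
    report = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            entry = report.setdefault(service, {
                "read_only": [], "mutating": [], "network_acl": [], "unscoped": False})
            entry["unscoped"] = entry["unscoped"] or unscoped
            if READ_ONLY.match(name):
                entry["read_only"].append(name)
            else:
                entry["mutating"].append(name)
                if NETWORK_ACL.search(name):
                    entry["network_acl"].append(name)
    return report


if __name__ == "__main__":
    for service, entry in sorted(audit(POLICY_EXCERPT).items()):
        print(service, json.dumps(entry))
```

To review the full policy, load the complete JSON document in place of the excerpt and pass it to audit().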

Procedure

  1. Log on to the DTS console by using an Alibaba Cloud account.
  2. In the Information message, click Authorize Role in RAM Console.
    Note: You can also perform the following operations to grant permissions to the default role of DTS.
    1. Log on to the Resource Access Management (RAM) console.
    2. To the right of Create Role, enter AliyunDTSDefaultRole in the search box.
    3. Find the role and click Input and Attach in the Actions column.
    4. In the Add Permissions panel, set Policy Name to AliyunDTSRolePolicy.
    5. Click OK.
  3. In the Cloud Resource Access Authorization message, click Confirm Authorization Policy.