If you are using DTS for the first time, you must authorize DTS by assigning the default role AliyunDTSDefaultRole to DTS. After authorization, DTS can access Alibaba Cloud resources such as RDS and ECS instances under the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can call relevant Alibaba Cloud resources.
Usage notes
If the message that requires authorization is not displayed when you log on to the DTS console, this indicates that the current Alibaba Cloud account has been authorized. You can skip the steps that are described in this topic.
Permission policies
The AliyunDTSDefaultRole policy is used to grant permissions to the default role of DTS. These permissions allow DTS to access ApsaraDB for RDS, Elastic Compute Service (ECS), PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, DRDS, DataHub, and Elasticsearch. The following statement shows the permission policies.
{ "Version": "1", "Statement": [ { "Action": [ "rds:Describe*", "rds:CreateDBInstance", "rds:CreateAccount*", "rds:CreateDataBase*", "rds:ModifySecurityIps", "rds:GrantAccountPrivilege" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ecs:DescribeSecurityGroupAttribute", "ecs:DescribeInstances", "ecs:DescribeRegions", "ecs:AuthorizeSecurityGroup" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dhs:ListProject", "dhs:GetProject", "dhs:CreateTopic", "dhs:ListTopic", "dhs:GetTopic", "dhs:UpdateTopic", "dhs:ListShard", "dhs:MergeShard", "dhs:SplitShard", "dhs:PutRecords", "dhs:GetRecords", "dhs:GetCursors" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "elasticsearch:DescribeInstance", "elasticsearch:ListInstance", "elasticsearch:UpdateAdminPwd", "elasticsearch:UpdatePublicNetwork", "elasticsearch:UpdateBlackIps", "elasticsearch:UpdateKibanaIps", "elasticsearch:UpdatePublicIps", "elasticsearch:UpdateWhiteIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "drds:DescribeDrds*", "drds:ModifyDrdsIpWhiteList", "drds:DescribeRegions", "drds:DescribeRdsList", "drds:CeateDrdsDB", "drds:DescribeShardDBs" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "polardb:DescribeDBClusterIPArrayList", "polardb:DescribeDBClusterNetInfo", "polardb:DescribeDBClusters", "polardb:DescribeRegions", "polardb:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dds:DescribeDBInstanceAttribute", "dds:DescribeReplicaSetRole", "dds:DescribeSecurityIps", "dds:DescribeDBInstances", "dds:ModifySecurityIps", "dds:DescribeRegions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kvstore:DescribeSecurityIps", "kvstore:DescribeInstances", "kvstore:DescribeRegions", "kvstore:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "petadata:DescribeInstanceInfo", "petadata:DescribeSecurityIPs", "petadata:DescribeInstances", "petadata:ModifySecurityIPs" ], "Resource": "*", "Effect": "Allow" } ] }