If you are using Data Transmission Service (DTS) for the first time, you must assign the default role AliyunDTSDefaultRole to DTS and attach the AliyunDTSRolePolicy policy to the role. After the authorization is complete, DTS can access Alibaba Cloud resources such as ApsaraDB RDS and Elastic Compute Service (ECS) instances within the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can specify relevant Alibaba Cloud resources to be accessed by DTS.

Background information

If you do not authorize DTS to access Alibaba Cloud resources:
  • When you log on to the DTS console, an error message indicates that you have not assigned the default role AliyunDTSDefaultRole to DTS.
  • When you configure a task, an error message indicates that you have not assigned the default role AliyunDTSDefaultRole to DTS.

Usage notes

If the current Alibaba Cloud account has been authorized, no message is displayed to prompt authorization when you log on to the DTS console. You can skip the steps that are described in this topic.

Procedure

  1. Log on to the DTS console by using an Alibaba Cloud account.
  2. In the Error Message message, click Authorize Role in RAM Console.
    Note: You can also log on to the RAM console to authorize DTS to access Alibaba Cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources in the RAM console.
  3. In the Cloud Resource Access Authorization message, click Confirm Authorization Policy.

    If the "Cloud resource access authorization successful" message appears, the authorization is complete.


Authorize DTS to access Alibaba Cloud resources in the RAM console

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. To the right of Create Role, enter AliyunDTSDefaultRole in the search box.
  4. Find the role and click Input and Attach in the Actions column.
  5. In the Add Permissions panel, set the Policy Name parameter to AliyunDTSRolePolicy.
  6. Click OK.

View the authorization result

Perform the following steps to view the result of the authorization that uses the default role. If you have created the role AliyunDTSDefaultRole and assigned it to DTS, but the system still reports that DTS is not authorized to access Alibaba Cloud resources, you can also follow these steps to grant the permissions to DTS again.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, enter AliyunDTSDefaultRole in the search box to the right of Create Role.
  4. Click the role AliyunDTSDefaultRole to view the role details.
    • If both of the following conditions are met, the authorization is successful.
      • On the Trust Policy Management tab, dts.aliyuncs.com is included in the Service field.
      • On the Permissions tab, the AliyunDTSRolePolicy policy exists.
    • If one of the preceding conditions is not met, the authorization fails. You must grant the permissions again.

      Delete the role AliyunDTSDefaultRole and go to the Cloud Resource Access Authorization page to authorize DTS to access Alibaba Cloud resources.
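
The two conditions above can also be checked outside the console. The following Python code is an added example, not part of the original documentation; it assumes the inputs have the shape of RAM GetRole and ListPoliciesForRole responses, and the sample responses in it are constructed.

```python
import json

REQUIRED_SERVICE = "dts.aliyuncs.com"
REQUIRED_POLICY = "AliyunDTSRolePolicy"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def trusted_services(trust_policy):
    """Service principals that an Allow statement lets assume the role."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            services.update(as_list(stmt.get("Principal", {}).get("Service", [])))
    return services

def check_authorization(role_resp, policies_resp):
    """Return the failed conditions; an empty list means both conditions hold."""
    doc = role_resp["Role"]["AssumeRolePolicyDocument"]
    trust = json.loads(doc) if isinstance(doc, str) else doc
    problems = []
    if REQUIRED_SERVICE not in trusted_services(trust):
        problems.append(f"{REQUIRED_SERVICE} missing from trust policy Service field")
    attached = {p["PolicyName"] for p in policies_resp["Policies"]["Policy"]}
    if REQUIRED_POLICY not in attached:
        problems.append(f"{REQUIRED_POLICY} not attached")
    return problems

def _role(services):
    """Build a constructed GetRole-style response (assumed shape)."""
    trust = {"Version": "1", "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {"Service": services}}]}
    return {"Role": {"RoleName": "AliyunDTSDefaultRole",
                     "AssumeRolePolicyDocument": json.dumps(trust)}}

# Constructed sample responses, not real account data.
GOOD_ROLE = _role(["dts.aliyuncs.com"])
BAD_ROLE = _role(["ecs.aliyuncs.com"])
GOOD_POLICIES = {"Policies": {"Policy": [
    {"PolicyName": "AliyunDTSRolePolicy", "PolicyType": "System"}]}}
NO_POLICIES = {"Policies": {"Policy": []}}

if __name__ == "__main__":
    print(check_authorization(GOOD_ROLE, GOOD_POLICIES))
    print(check_authorization(BAD_ROLE, NO_POLICIES))
```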

Policy description

The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to access ApsaraDB RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, Distributed Relational Database Service (DRDS), DataHub, and Elasticsearch. The following code shows the policy content.

Content of the AliyunDTSRolePolicy policy
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:CreateDBInstance",
                "rds:CreateAccount*",
                "rds:CreateDataBase*",
                "rds:ModifySecurityIps",
                "rds:GrantAccountPrivilege",
                "rds:ReceiveDBInstance",
                "rds:CreateMigrateTask",
                "rds:DescribeMigrateTaskById",
                "rds:CreateOnlineDatabaseTask"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeRegions",
                "ecs:AuthorizeSecurityGroup",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:RevokeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dhs:ListProject",
                "dhs:GetProject",
                "dhs:CreateTopic",
                "dhs:ListTopic",
                "dhs:GetTopic",
                "dhs:UpdateTopic",
                "dhs:ListShard",
                "dhs:MergeShard",
                "dhs:SplitShard",
                "dhs:PutRecords",
                "dhs:GetRecords",
                "dhs:GetCursors"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:ListInstance",
                "elasticsearch:UpdateAdminPwd",
                "elasticsearch:UpdatePublicNetwork",
                "elasticsearch:UpdateBlackIps",
                "elasticsearch:UpdateKibanaIps",
                "elasticsearch:UpdatePublicIps",
                "elasticsearch:UpdatePrivateNetworkWhiteIps",
                "elasticsearch:UpdatePublicWhiteIps",
                "elasticsearch:UpdateWhiteIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrds*",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeRegions",
                "drds:DescribeRdsList",
                "drds:CreateDrdsDB",
                "drds:CreateDrdsAccount",
                "drds:DescribeShardDBs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterIPArrayList",
                "polardb:DescribeDBClusterNetInfo",
                "polardb:DescribeDBClusters",
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeDBClusterAccessWhiteList",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:ModifySecurityIps",
                "polardb:DescribeDBClusterAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstanceAttribute",
                "dds:DescribeReplicaSetRole",
                "dds:DescribeSecurityIps",
                "dds:DescribeDBInstances",
                "dds:ModifySecurityIps",
                "dds:DescribeShardingNetworkAddress",
                "dds:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:DescribeInstances",
                "kvstore:DescribeRegions",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeAccounts",
                "kvstore:CreateAccount",
                "kvstore:DescribeDBInstanceNetInfoForInner",
                "kvstore:DescribeDBInstanceNetInfo",
                "kvstore:AllocateInstancePrivateConnection",
                "kvstore:SyncDtsStatus",
                "kvstore:GetDbMasterInfo"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstanceInfo",
                "petadata:DescribeSecurityIPs",
                "petadata:DescribeInstances",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeRegions",
                "adb:DescribeDBClusterNetInfo",
                "adb:DescribeDBClusterAccessWhiteList",
                "adb:ModifyDBClusterAccessWhiteList",
                "adb:DescribeDBClusterPerformance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstanceAttribute",
                "gpdb:DescribeDBInstances",
                "gpdb:DescribeRegions",
                "gpdb:DescribeDBInstanceIPArrayList",
                "gpdb:DescribeDBClusterIPArrayList",
                "gpdb:ModifySecurityIps",
                "gpdb:DescribeDBInstanceNetInfo",
                "gpdb:DescribeDBClusterPerformance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeRegions",
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBClusterAttribute",
                "clickhouse:DescribeDBClusterNetInfoItems",
                "clickhouse:DescribeDBClusterAccessWhiteList",
                "clickhouse:ModifyDBClusterAccessWhiteList",
                "clickhouse:DescribeAllDataSource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance",
                "ots:GetInstance",
                "ots:GetRow",
                "ots:PutRow",
                "ots:UpdateRow",
                "ots:DeleteRow",
                "ots:BatchWriteRow",
                "ots:BulkImport",
                "ots:CreateTable",
                "ots:DescribeTable",
                "ots:ListTable"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserDatabases",
                "dg:GetUserGateways"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DeleteRouteServiceInCen",
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCens",
                "cen:DescribeRouteServicesInCen",
                "cen:ResolveAndRouteServiceInCen"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dms:GetUserActiveTenant",
                "dms:GetInstance",
                "dms:GetLogicDatabase",
                "dms:ListLogicDatabases",
                "dms:GetDBTopology",
                "dms:ListLogicTables",
                "dms:GetTableDBTopology"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:UpdateInstanceIpWhiteList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hbase:DescribeClusterConnection",
                "hbase:DescribeInstance",
                "hbase:DescribeInstances",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
Note: For more information about policies, see Policy structure and syntax.
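
The following Python code is an added example, not part of the original documentation. It lists the actions that are granted on all resources and are not read-only by name, which are the ones to review and monitor first. It runs on an excerpt copied from the policy above; the Describe/List/Get prefix rule is an assumption based on action naming, not a RAM classification.

```python
import json
from collections import defaultdict

# Assumption: an action whose name starts with one of these prefixes only reads.
READ_PREFIXES = ("Describe", "List", "Get")

# Excerpt of AliyunDTSRolePolicy: a subset of the actions from three statements.
POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["rds:Describe*", "rds:CreateAccount*", "rds:ModifySecurityIps",
                "rds:GrantAccountPrivilege"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["elasticsearch:ListInstance", "elasticsearch:UpdateAdminPwd",
                "elasticsearch:UpdateWhiteIps"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVpcAttribute"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
""")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def mutating_actions(policy):
    """Map service -> sorted Allow actions on Resource "*" that are not read-only by name."""
    found = defaultdict(set)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            # A wildcard such as "rds:Describe*" is judged by its fixed prefix.
            if not name.startswith(READ_PREFIXES):
                found[service].add(action)
    return {service: sorted(actions) for service, actions in found.items()}

if __name__ == "__main__":
    for service, actions in mutating_actions(POLICY_EXCERPT).items():
        print(service, actions)
```

To review the whole policy, pass the parsed JSON of the full policy document to `mutating_actions` in place of the excerpt.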