Data Integration uses two service-linked roles (SLRs) to connect to data sources and call their APIs.
How the two roles work together
When you add a data source (such as an Object Storage Service (OSS) data source) and select a custom RAM role for Data Integration to assume, the following happens:
- Data Integration uses AliyunServiceRoleForDataWorksDI to look up and retrieve the custom RAM role you specified.
- Data Integration uses AliyunDIDefaultRole to call the data source's APIs — for example, to query instance details or update IP whitelists during data synchronization.
AliyunServiceRoleForDataWorksDI is an identity-resolution role: it lets Data Integration find the custom RAM role you want it to assume. AliyunDIDefaultRole is an access role: it carries the actual permissions Data Integration uses to reach each data source.
AliyunServiceRoleForDataWorksDI
This role lets Data Integration retrieve the list of available custom RAM roles, so you can select one when configuring a data source.
| Field | Value |
|---|---|
| Role name | AliyunServiceRoleForDataWorksDI |
| Policy name | AliyunServiceRolePolicyForDataWorksDI |
| Permissions granted | ram:ListRoles, ram:GetRole |
Policy document:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:ListRoles",
        "ram:GetRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
AliyunDIDefaultRole
This role lets Data Integration access the resources of other Alibaba Cloud services during data source configuration, node configuration, and data synchronization.
| Field | Value |
|---|---|
| Role name | AliyunDIDefaultRole |
| Policy name | AliyunDIRolePolicy |
| Services covered | ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, PolarDB-X, HybridDB for MySQL, AnalyticDB for PostgreSQL, PolarDB, Data Management (DMS), Data Lake Formation (DLF) |
The role has read and write access across these services — primarily to describe instance attributes and modify IP whitelists and security groups, enabling Data Integration to connect to your data sources.
Policy document:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstances",
        "rds:DescribeRegions",
        "rds:DescribeDatabases",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityGroupConfiguration",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeRegions",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps",
        "dds:DescribeRegions",
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsInstance",
        "drds:DescribeDrdsDbList",
        "drds:DescribeDrdsDb",
        "drds:DescribeLogicTableList",
        "drds:DescribeRegions",
        "drds:ModifyDrdsIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstanceInfo",
        "petadata:DescribeInstances",
        "petadata:DescribeDatabases",
        "petadata:DescribeTables",
        "petadata:DescribeTableInfo",
        "petadata:DescribeInstancePerformance",
        "petadata:DescribeDatabasePerformance",
        "petadata:DescribeInstanceResourceUsage",
        "petadata:DescribeDatabaseResourceUsage",
        "petadata:DescribeRegions",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstanceAttribute",
        "gpdb:DescribeDBInstances",
        "gpdb:DescribeResourceUsage",
        "gpdb:DescribeDBInstanceIPArrayList",
        "gpdb:DescribeDBClusterIPArrayList",
        "gpdb:DescribeDBInstancePerformance",
        "gpdb:DescribeDBInstanceNetInfo",
        "gpdb:DescribeRegions",
        "gpdb:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeClusterInfo",
        "polardb:DescribeDBClusterParameters",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dms:ListUsers",
        "dms:ListDatabases",
        "dms:ListLogicTables",
        "dms:GetLogicDatabase",
        "dms:SearchDatabase",
        "dms:GetMetaTableDetailInfo",
        "dms:SearchTable",
        "dms:ExecuteScript",
        "dms:ListTables",
        "dms:GetDatabase",
        "dms:ListInstances",
        "dms:GetTableDBTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:GetServiceStatus",
        "dlf:ListDatabases",
        "dlf:CreateDatabase",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:CreatePartition",
        "dlf:ListTableNames",
        "dlf:GetTable",
        "dlf:UpdateDatabase",
        "dlf:UpdateTable",
        "dlf:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Delete a service-linked role
You can delete either role at any time, but doing so will affect Data Integration's ability to work with data sources.
| Role | Impact of deletion |
|---|---|
| AliyunServiceRoleForDataWorksDI | Data Integration can no longer retrieve custom RAM roles. The RAM role selector is unavailable when adding a data source. |
| AliyunDIDefaultRole | Data Integration may fail to query service information during data source configuration, node configuration, or data synchronization. This can result in connectivity test errors, node configuration errors, or data synchronization errors. |
For deletion steps, see Delete an SLR.
Grant a RAM user permission to create service-linked roles
Attach the appropriate policy to the RAM user before they configure Data Integration.
AliyunServiceRoleForDataWorksDI
Attach either DataWorksFullAccess or the following custom policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dataworks:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "di.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
```
The Condition clause restricts the permission to the Data Integration service only (di.dataworks.aliyuncs.com), preventing the RAM user from creating service-linked roles for other services.
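To see how the Condition clause narrows the grant, the following added example (not part of the original documentation or of DataWorks itself) is a minimal evaluator for RAM-style policy documents: it matches the requested action against each Allow statement, with `*` wildcards, and only honours the statement when its StringEquals condition keys are present in the request context and match. It assumes the policy shown above and models only what that policy uses (Allow statements and StringEquals); Deny statements and other condition operators are not modelled.

```python
import fnmatch
import json

# Copy of the custom policy shown above for AliyunServiceRoleForDataWorksDI (embedded here for a stand-alone run).
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "di.dataworks.aliyuncs.com"}}}
  ]
}
""")


def _as_list(value):
    """RAM allows Action, Resource and condition values as a single string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Only StringEquals is modelled (the one operator used on this page). Every
    key in the block must be present in the request context and equal a listed value;
    an absent key (e.g. no ram:ServiceName on the request) fails the condition."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            return False  # unsupported operator: treat as not satisfied (assumption)
        for key, expected in keys.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, context=None):
    """True if some Allow statement's Action pattern matches `action` and the
    statement's Condition (if any) is satisfied by `context`. Deny is not modelled."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Creating Data Integration's own SLR is allowed; creating another service's SLR is not.
    print(is_allowed(POLICY, "ram:CreateServiceLinkedRole",
                     {"ram:ServiceName": "di.dataworks.aliyuncs.com"}))  # True
    print(is_allowed(POLICY, "ram:CreateServiceLinkedRole",
                     {"ram:ServiceName": "ecs.aliyuncs.com"}))  # False
```

The same check can be run against any policy you intend to attach to a RAM user, to confirm that the ram:CreateServiceLinkedRole grant is conditioned on the service name rather than open-ended.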
AliyunDIDefaultRole
Attach the following policy:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateRole",
        "ram:AttachPolicyToRole"
      ],
      "Resource": "*"
    }
  ]
}
```