Data Management: Service-linked roles of DMS

Last Updated: Feb 27, 2025

This topic describes the use scenarios of the Data Management (DMS) and Data Disaster Recovery service-linked roles (AliyunServiceRoleForDMS and AliyunServiceRoleForDBS). This topic also describes how to delete a service-linked role.

Background information

A service-linked role is a Resource Access Management (RAM) role. For more information, see RAM role overview. The service-linked role allows DMS to access other cloud services and implement specific features in some scenarios. For more information, see Service-linked roles.

Scenarios

DMS

DMS assumes its service-linked role so that specific DMS features can access Elastic Compute Service (ECS) instances, virtual private clouds (VPC), ApsaraDB RDS instances, and resources related to various databases and tools.

Data Disaster Recovery

The AliyunServiceRoleForDBS role is a RAM role that allows Data Disaster Recovery to access other cloud services. Before Data Disaster Recovery can access Alibaba Cloud databases that you purchase, such as ApsaraDB RDS instances, ApsaraDB for MongoDB instances, Tair (Redis OSS-compatible) instances, and PolarDB databases, or self-managed databases hosted on ECS instances, the AliyunServiceRoleForDBS role must be assigned to Data Disaster Recovery. For more information, see Service-linked roles.

Service-linked role

AliyunServiceRoleForDMS

Role name: AliyunServiceRoleForDMS.

Policy name: AliyunServiceRolePolicyForDMS.

Permission description: The service-linked role allows DMS to access ECS instances, VPCs, ApsaraDB RDS instances, and resources related to various databases and tools.

Operations that can be performed:

  • Query the details of ApsaraDB RDS, PolarDB, Lindorm, and other database resources to manage Alibaba Cloud databases.

  • Query the details of ECS instances and VPCs to manage self-managed databases hosted on ECS instances and the Internet.

  • Use Alibaba Cloud services such as Data Transmission Service (DTS) and Data Disaster Recovery to manage data centrally.

Policy document

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:DescribeImages",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeRegions",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceAttribute",
                "ecs:CreateCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocationResults"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/dms": "script-for-dms"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:command/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstanceHAConfig",
                "rds:DescribeBinlogFiles",
                "rds:DescribeDBInstancePerformance",
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeSlowLogs",
                "rds:DescribeSlowLogRecords",
                "rds:DescribeSQLCollectorPolicy",
                "rds:ModifySQLCollectorPolicy",
                "rds:DescribeSQLLogRecords",
                "rds:DescribeSQLLogFiles",
                "rds:DescribeResourceUsage",
                "rds:DescribeRegions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "rds:ModifyBackupPolicy",
                "rds:DescribeSecurityGroupConfiguration",
                "rds:DescribeDBInstanceEncryptionKey",
                "rds:DescribeDBInstanceTDE",
                "rds:DescribeDBInstanceSSL",
                "rds:DescribeCrossRegionBackupDBInstance",
                "rds:DescribeSQLCollectorRetention",
                "rds:TagResources",
                "rds:UntagResources",
                "rds:ListTagResources",
                "rds:DescribeDBInstanceByTags",
                "rds:DescribeDatabases"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeSecurityIps",
                "dds:ModifySecurityIps",
                "dds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeRegions",
                "kvstore:DescribeInstances",
                "kvstore:DescribeInstanceAttribute",
                "kvstore:DescribeInstanceConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstances",
                "drds:QueryInstanceInfoByConn",
                "drds:DescribeDrdsInstanceList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsInstanceVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusters",
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeMaskingRules",
                "polardb:ModifyMaskingRules",
                "polardb:DeleteMaskingRules",
                "polardb:DescribeDBClusterVersion",
                "polardb:DescribeDBClusterAuditLogCollector"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeBinaryLogList",
                "polardbx:DescribeDBInstanceViaEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstances",
                "petadata:DescribeInstanceInfoByConnection",
                "petadata:DescribeSecurityIPs",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hdm:AccessHDMInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:CreateMigrationJob",
                "dts:ConfigureMigrationJob",
                "dts:StartMigrationJob",
                "dts:StopMigrationJob",
                "dts:DescribeMigrationJobStatus",
                "dts:DescribeMigrationJobDetail",
                "dts:CreateSynchronizationJob",
                "dts:ConfigureSynchronizationJob",
                "dts:StartSynchronizationJob",
                "dts:SuspendSynchronizationJob",
                "dts:DescribeSynchronizationJobStatus",
                "dts:ShieldPrecheck",
                "dts:CreateDtsInstance",
                "dts:ConfigureDtsJob",
                "dts:StartDtsJob",
                "dts:ModifyDtsJob",
                "dts:StopDtsJob",
                "dts:DescribeDtsJobDetail",
                "dts:DescribeDtsJobs",
                "dts:ConfigureEtlJob",
                "dts:SaveEtlJob",
                "dts:SuspendDtsJob",
                "dts:DeleteDtsJob",
                "dts:ModifyDtsJobName",
                "dts:SkipPreCheck",
                "dts:DescribeDtsEtlJobVersionInfo",
                "dts:DescribeEtlJobLogs",
                "dts:PreviewSql",
                "dts:DescribePreCheckStatus",
                "dts:DescribeDtsJobLogs",
                "dts:DescribeJobMonitorRule",
                "dts:CreateJobMonitorRule",
                "dts:DescribeConfigRelations",
                "dts:DescribeFormInfo",
                "dts:DescribeDmsInstanceDetail",
                "dts:DescribeSchemaList",
                "dts:DescribeColumns",
                "dts:DescribeStruct",
                "dts:DescribeDtsInstancePrice",
                "dts:DescribeRegions",
                "dts:DescribeInstanceInventory",
                "dts:CreateCheckJob",
                "dts:DescribeCheckJobDiffDetails",
                "dts:EtlMockData",
                "dts:EtlMockResult",
                "dts:DescribeCheckJobStatus",
                "dts:DescribeDtsJobStatistics",
                "dts:Ping",
                "dts:DescribeUploadPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "apigateway:CreateApiGroup",
                "apigateway:ModifyApiGroup",
                "apigateway:DeleteApiGroup",
                "apigateway:DescribeApiGroups",
                "apigateway:CreateApi",
                "apigateway:ModifyApi",
                "apigateway:DeployApi",
                "apigateway:AbolishApi",
                "apigateway:DeleteApi",
                "apigateway:DescribeApi",
                "apigateway:DescribeApis",
                "apigateway:CreateApp",
                "apigateway:ModifyApp",
                "apigateway:DeleteApp",
                "apigateway:DescribeAppSecurity",
                "apigateway:ResetAppCode",
                "apigateway:ResetAppSecret",
                "apigateway:DescribeAppAttributes",
                "apigateway:SetApisAuthorities",
                "apigateway:DescribeAuthorizedApps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserGateways",
                "dg:GetUserDatabases",
                "dg:GetUserGatewayInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "openanalytics:QueryBucketList",
                "openanalytics:QueryDirectoryList",
                "openanalytics:ListVirtualClusters",
                "openanalytics:SubmitSparkJob",
                "openanalytics:KillSparkJob",
                "openanalytics:GetJobLog",
                "openanalytics:GetJobDetail",
                "openanalytics:GetJobStatus",
                "openanalytics:ExecuteService",
                "openanalytics:QueryService",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs:DescribeBackupPlanList",
                "dbs:DescribeFullBackupList",
                "dbs:CreateBackupPlan",
                "dbs:ConfigureBackupPlan",
                "dbs:ModifyBackupObjects",
                "dbs:StartBackupPlan",
                "dbs:ModifyBackupSourceEndpoint",
                "dbs:StartTask",
                "dbs:StopBackupPlan",
                "dbs:CreateRestoreTask",
                "dbs:StartRestoreTask",
                "dbs:DescribeRestoreTaskList",
                "dbs:DescribeRestoreRangeInfo",
                "dbs:CreateDLAService",
                "dbs:DescribeDLAService",
                "dbs:CloseDLAService",
                "dbs:CreateAndStartBackupPlan",
                "dbs:DescribeFullBackupSet",
                "dbs:DescribeDataSourceQueryableAttribute",
                "dbs:DescribeDataSourceQueryableAttributeDetail",
                "dbs:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oceanbase:DescribeAllTenantsConnectionInfo",
                "oceanbase:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dms.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "hbase:DescribeInstances",
                "hbase:DescribeInstance",
                "hbase:DescribeEndpoints",
                "hbase:DescribeIpWhitelist",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cassandra:DescribeClusters",
                "cassandra:DescribeCluster",
                "cassandra:DescribeDataCenters",
                "cassandra:DescribeIpWhitelistGroups",
                "cassandra:ModifyIpWhitelistGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceList",
                "lindorm:GetLindormInstance",
                "lindorm:GetLindormInstanceEngineList",
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:GetLindormInstanceForDMSByConnStr",
                "lindorm:GetInstanceIpWhiteList",
                "lindorm:UpdateInstanceIpWhiteList",
                "lindorm:CreateComputeEngineJob",
                "lindorm:GetComputeEngineJobDetail",
                "lindorm:GetComputeEngineJobLog",
                "lindorm:ReleaseLindormComputeJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:CreateDBCluster",
                "adb:CreateAccount",
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterNetInfo",
                "adb:SubmitSparkApp",
                "adb:KillSparkApp",
                "adb:ListSparkApps",
                "adb:GetSparkAppLog",
                "adb:GetSparkAppInfo",
                "adb:GetSparkAppState",
                "adb:GetSparkAppAttemptLog",
                "adb:GetSparkAppWebUiAddress",
                "adb:ListSparkAppAttempts",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeDBResourceGroup",
                "adb:ExecuteSparkWarehouseBatchSQL",
                "adb:CancelSparkWarehouseBatchSQL",
                "adb:GetSparkWarehouseBatchSQL"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstances",
                "gpdb:ResumeInstance",
                "gpdb:PauseInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hologram:GetInstance",
                "hologram:ListInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gdb:DescribeDbInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oss:ListBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "selectdb:DescribeDBInstances",
                "selectdb:DescribeDBInstanceAttribute",
                "selectdb:DescribeDBInstanceNetInfo",
                "selectdb:DescribeSecurityIPList",
                "selectdb:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBInstances",
                "clickhouse:DescribeDBInstanceAttribute",
                "clickhouse:DescribeEndpoints",
                "clickhouse:DescribeSecurityIPList",
                "clickhouse:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sr:ListInstances",
                "sr:GetInstanceDetail",
                "sr:DescribeRegions",
                "sr:GetDmsConnectionInfo",
                "sr:GetNetworkMappingIp"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs-inner:DescribeDataSourceQueryableAttribute",
                "dbs-inner:DescribeDataSourceQueryableAttributeDetail",
                "dbs-inner:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:ListSecrets",
                "kms:GetSecretValue",
                "kms:Decrypt",
                "kms:ListKmsInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:CreateAccount",
                "rds:DeleteAccount",
                "rds:ResetAccountPassword",
                "rds:GrantAccountPrivilege",
                "rds:RevokeAccountPrivilege",
                "rds:CheckAccountNameAvailable"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:tag/dms": "account-management"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForDBS

Role name: AliyunServiceRoleForDBS

Policy name: AliyunServiceRolePolicyForDBS

Permission description: The service-linked role allows Data Disaster Recovery to connect to Alibaba Cloud databases that you purchase, such as ApsaraDB RDS instances, ApsaraDB for MongoDB instances, Tair (Redis OSS-compatible) instances, and PolarDB databases, or self-managed databases hosted on ECS instances.

Policy document

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceNetInfoForChannel",
        "rds:DescribeTasks",
        "rds:DescribeDBInstances",
        "rds:DescribeFilesForSQLServer",
        "rds:DescribeImportsForSQLServer",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeBinlogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeParameters",
        "rds:DescribeParameterTemplates",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDatabases",
        "rds:DescribeAccounts",
        "rds:DescribeSecurityIPList",
        "rds:DescribeSecurityIps",
        "rds:DescribeDBInstanceIPArray",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:CreateDBInstance",
        "rds:CreateAccount",
        "rds:CreateDatabase",
        "rds:ModifySecurityIps",
        "rds:GrantAccountPrivilege",
        "rds:CreateMigrateTask",
        "rds:CreateOnlineDatabaseTask",
        "rds:DescribeMigrateTasks",
        "rds:DescribeOssDownloads",
        "rds:CreateBackup",
        "rds:DescribeBackups",
        "rds:DescribeBackupPolicy",
        "rds:ModifyBackupPolicy",
        "rds:DescribeBackupTasks",
        "rds:DescribeBinlogFiles",
        "rds:DescribeResourceUsage",
        "rds:DescribeAvailableZones",
        "rds:DescribeAvailableClasses",
        "rds:ListClasses",
        "rds:CreateDdrInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstance",
        "ecs:DescribeInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeSnapshots",
        "ecs:ModifySnapshotAttribute",
        "ecs:ResizeDisk",
        "ecs:CreateSecurityGroup",
        "ecs:ModifySecurityGroupPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:PutEventRule",
        "cms:PutEventTargets",
        "cms:ListEventRules",
        "cms:ListEventTargetsByRule",
        "cms:DeleteEventRule",
        "cms:DeleteEventTargets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterIPArrayList",
        "polardb:DescribeDBClusterNetInfo",
        "polardb:DescribeDBClusters",
        "polardb:ModifySecurityIps",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeShardingNetworkAddress",
        "dds:DescribeSecurityIps",
        "dds:DescribeDBInstances",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:DescribeInstances",
        "kvstore:DescribeAccounts",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:CreateAccount",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:AllocateInstancePrivateConnection",
        "kvstore:DescribeLogicInstanceTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsDB",
        "drds:DescribeDrdsDBs",
        "drds:DescribeDrdsDbInstance",
        "drds:DescribeDrdsDbInstances",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:DescribeDrdsInstances",
        "drds:ModifyDrdsIpWhiteList",
        "drds:CreateDrdsDB",
        "drds:DescribeTable",
        "drds:DescribeTables",
        "drds:ModifyRdsReadWeight",
        "drds:ChangeAccountPassword",
        "drds:CreateDrdsInstance",
        "drds:CreateInstanceInternetAddress",
        "drds:DescribeInstanceAccounts",
        "drds:DescribeBackupSets",
        "drds:DescribeDbInstances",
        "drds:DescribeDrdsCrossRegionBackups",
        "drds:DescribeCrossBackupMetadata",
        "drds:RegisterCrossRegionBackupSet",
        "drds:DeleteCrossRegionBackupSet",
        "drds:DescribeDrdsRdsInstances",
        "drds:CreateDrdsCrossInstance",
        "drds:DescribeDrdsInstanceLevelTasks"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bssapi:QueryResourcePackageInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "hdm:AddHDMInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dbs.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "dg:GetUserGateways",
        "dg:GetUserDatabases",
        "dg:AddDatabase",
        "dg:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
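
The two policy documents above mix read-only calls with actions that change state or return secrets, most of them on Resource "*". The following Python sketch is an added example, not Alibaba Cloud code: it triages a RAM policy document by listing unscoped Allow statements that contain non-read actions, actions listed twice, and the tag conditions that gate actions. The read-prefix list, the SENSITIVE set and all function names are assumptions of this example; the sample is a shortened excerpt of AliyunServiceRolePolicyForDMS from this page.

```python
import json

# Verb prefixes this triage treats as read-only. A heuristic assumed for this
# example, not a RAM concept; every other verb is counted as mutating.
READ_PREFIXES = ("Describe", "List", "Get", "Query", "Check")

# Actions in the page's policy that return secret material or plaintext.
SENSITIVE = {"kms:GetSecretValue", "kms:Decrypt"}

# Constructed sample: five statements taken from AliyunServiceRolePolicyForDMS
# as printed on this page, with the long action lists shortened.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["ecs:DescribeInstances", "ecs:AuthorizeSecurityGroup",
              "ecs:RevokeSecurityGroup", "ecs:DescribeInstances", "ecs:CreateCommand"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
   "Resource": "acs:ecs:*:*:instance/*",
   "Condition": {"StringEquals": {"acs:ResourceTag/dms": "script-for-dms"}},
   "Effect": "Allow"},
  {"Action": ["vpc:DescribeVpcs", "vpc:DescribeVSwitches"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["kms:ListSecrets", "kms:GetSecretValue", "kms:Decrypt", "kms:ListKmsInstances"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["rds:CreateAccount", "rds:ResetAccountPassword"],
   "Resource": "*",
   "Condition": {"StringEquals": {"rds:tag/dms": "account-management"}},
   "Effect": "Allow"}
]}
""")


def as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def classify(action):
    """Label an action 'sensitive', 'read' or 'mutating' using the heuristic above."""
    if action in SENSITIVE:
        return "sensitive"
    verb = action.split(":", 1)[-1]
    return "read" if verb.startswith(READ_PREFIXES) else "mutating"


def scope_of(stmt):
    """'condition' if a Condition is present, 'resource' if no Resource is '*'."""
    if stmt.get("Condition"):
        return "condition"
    if all(r != "*" for r in as_list(stmt.get("Resource", "*"))):
        return "resource"
    return "unscoped"


def audit(policy):
    """List Allow statements that grant non-read actions with no scoping at all."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or scope_of(stmt) != "unscoped":
            continue
        risky = sorted({a for a in as_list(stmt["Action"]) if classify(a) != "read"})
        if risky:
            findings.append({"statement": index, "actions": risky})
    return findings


def duplicate_actions(policy):
    """Return {statement index: actions listed more than once in that statement}."""
    result = {}
    for index, stmt in enumerate(policy["Statement"]):
        actions = as_list(stmt["Action"])
        repeated = sorted({a for a in actions if actions.count(a) > 1})
        if repeated:
            result[index] = repeated
    return result


def tag_gates(policy):
    """Map each StringEquals (key, value) pair to the actions it gates."""
    gates = {}
    for stmt in policy["Statement"]:
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            for item in as_list(value):
                gates.setdefault((key, item), []).extend(as_list(stmt["Action"]))
    return gates


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("unscoped statement", finding["statement"], finding["actions"])
    print("duplicates:", duplicate_actions(SAMPLE_POLICY))
    for (key, value), actions in tag_gates(SAMPLE_POLICY).items():
        print(f"{key}={value} gates {actions}")
```

Statements gated by a tag condition are only as tight as the control over who can set that tag, so the keys returned by tag_gates are the tags to protect with your own tagging permissions.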

Permissions required to create a service-linked role

DMS

Your RAM user must be granted the required permissions before the AliyunServiceRoleForDMS role can be created for DMS.

If your RAM user does not have the required permissions, you must add the following policy and grant permissions to the RAM user. For more information, see Create custom policies and Grant permissions to a RAM user.

The following code shows the policy that allows authorized RAM users to create the AliyunServiceRoleForDMS role for DMS:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dms.aliyuncs.com"
        }
      }
    }
  ]
}

Data Disaster Recovery

Your RAM user must be granted the required permissions before the AliyunServiceRoleForDBS role can be created for Data Disaster Recovery.

If your RAM user does not have the required permissions, you must add the following policy and grant permissions to the RAM user. For more information, see Create custom policies and Grant permissions to a RAM user.

The following code shows the policy that allows authorized RAM users to create the AliyunServiceRoleForDBS role for Data Disaster Recovery:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dbs.aliyuncs.com"
        }
      }
    }
  ]
}

Create a service-linked role

DMS

If your RAM user already has the required permissions to create the AliyunServiceRoleForDMS role for DMS, you can log on to the DMS console and click OK in the DMS Service-linked Role dialog box. This way, the system can automatically create the AliyunServiceRoleForDMS role for DMS. For more information, see the Create a service-linked role section of the "Service-linked roles" topic.

Data Disaster Recovery

When you use Data Disaster Recovery for the first time, the system automatically creates the AliyunServiceRoleForDBS role. Before you use Data Disaster Recovery, you must assign the AliyunServiceRoleForDBS role to Data Disaster Recovery to ensure that Data Disaster Recovery has the permissions to access your databases.

View the details of a service-linked role

DMS

After the AliyunServiceRoleForDMS role is created for DMS, you can view the role details in the RAM console, including the basic information, trust policy, and permission policy (AliyunServiceRolePolicyForDMS) of the role.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for the AliyunServiceRoleForDMS role and then click its name.

  4. View the basic information of the role.

    In the Basic Information section of the role details page, view the role information including the role name, creation time, and Alibaba Cloud Resource Name (ARN).

  5. View the trust policy of the role.

    On the role details page, click the Trust Policy tab to view the value of the Service field. The value indicates the cloud service that can assume the role. Example: "Service": ["dms.aliyuncs.com"].

  6. View the permissions that are granted to the role.

    1. On the role details page, click the Permissions tab.

    2. Find the AliyunServiceRolePolicyForDMS policy and click its name.

    3. On the Policy Document tab of the page that appears, view the policy content.

    Note

    You cannot directly view the permissions that are granted to a service-linked role on the Policies page of the RAM console.

Data Disaster Recovery

After the AliyunServiceRoleForDBS role is created for Data Disaster Recovery, you can view the role details in the RAM console, including the basic information, trust policy, and permission policy of the role.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for the AliyunServiceRoleForDBS role and click its name.

  4. View the basic information of the role.

    In the Basic Information section of the role details page, view the role information including the role name, creation time, and Alibaba Cloud Resource Name (ARN).

  5. View the trust policy of the role.

    On the role details page, click the Trust Policy tab to view the value of the Service field. The value indicates the cloud service that can assume the role. Example: "Service": ["dbs.aliyuncs.com"].

  6. View the permission policy (AliyunServiceRolePolicyForDBS) of the role.

    1. On the role details page, click the Permissions tab.

    2. Find the AliyunServiceRolePolicyForDBS policy and click its name.

    3. On the Policy Document tab of the page that appears, view the policy content.

    Note

    You cannot directly view the permissions that are granted to a service-linked role on the Policies page of the RAM console.

Delete a service-linked role

DMS

Before you delete the AliyunServiceRoleForDMS role, you must remove all instances from the instance list in the DMS console. For more information about how to remove an instance and delete a service-linked role, see Remove one or more instances and Delete a service-linked role.

Data Disaster Recovery

You can manually delete the AliyunServiceRoleForDBS role in the RAM console. For more information, see Delete a RAM role.