
Data Management: Service-linked role for DMS

Last Updated: Mar 30, 2026

Data Management Service (DMS) uses two service-linked roles to access other Alibaba Cloud services on your behalf: AliyunServiceRoleForDMS for DMS features, and AliyunServiceRoleForDBS for Data Disaster Recovery. This topic describes what each role does, what permissions it holds, and how to create, view, or delete it.

Background

A service-linked role is a special type of Resource Access Management (RAM) role with two key differences from a regular RAM role:

  • Owned by the service: The role is created by and belongs to the cloud service, not your account.

  • Permissions are fixed: You cannot edit the permission policy. The permissions are defined and managed by the service itself.

For a general overview of RAM roles, see RAM role overview. For more about the service-linked role mechanism, see Service-linked roles.

Scenarios

Data Management (DMS)

If a feature of DMS needs to access resources such as ECS, VPC, RDS, and other databases or tools, the service-linked role for DMS grants the required access permissions.

Data Disaster Recovery (DBS)

The service-linked role for DBS (AliyunServiceRoleForDBS) is a RAM role with permissions to access other Alibaba Cloud services. DBS uses this role to obtain the access permissions required to connect to ApsaraDB databases that you purchased on Alibaba Cloud, such as RDS, MongoDB, Redis, and PolarDB, or to self-managed databases on ECS instances. For more information, see Service-linked roles.

Role details

AliyunServiceRoleForDMS

What this role does

AliyunServiceRoleForDMS lets DMS access Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), ApsaraDB RDS instances, and resources across the databases and tools it manages. Specifically:

  • Query ApsaraDB RDS, PolarDB, Lindorm, and other cloud database resources to enable centralized management of Alibaba Cloud databases.

  • Query ECS instances and VPCs to manage self-managed databases hosted on ECS and internet-accessible databases.

  • Invoke Data Transmission Service (DTS) and Data Disaster Recovery to support data migration, synchronization, and backup workflows.

Role name: AliyunServiceRoleForDMS
Policy name: AliyunServiceRolePolicyForDMS
Trusted service: dms.aliyuncs.com

Policy document

The statements below are grouped by the cloud service each one controls; together they make up the Statement array of AliyunServiceRolePolicyForDMS. Note which mutating grants carry a Condition (for example, a resource tag) and which apply to every resource.

ECS — Manage security groups and run commands on instances tagged for DMS use:

{
    "Action": [
        "ecs:DescribeInstances",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeImages",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeRegions",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceAttribute",
        "ecs:CreateCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocationResults"
    ],
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation"
    ],
    "Resource": "acs:ecs:*:*:instance/*",
    "Condition": {
        "StringEquals": {
            "acs:ResourceTag/dms": "script-for-dms"
        }
    },
    "Effect": "Allow"
},
{
    "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation"
    ],
    "Resource": "acs:ecs:*:*:command/*",
    "Effect": "Allow"
}

ApsaraDB RDS — Query instance details, SQL logs, backup policies, and manage tags:

{
    "Action": [
        "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeBinlogFiles",
        "rds:DescribeDBInstancePerformance",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeSlowLogs",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSQLCollectorPolicy",
        "rds:ModifySQLCollectorPolicy",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeSQLLogFiles",
        "rds:DescribeResourceUsage",
        "rds:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstanceAttribute",
        "rds:ModifyBackupPolicy",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceEncryptionKey",
        "rds:DescribeDBInstanceTDE",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeCrossRegionBackupDBInstance",
        "rds:DescribeSQLCollectorRetention",
        "rds:TagResources",
        "rds:UntagResources",
        "rds:ListTagResources",
        "rds:DescribeDBInstanceByTags",
        "rds:DescribeDatabases"
    ],
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": [
        "rds:CreateAccount",
        "rds:DeleteAccount",
        "rds:ResetAccountPassword",
        "rds:GrantAccountPrivilege",
        "rds:RevokeAccountPrivilege",
        "rds:CheckAccountNameAvailable"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "rds:tag/dms": "account-management"
        }
    },
    "Effect": "Allow"
}

ApsaraDB for MongoDB — Query instance details and manage IP whitelists:

{
    "Action": [
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps",
        "dds:DescribeDBInstances"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Tair (Redis OSS-compatible) — Query instance details, configuration, and manage IP whitelists:

{
    "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeRegions",
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeInstanceConfig"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

DRDS — Query instance details and manage IP whitelists:

{
    "Action": [
        "drds:DescribeDrdsInstances",
        "drds:QueryInstanceInfoByConn",
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:ModifyDrdsIpWhiteList",
        "drds:DescribeDrdsInstanceVersion"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

PolarDB — Query cluster details and manage masking rules and audit logs:

{
    "Action": [
        "polardb:DescribeRegions",
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeMaskingRules",
        "polardb:ModifyMaskingRules",
        "polardb:DeleteMaskingRules",
        "polardb:DescribeDBClusterVersion",
        "polardb:DescribeDBClusterAuditLogCollector"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

PolarDB-X — Query instance details and manage IP whitelists:

{
    "Action": [
        "polardbx:DescribeDBInstances",
        "polardbx:DescribeSecurityIps",
        "polardbx:ModifySecurityIps",
        "polardbx:DescribeDBInstanceAttribute",
        "polardbx:DescribeBinaryLogList",
        "polardbx:DescribeDBInstanceViaEndpoint"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

HybridDB for MySQL (petadata) — Query instance details and manage IP whitelists:

{
    "Action": [
        "petadata:DescribeInstances",
        "petadata:DescribeInstanceInfoByConnection",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

HDM — Access HDM instances:

{
    "Action": [
        "hdm:AccessHDMInstance"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Data Transmission Service (DTS) — Create and manage migration, synchronization, and ETL jobs:

{
    "Action": [
        "dts:CreateMigrationJob",
        "dts:ConfigureMigrationJob",
        "dts:StartMigrationJob",
        "dts:StopMigrationJob",
        "dts:DescribeMigrationJobStatus",
        "dts:DescribeMigrationJobDetail",
        "dts:CreateSynchronizationJob",
        "dts:ConfigureSynchronizationJob",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob",
        "dts:DescribeSynchronizationJobStatus",
        "dts:ShieldPrecheck",
        "dts:CreateDtsInstance",
        "dts:ConfigureDtsJob",
        "dts:StartDtsJob",
        "dts:ModifyDtsJob",
        "dts:StopDtsJob",
        "dts:DescribeDtsJobDetail",
        "dts:DescribeDtsJobs",
        "dts:ConfigureEtlJob",
        "dts:SaveEtlJob",
        "dts:SuspendDtsJob",
        "dts:DeleteDtsJob",
        "dts:ModifyDtsJobName",
        "dts:SkipPreCheck",
        "dts:DescribeDtsEtlJobVersionInfo",
        "dts:DescribeEtlJobLogs",
        "dts:PreviewSql",
        "dts:DescribePreCheckStatus",
        "dts:DescribeDtsJobLogs",
        "dts:DescribeJobMonitorRule",
        "dts:CreateJobMonitorRule",
        "dts:DescribeConfigRelations",
        "dts:DescribeFormInfo",
        "dts:DescribeDmsInstanceDetail",
        "dts:DescribeSchemaList",
        "dts:DescribeColumns",
        "dts:DescribeStruct",
        "dts:DescribeDtsInstancePrice",
        "dts:DescribeRegions",
        "dts:DescribeInstanceInventory",
        "dts:CreateCheckJob",
        "dts:DescribeCheckJobDiffDetails",
        "dts:EtlMockData",
        "dts:EtlMockResult",
        "dts:DescribeCheckJobStatus",
        "dts:DescribeDtsJobStatistics",
        "dts:Ping",
        "dts:DescribeUploadPolicy"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

API Gateway — Create and manage API groups, APIs, and apps for database API publishing:

{
    "Action": [
        "apigateway:CreateApiGroup",
        "apigateway:ModifyApiGroup",
        "apigateway:DeleteApiGroup",
        "apigateway:DescribeApiGroups",
        "apigateway:CreateApi",
        "apigateway:ModifyApi",
        "apigateway:DeployApi",
        "apigateway:AbolishApi",
        "apigateway:DeleteApi",
        "apigateway:DescribeApi",
        "apigateway:DescribeApis",
        "apigateway:CreateApp",
        "apigateway:ModifyApp",
        "apigateway:DeleteApp",
        "apigateway:DescribeAppSecurity",
        "apigateway:ResetAppCode",
        "apigateway:ResetAppSecret",
        "apigateway:DescribeAppAttributes",
        "apigateway:SetApisAuthorities",
        "apigateway:DescribeAuthorizedApps"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Database Gateway (dg) — Query user gateways and databases for on-premises connectivity:

{
    "Action": [
        "dg:GetUserGateways",
        "dg:GetUserDatabases",
        "dg:GetUserGatewayInstances"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

OpenAnalytics — Submit and manage Spark jobs:

{
    "Action": [
        "openanalytics:QueryBucketList",
        "openanalytics:QueryDirectoryList",
        "openanalytics:ListVirtualClusters",
        "openanalytics:SubmitSparkJob",
        "openanalytics:KillSparkJob",
        "openanalytics:GetJobLog",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobStatus",
        "openanalytics:ExecuteService",
        "openanalytics:QueryService",
        "openanalytics:ExecuteOnVirtualCluster"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Data Disaster Recovery (dbs) — Create and manage backup and restore plans:

{
    "Action": [
        "dbs:DescribeBackupPlanList",
        "dbs:DescribeFullBackupList",
        "dbs:CreateBackupPlan",
        "dbs:ConfigureBackupPlan",
        "dbs:ModifyBackupObjects",
        "dbs:StartBackupPlan",
        "dbs:ModifyBackupSourceEndpoint",
        "dbs:StartTask",
        "dbs:StopBackupPlan",
        "dbs:CreateRestoreTask",
        "dbs:StartRestoreTask",
        "dbs:DescribeRestoreTaskList",
        "dbs:DescribeRestoreRangeInfo",
        "dbs:CreateDLAService",
        "dbs:DescribeDLAService",
        "dbs:CloseDLAService",
        "dbs:CreateAndStartBackupPlan",
        "dbs:DescribeFullBackupSet",
        "dbs:DescribeDataSourceQueryableAttribute",
        "dbs:DescribeDataSourceQueryableAttributeDetail",
        "dbs:GetTimeTravelInstance"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

OceanBase — Query cluster and tenant connection information:

{
    "Action": [
        "oceanbase:DescribeAllTenantsConnectionInfo",
        "oceanbase:DescribeInstances"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

HBase — Query instance details and manage IP whitelists:

{
    "Action": [
        "hbase:DescribeInstances",
        "hbase:DescribeInstance",
        "hbase:DescribeEndpoints",
        "hbase:DescribeIpWhitelist",
        "hbase:ModifyIpWhitelist"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Cassandra — Query cluster details and manage IP whitelists:

{
    "Action": [
        "cassandra:DescribeClusters",
        "cassandra:DescribeCluster",
        "cassandra:DescribeDataCenters",
        "cassandra:DescribeIpWhitelistGroups",
        "cassandra:ModifyIpWhitelistGroup"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Lindorm — Query instance details, manage IP whitelists, and run compute jobs:

{
    "Action": [
        "lindorm:GetLindormInstanceList",
        "lindorm:GetLindormInstance",
        "lindorm:GetLindormInstanceEngineList",
        "lindorm:GetLindormInstanceListForDMS",
        "lindorm:GetLindormInstanceForDMS",
        "lindorm:GetLindormInstanceForDMSByConnStr",
        "lindorm:GetInstanceIpWhiteList",
        "lindorm:UpdateInstanceIpWhiteList",
        "lindorm:CreateComputeEngineJob",
        "lindorm:GetComputeEngineJobDetail",
        "lindorm:GetComputeEngineJobLog",
        "lindorm:ReleaseLindormComputeJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

AnalyticDB (adb) — Manage clusters and Spark workloads:

{
    "Action": [
        "adb:CreateDBCluster",
        "adb:CreateAccount",
        "adb:DescribeDBClusters",
        "adb:DescribeDBClusterNetInfo",
        "adb:SubmitSparkApp",
        "adb:KillSparkApp",
        "adb:ListSparkApps",
        "adb:GetSparkAppLog",
        "adb:GetSparkAppInfo",
        "adb:GetSparkAppState",
        "adb:GetSparkAppAttemptLog",
        "adb:GetSparkAppWebUiAddress",
        "adb:ListSparkAppAttempts",
        "adb:DescribeDBClusterAttribute",
        "adb:DescribeDBResourceGroup",
        "adb:ExecuteSparkWarehouseBatchSQL",
        "adb:CancelSparkWarehouseBatchSQL",
        "adb:GetSparkWarehouseBatchSQL"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

AnalyticDB for PostgreSQL (gpdb) — Query instances and control pause/resume:

{
    "Action": [
        "gpdb:DescribeDBInstances",
        "gpdb:ResumeInstance",
        "gpdb:PauseInstance"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

VPC — Query VPCs and VSwitches:

{
    "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Hologres — Query instance details:

{
    "Action": [
        "hologram:GetInstance",
        "hologram:ListInstances"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

GDB — Query graph database instances:

{
    "Action": [
        "gdb:DescribeDbInstances"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Object Storage Service (OSS) — List buckets:

{
    "Action": [
        "oss:ListBuckets"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

SelectDB — Query instance details and manage IP whitelists:

{
    "Action": [
        "selectdb:DescribeDBInstances",
        "selectdb:DescribeDBInstanceAttribute",
        "selectdb:DescribeDBInstanceNetInfo",
        "selectdb:DescribeSecurityIPList",
        "selectdb:ModifySecurityIPList"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

ClickHouse — Query cluster and instance details and manage IP whitelists:

{
    "Action": [
        "clickhouse:DescribeDBClusters",
        "clickhouse:DescribeDBInstances",
        "clickhouse:DescribeDBInstanceAttribute",
        "clickhouse:DescribeEndpoints",
        "clickhouse:DescribeSecurityIPList",
        "clickhouse:ModifySecurityIPList"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

StarRocks (sr) — Query instance details and connection information:

{
    "Action": [
        "sr:ListInstances",
        "sr:GetInstanceDetail",
        "sr:DescribeRegions",
        "sr:GetDmsConnectionInfo",
        "sr:GetNetworkMappingIp"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Data Disaster Recovery internal (dbs-inner) — Query data source attributes for time travel features:

{
    "Action": [
        "dbs-inner:DescribeDataSourceQueryableAttribute",
        "dbs-inner:DescribeDataSourceQueryableAttributeDetail",
        "dbs-inner:GetTimeTravelInstance"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Key Management Service (KMS) — List secrets and decrypt credentials:

{
    "Action": [
        "kms:ListSecrets",
        "kms:GetSecretValue",
        "kms:Decrypt",
        "kms:ListKmsInstances"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Tablestore (ots) — List instances:

{
    "Action": [
        "ots:ListInstance"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

RAM — Delete the DMS service-linked role itself:

{
    "Action": "ram:DeleteServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "dms.aliyuncs.com"
        }
    }
}

AliyunServiceRoleForDBS

What this role does

AliyunServiceRoleForDBS lets Data Disaster Recovery connect to and manage the following databases:

  • Alibaba Cloud databases: ApsaraDB RDS instances, ApsaraDB for MongoDB instances, Tair (Redis OSS-compatible) instances, and PolarDB databases.

  • Self-managed databases hosted on ECS instances.

The role must exist before Data Disaster Recovery can access any of these databases. When you use Data Disaster Recovery for the first time, the system creates this role automatically.

Role name: AliyunServiceRoleForDBS
Policy name: AliyunServiceRolePolicyForDBS
Trusted service: dbs.aliyuncs.com

Policy document

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceNetInfoForChannel",
        "rds:DescribeTasks",
        "rds:DescribeDBInstances",
        "rds:DescribeFilesForSQLServer",
        "rds:DescribeImportsForSQLServer",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeBinlogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeParameters",
        "rds:DescribeParameterTemplates",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDatabases",
        "rds:DescribeAccounts",
        "rds:DescribeSecurityIPList",
        "rds:DescribeSecurityIps",
        "rds:DescribeDBInstanceIPArray",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:CreateDBInstance",
        "rds:CreateAccount",
        "rds:CreateDatabase",
        "rds:ModifySecurityIps",
        "rds:GrantAccountPrivilege",
        "rds:CreateMigrateTask",
        "rds:CreateOnlineDatabaseTask",
        "rds:DescribeMigrateTasks",
        "rds:DescribeOssDownloads",
        "rds:CreateBackup",
        "rds:DescribeBackups",
        "rds:DescribeBackupPolicy",
        "rds:ModifyBackupPolicy",
        "rds:DescribeBackupTasks",
        "rds:DescribeBinlogFiles",
        "rds:DescribeResourceUsage",
        "rds:DescribeAvailableZones",
        "rds:DescribeAvailableClasses",
        "rds:ListClasses",
        "rds:CreateDdrInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstance",
        "ecs:DescribeInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeSnapshots",
        "ecs:ModifySnapshotAttribute",
        "ecs:ResizeDisk",
        "ecs:CreateSecurityGroup",
        "ecs:ModifySecurityGroupPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:PutEventRule",
        "cms:PutEventTargets",
        "cms:ListEventRules",
        "cms:ListEventTargetsByRule",
        "cms:DeleteEventRule",
        "cms:DeleteEventTargets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterIPArrayList",
        "polardb:DescribeDBClusterNetInfo",
        "polardb:DescribeDBClusters",
        "polardb:ModifySecurityIps",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeShardingNetworkAddress",
        "dds:DescribeSecurityIps",
        "dds:DescribeDBInstances",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:DescribeInstances",
        "kvstore:DescribeAccounts",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:CreateAccount",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:AllocateInstancePrivateConnection",
        "kvstore:DescribeLogicInstanceTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsDB",
        "drds:DescribeDrdsDBs",
        "drds:DescribeDrdsDbInstance",
        "drds:DescribeDrdsDbInstances",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:DescribeDrdsInstances",
        "drds:ModifyDrdsIpWhiteList",
        "drds:CreateDrdsDB",
        "drds:DescribeTable",
        "drds:DescribeTables",
        "drds:ModifyRdsReadWeight",
        "drds:ChangeAccountPassword",
        "drds:CreateDrdsInstance",
        "drds:CreateInstanceInternetAddress",
        "drds:DescribeInstanceAccounts",
        "drds:DescribeBackupSets",
        "drds:DescribeDbInstances",
        "drds:DescribeDrdsCrossRegionBackups",
        "drds:DescribeCrossBackupMetadata",
        "drds:RegisterCrossRegionBackupSet",
        "drds:DeleteCrossRegionBackupSet",
        "drds:DescribeDrdsRdsInstances",
        "drds:CreateDrdsCrossInstance",
        "drds:DescribeDrdsInstanceLevelTasks"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bssapi:QueryResourcePackageInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "hdm:AddHDMInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dbs.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "dg:GetUserGateways",
        "dg:GetUserDatabases",
        "dg:AddDatabase",
        "dg:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
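Both policy documents above grant many actions on Resource "*", with only a few mutating grants gated by a Condition. The following script is an added example (not code from the DMS documentation or product) that reviews a policy document in this format and separates read-only grants from mutating ones, recording the Condition that gates each mutating grant. The read-only verb list is an assumption based on the usual Alibaba Cloud naming convention, and the sample policy is constructed from a subset of the AliyunServiceRolePolicyForDMS statements shown above.

```python
# Added example (not DMS's own code): review a RAM policy document and separate
# read-only grants from mutating ones, noting which mutating grants are gated
# by a Condition such as a resource tag. The sample policy is constructed from
# statements quoted on this page.
import json
from collections import defaultdict

# Assumption: the usual Alibaba Cloud verb convention; unknown verbs count as writes.
READ_PREFIXES = ("Describe", "Get", "List", "Query", "Check", "Preview", "Ping")


def as_list(value):
    """RAM allows "Action" and "Resource" to be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """True when the verb part of e.g. ecs:DescribeInstances looks read-only."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_PREFIXES)


def flatten_condition(condition):
    """{"StringEquals": {"rds:tag/dms": "account-management"}} becomes a sorted
    tuple of (operator, key, value) triples; an absent Condition becomes ()."""
    triples = []
    for operator, pairs in (condition or {}).items():
        for key, value in pairs.items():
            triples.extend((operator, key, v) for v in as_list(value))
    return tuple(sorted(triples))


def review_policy(policy):
    """Return {"read_only": [actions],
               "unconditioned_writes": {action: [resources]},
               "conditioned_writes": {action: [(resource, condition), ...]}}.
    Only Allow statements are counted; Deny statements grant nothing."""
    read_only = set()
    unconditioned = defaultdict(set)
    conditioned = defaultdict(list)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource"))
        cond = flatten_condition(stmt.get("Condition"))
        for action in as_list(stmt.get("Action")):
            if is_read_only(action):
                read_only.add(action)
                continue
            for res in resources:
                if cond:
                    conditioned[action].append((res, cond))
                else:
                    unconditioned[action].add(res)
    return {
        "read_only": sorted(read_only),
        "unconditioned_writes": {a: sorted(r) for a, r in unconditioned.items()},
        "conditioned_writes": dict(conditioned),
    }


# Constructed sample: a subset of the AliyunServiceRolePolicyForDMS statements
# shown above, wrapped in the Version/Statement envelope the DBS policy uses.
SAMPLE_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["ecs:DescribeInstances", "ecs:AuthorizeSecurityGroup", "ecs:CreateCommand"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
   "Resource": "acs:ecs:*:*:instance/*", "Effect": "Allow",
   "Condition": {"StringEquals": {"acs:ResourceTag/dms": "script-for-dms"}}},
  {"Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
   "Resource": "acs:ecs:*:*:command/*", "Effect": "Allow"},
  {"Action": ["rds:CreateAccount", "rds:ResetAccountPassword", "rds:CheckAccountNameAvailable"],
   "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"rds:tag/dms": "account-management"}}},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "dms.aliyuncs.com"}}}
]}""")


if __name__ == "__main__":
    for key, value in review_policy(SAMPLE_POLICY).items():
        print(key, json.dumps(value, indent=2))
```

In the DMS policy, ecs:InvokeCommand is granted on command/* without a condition and on instance/* only when the instance carries the dms=script-for-dms tag; the report lists both grants so a reviewer can see that the instance-side tag condition is what limits where DMS can run commands.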

Permissions required to create a service-linked role

Data Management (DMS)

Before a service-linked role can be created, the RAM user performing the action must have the ram:CreateServiceLinkedRole permission scoped to the service that will own the role.

If the RAM user lacks this permission, attach a custom policy with the following statement. For instructions, see Create custom policies and Grant permissions to a RAM user.

Example policy for AliyunServiceRoleForDMS (allows creation of the service-linked role for DMS):

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Data Disaster Recovery (DBS)

If your RAM user does not have sufficient permissions to create the service-linked role for Data Disaster Recovery (DBS), add the following permission to the RAM user. For more information about how to add and grant permissions, see Create a custom permission policy and Manage RAM user permissions.

Example policy for AliyunServiceRoleForDBS (allows creation of the service-linked role for Data Disaster Recovery (DBS)):

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "dbs.aliyuncs.com"
    }
  }
}

Create a service-linked role

Data Management (DMS)

AliyunServiceRoleForDMS: If your RAM user has the required permissions, log on to the DMS console. When the DMS Service-linked Role dialog box appears, click OK. The system creates AliyunServiceRoleForDMS automatically. For details, see the Create a service-linked role section in the "Service-linked roles" topic.

Data Disaster Recovery (DBS)

AliyunServiceRoleForDBS: The system creates this role automatically the first time you use Data Disaster Recovery. No manual steps are required.

View a service-linked role

Data Management (DMS)

After a service-linked role is created, you can view its Alibaba Cloud Resource Name (ARN), trust policy, and permission policy in the RAM console. The steps below apply to both roles — substitute the role name and policy name where indicated.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for the role name (AliyunServiceRoleForDMS or AliyunServiceRoleForDBS) and click its name.

  4. On the role details page, find the following information:

    • Basic Information — shows the role name, creation time, and ARN.

    • Trust Policy tab — shows the Service field, which identifies the cloud service that can assume the role. For example: "Service": ["dms.aliyuncs.com"].

    • Permissions tab — lists the attached policies. Click the policy name (AliyunServiceRolePolicyForDMS or AliyunServiceRolePolicyForDBS) and then open the Policy Document tab to view the full policy content.

Service-linked role permissions are not visible on the Policies page of the RAM console. Access them through the role details page as described above.

Data Disaster Recovery (DBS)

After the service-linked role for Data Disaster Recovery (DBS) (AliyunServiceRoleForDBS) is created, you can view the role in the RAM console. In the console, you can view the basic information, trust policy, and access policy (AliyunServiceRolePolicyForDBS) of the role.

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identity Management > Roles.

  3. On the Roles page, find and click AliyunServiceRoleForDBS.

  4. View the basic information of the role.

    In the Basic Information section of the role details page, you can view information such as the RAM role name, creation time, and ARN.

  5. View the trust policy of the role.

    On the role details page, click the Trust Policy tab. In the Service field, you can view the Alibaba Cloud services that can assume this role. For example: "Service": ["dbs.aliyuncs.com"].

  6. View the access policy of the role (AliyunServiceRolePolicyForDBS).

    1. On the role details page, click the Permission Management tab.

    2. Click the policy name AliyunServiceRolePolicyForDBS.

    3. On the Policy Content tab, you can view the details of the access policy.

    Note

    You cannot directly view the access policy of a service-linked role in the access policy list in the RAM console.

Delete a service-linked role

Data Management (DMS)

AliyunServiceRoleForDMS: Remove all instances from the instance list in the DMS console before deleting this role. This is required to prevent DMS from losing access to resources it is still managing. For instructions, see Remove one or more instances and Delete a service-linked role.

Data Disaster Recovery (DBS)

AliyunServiceRoleForDBS: Delete the role manually in the RAM console. For instructions, see Delete a RAM role.