This topic describes how to authorize Data Transmission Service (DTS) to access Alibaba Cloud resources of an Alibaba Cloud account when you use DTS for the first time.
Background
Why is authorization required?
If you use DTS for the first time, you must assign the default role AliyunDTSDefaultRole to DTS and attach the AliyunDTSRolePolicy policy to the role. After the authorization is complete, DTS can access Alibaba Cloud resources such as ApsaraDB for RDS and Elastic Compute Service (ECS) instances within the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can then specify the Alibaba Cloud resources that DTS is to access. Without the authorization, an error occurs due to permission-related issues and you cannot use DTS as expected.
If you do not authorize DTS to access Alibaba Cloud resources, the following error message is displayed when you log on to the DTS console:
Error code: Abnormal.RamCheckUserRole
Error message: You have not authorized the default role "AliyunDTSDefaultRole" of DTS. If your account has the write permissions on Resource Access Management (RAM), you can authorize the role in the RAM console by using the account. Otherwise, you must authorize the role in the RAM console by using the Alibaba Cloud account, and then refresh this page.
Policy description
The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to manage multiple cloud resources such as ApsaraDB for RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch. For more information, see AliyunDTSRolePolicy.
For more information about policies, see Policy structure and syntax.
Procedure
If you log on to the RAM console by using an Alibaba Cloud account and find that the role AliyunDTSDefaultRole has already been created, check whether the authorization is correct. For more information, see the section View the authorization result of this topic.
Method 1 (recommended): Use a shortcut to RAM to perform the authorization
Access the RAM Quick Authorization page by using an Alibaba Cloud account, and click Authorize.
If "EntityAlreadyExists.Role" and "EntityAlreadyExists.Role.Policy" appear on the displayed page after you perform the preceding operations, DTS is granted the permissions to access cloud resources by using the Alibaba Cloud account. Click Return to the console and configure a DTS task.
Method 2: Authorize DTS to access Alibaba Cloud resources in the Cloud Resource Access Authorization message
Log on to the DTS Console by using an Alibaba Cloud account.
In the Error Prompt message, click Authorize Role in RAM Console.
On the RAM Quick Authorization page that appears, click Authorize.
After you complete authorization, click Return to continue.
Method 3: Authorize DTS to access Alibaba Cloud resources in the RAM console
Find the default role.
Log on to the RAM console.
Optional: In the left-side navigation pane, choose
In the text box next to Create Role, enter AliyunDTSDefaultRole, and click the search icon.
Note: If the role AliyunDTSDefaultRole is not found, we recommend that you use Method 1 of this topic for authorization.
Click the role name in the search results.
Grant the required permissions to the RAM role.
On the Permissions tab, click Precise Permission.
Optional. In the Precise Permission panel, select System Policy for the Type parameter.
In the Policy Name field, enter AliyunDTSRolePolicy.
Click OK.
To verify the authorization, click the icon on the right side of the Permissions tab to refresh the page.
After the required permissions are granted, click Close.
View the authorization result
You can perform the following steps to view the result of authorization by using the default role.
Log on to the RAM console.
Optional: In the left-side navigation pane, choose
In the text box next to Create Role, enter AliyunDTSDefaultRole, and click the search icon.
Click the role name in the search results.
Click AliyunDTSDefaultRole to view the details.
If both of the following conditions are met, the authorization is successful:
On the Trust Policy tab, dts.aliyuncs.com is included in the Service field.
On the Permissions tab, the AliyunDTSRolePolicy policy exists.
If one of the preceding conditions is not met, the authorization fails. You must grant the permissions again.
Delete the role AliyunDTSDefaultRole.
Authorize again.
Note: We recommend that you use Method 1 of this topic for authorization.
For more information about how to delete a RAM role, see Delete a RAM role.
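The two conditions listed under View the authorization result can also be checked from exported role data. The following is an added example, not part of the original topic or of Alibaba Cloud's tooling. It assumes input shaped like the RAM GetRole and ListPoliciesForRole API responses; the function names and the sample responses are constructed for illustration. Beyond the two conditions, it also lists any other principal that the trust policy allows to assume the role.

```python
import json

POLICY = "AliyunDTSRolePolicy"
DTS_SERVICE = "dts.aliyuncs.com"

def _as_list(value):
    # RAM policy fields may hold one item or a list of items.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def trusted_principals(trust_doc):
    """Return (services, others) allowed to assume the role via sts:AssumeRole."""
    services, others = set(), set()
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        services.update(s.lower() for s in _as_list(principal.get("Service")))
        for kind in ("RAM", "Federated"):
            others.update(_as_list(principal.get(kind)))
    return services, others

def check_dts_authorization(get_role, list_policies):
    """Evaluate both conditions from the topic and list other trusted principals."""
    doc = get_role["Role"]["AssumeRolePolicyDocument"]
    if isinstance(doc, str):  # the document may arrive as a JSON string
        doc = json.loads(doc)
    services, others = trusted_principals(doc)
    attached = {p["PolicyName"] for p in list_policies["Policies"]["Policy"]}
    return {
        "trusts_dts": DTS_SERVICE in services,
        "policy_attached": POLICY in attached,
        "other_principals": sorted((services - {DTS_SERVICE}) | others),
    }

# Constructed sample responses (not captured from a real account).
SAMPLE_GET_ROLE = {"Role": {"RoleName": "AliyunDTSDefaultRole",
    "AssumeRolePolicyDocument": json.dumps({"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["dts.aliyuncs.com"]}}]})}}
SAMPLE_LIST_POLICIES = {"Policies": {"Policy": [
    {"PolicyName": "AliyunDTSRolePolicy", "PolicyType": "System"}]}}

if __name__ == "__main__":
    print(check_dts_authorization(SAMPLE_GET_ROLE, SAMPLE_LIST_POLICIES))
```

If trusts_dts or policy_attached is False, the authorization has failed as described above. A non-empty other_principals list means the role can be assumed by something other than DTS and should be reviewed.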