Before you can configure MongoDB Global Distributed Cache (formerly Global Active Database, or GAD), grant Data Transmission Service (DTS) the permissions it needs to access your MongoDB and other cloud resources. This is a one-time setup: create the default service role AliyunDTSDefaultRole and attach the AliyunDTSRolePolicy system policy to it. The authorization has no impact on your MongoDB instance performance.
If you log on to the RAM console and the role AliyunDTSDefaultRole with the AliyunDTSRolePolicy permission already exists, skip this topic and create a Global Distributed Cache instance group.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account. For details, see Create an Alibaba Cloud account.
Access to the Alibaba Cloud account (the primary account — RAM users cannot perform this authorization)
Policy description
The AliyunDTSRolePolicy system policy grants the AliyunDTSDefaultRole service role permissions to manage the following cloud resources on behalf of DTS:
ApsaraDB for RDS
ECS
PolarDB
ApsaraDB for MongoDB
ApsaraDB for Redis
PolarDB-X
DataHub
Elasticsearch
For the full list of permissions in this policy, see AliyunDTSRolePolicy. For background on policy structure, see Policy structure and syntax.
Choose an authorization method
| Scenario | Method |
|---|---|
| First-time authorization, or the role AliyunDTSDefaultRole does not exist | Method 1: Quick authorization from the RAM console (recommended) |
| The role exists but the AliyunDTSRolePolicy permission is not attached | Method 2: Attach the policy manually |
Method 1: Quick authorization from the RAM console
Log on to the AliyunDTSDefaultRole quick authorization page using your Alibaba Cloud account. In the Cloud Resource Access Authorization dialog box, click Agree To Authorization. A success message confirms the authorization is complete.
Method 2: Attach the policy manually
Log on to the RAM console.
(Optional) In the left-side navigation pane, choose Identities > Roles.
In the text box next to Create Role, enter AliyunDTSDefaultRole and click the search icon. If the role is not found, use Method 1 instead.
Click the role name in the search results.
On the Permissions tab, click Precise Permission.

(Optional) In the Precise Permission panel, select System Policy for the Type parameter.

In the Policy Name field, enter AliyunDTSRolePolicy.
Click OK.
To verify the change, click the icon on the right side of the Permissions tab to refresh the page.
Click Close.
Verify the authorization
Log on to the RAM console.
(Optional) In the left-side navigation pane, choose Identities > Roles.
In the text box next to Create Role, enter AliyunDTSDefaultRole and click the search icon.
Click the role name in the search results, then click AliyunDTSDefaultRole to view its details.
Confirm both of the following conditions:
Trust Policy tab: dts.aliyuncs.com appears in the Service field.
Permissions tab: the AliyunDTSRolePolicy policy is listed.
If either condition is not met, the authorization failed. Delete the role AliyunDTSDefaultRole and repeat the authorization using Method 1. For instructions on deleting a RAM role, see Delete a RAM role.
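The two conditions above can also be checked offline against exported role data. The following is an added example, not part of the original documentation: it assumes the JSON response shapes of the RAM GetRole and ListPoliciesForRole API operations, the function names are hypothetical, and the sample responses are constructed.

```python
import json

ROLE_NAME = "AliyunDTSDefaultRole"
POLICY_NAME = "AliyunDTSRolePolicy"
DTS_SERVICE = "dts.aliyuncs.com"


def trusted_services(trust_policy):
    """Return service principals that an Allow statement lets assume the role."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def check_dts_authorization(get_role_resp, list_policies_resp):
    """Return the list of failed conditions; an empty list means both hold."""
    problems = []
    role = get_role_resp.get("Role", {})
    doc = role.get("AssumeRolePolicyDocument", "{}")
    # The trust policy may arrive as a JSON string or as a parsed object.
    trust = json.loads(doc) if isinstance(doc, str) else doc
    if role.get("RoleName") != ROLE_NAME:
        problems.append("role is not " + ROLE_NAME)
    if DTS_SERVICE not in trusted_services(trust):
        problems.append(DTS_SERVICE + " missing from trust policy Service")
    attached = list_policies_resp.get("Policies", {}).get("Policy", [])
    if not any(p.get("PolicyName") == POLICY_NAME
               and p.get("PolicyType") == "System" for p in attached):
        problems.append(POLICY_NAME + " system policy not attached")
    return problems


# Constructed sample responses (assumed shapes, not captured from a real account).
SAMPLE_ROLE = {"Role": {"RoleName": ROLE_NAME, "AssumeRolePolicyDocument": json.dumps({
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"Service": ["dts.aliyuncs.com"]}}]})}}
SAMPLE_POLICIES = {"Policies": {"Policy": [
    {"PolicyName": POLICY_NAME, "PolicyType": "System"}]}}

if __name__ == "__main__":
    print(check_dts_authorization(SAMPLE_ROLE, SAMPLE_POLICIES) or "authorization OK")
```

An empty result corresponds to both conditions being met; any returned message corresponds to the failed-authorization case described above.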