All Products
Search

This Product

    ApsaraDB RDS:Authorize DTS to access cloud resources

    Document Center

    ApsaraDB RDS:Authorize DTS to access cloud resources

    Last Updated:Mar 28, 2026

    Before using the Global Active Database (GAD) feature of ApsaraDB RDS for PostgreSQL, authorize Data Transmission Service (DTS) to access your cloud resources. This creates a RAM role named AliyunDTSDefaultRole and attaches the AliyunDTSRolePolicy system policy to it, allowing DTS to manage RDS instances and related services on your behalf. The authorization does not affect RDS instance performance.

    If you have already completed this authorization, skip this topic and proceed to create a GAD instance group.

    Prerequisites

    Before you begin, ensure that you have:

    Policy description

    The AliyunDTSRolePolicy system policy grants DTS the permissions required to manage the following cloud services: ApsaraDB for RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch.

    For the full list of permissions included in this policy, see AliyunDTSRolePolicy. For information about policy structure, see Policy structure and syntax.

    Authorize DTS (recommended)

    Use your Alibaba Cloud account to open the RAM Quick Authorization page for AliyunDTSDefaultRole, then click Authorize and wait for the process to complete.

    After authorization completes, verify the result.

    Authorize DTS in the RAM console

    Use this method if the RAM Quick Authorization page is unavailable or if you prefer to configure permissions manually.

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. In the search box next to Create Role, enter AliyunDTSDefaultRole and click the search icon.

      If AliyunDTSDefaultRole does not appear in the results, use the RAM Quick Authorization page instead.

    4. Click AliyunDTSDefaultRole in the search results.

    5. On the Permissions tab, click Precise Permission.

      image

    6. In the Precise Permission panel, set Type to System Policy.

      4-1

    7. In the Policy Name field, enter AliyunDTSRolePolicy, then click OK.

    8. Click Close.

    Verify the authorization result

    After completing either authorization method, confirm both of the following conditions are met:

    1. Log on to the RAM console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. In the search box next to Create Role, enter AliyunDTSDefaultRole and click the search icon.

    4. Click AliyunDTSDefaultRole in the search results.

    5. Check both of the following conditions: To refresh the permissions list, click the image icon on the right side of the Permissions tab.

      • On the Trust Policy tab, dts.aliyuncs.com appears in the Service field. image

      • On the Permissions tab, the AliyunDTSRolePolicy policy is listed. image

    If either condition is not met, the authorization failed. To fix it:

    1. Delete the AliyunDTSDefaultRole role. For instructions, see Delete a RAM role.

    2. Authorize again using the RAM Quick Authorization page.

    What's next

    Create a GAD instance group