All Products
Search

This Product

    ApsaraDB RDS:Authorize DTS to access cloud resources

    Document Center

    ApsaraDB RDS:Authorize DTS to access cloud resources

    Last Updated:Jul 03, 2025

    When you use the Global Active Database (GAD) feature of ApsaraDB RDS for the first time, you must create a default role named AliyunDTSDefaultRole and attach the system policy AliyunDTSRolePolicy to this role. This allows Data Transmission Service (DTS) to access your RDS and DTS resources for the further configuration and management of GAD. The authorization does not impact the performance of the RDS instance.

    Note

    If you log on to the RAM console using your Alibaba Cloud account and find that your account is already authorized, skip the operations in this topic and start from creating a GAD instance group.

    Prerequisites

    An Alibaba Cloud account is created. For more information, see Create an Alibaba Cloud account.

    Policy description

    The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to manage multiple cloud resources such as ApsaraDB for RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch. For more information, see AliyunDTSRolePolicy.

    Note

    For more information about policies, see Policy structure and syntax.

    Method 1: Authorize through the RAM Quick Authorization page (recommended)

    Use your Alibaba Cloud account to access the RAM Quick Authorization page for AliyunDTSDefaultRole. Then, click Authorize on the page and wait until the authorization is completed.

    Method 2: Authorize in the RAM console

    1. Find the default role.

      1. Log on to the RAM console.

      2. Optional: In the left-side navigation pane, choose Identities > Roles.

      3. In the text box next to Create Role, enter AliyunDTSDefaultRole, and click the search icon.

        Note

        If the role AliyunDTSDefaultRole is not found, we recommend that you use Method 1 of this topic for authorization.

    2. Click the role name in the search results.

    3. Grant the required permissions to the RAM role.

      1. On the Permissions tab, click Precise Permission.

        image

      2. Optional. In the Precise Permission panel, select System Policy for the Type parameter.

        4-1

      3. In the Policy Name field, enter AliyunDTSRolePolicy.

      4. Click OK.

        To verify the authorization, click the image icon on the right side of the Permissions tab to refresh the page.

    4. After the required permissions are granted, click Close.

    View the authorization result

    Note

    You can perform the following steps to view the result of authorization by using the default role.

    1. Log on to the RAM console.

    2. Optional: In the left-side navigation pane, choose Identities > Roles.

    3. In the text box next to Create Role, enter AliyunDTSDefaultRole, and click the search icon.

    4. Click the role name in the search results.

    5. Click AliyunDTSDefaultRole to view the details.

      • If both of the following conditions are met, the authorization is successful:

        • On the Trust Policy tab, dts.aliyuncs.com is included in the Service field.

          image

        • On the Permissions tab, the AliyunDTSRolePolicy policy exists.

          image

      • If one of the preceding conditions is not met, the authorization fails. You must grant the permissions again.

        Delete the role AliyunDTSDefaultRole. Authorize again.

        Note

        • We recommend that you use Method 1 of this topic for authorization.

        • For more information about how to delete a RAM role, see Delete a RAM role.

    What to do next

    Create a GAD instance group