
ApsaraDB RDS: Grant DTS access to cloud resources

Last Updated: Dec 04, 2025

When you set up a disaster recovery instance group for ApsaraDB RDS for SQL Server for the first time, you must create a default role named AliyunDTSDefaultRole. Then, grant the AliyunDTSRolePolicy system policy to this role. This allows Data Transfer Service (DTS) to access your ApsaraDB RDS (RDS) and DTS cloud resources to set up and manage the disaster recovery instance group. This authorization is required for the RDS disaster recovery service to function and does not affect the performance of the RDS instance.

Note

If you log on to the Resource Access Management (RAM) console with an Alibaba Cloud account and find that the account already has the required permission, you can skip the steps in this topic and start setting up the disaster recovery instance group.

Prerequisites

  • You have registered an Alibaba Cloud account.

  • You must use an Alibaba Cloud account to grant the authorization.

Policy description

The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to manage multiple cloud resources such as ApsaraDB for RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch. For more information, see AliyunDTSRolePolicy.

Note

For more information about policies, see Policy structure and syntax.

Method 1: Grant permissions using a quick authorization link (Recommended)

Go to the quick authorization page for AliyunDTSDefaultRole using your Alibaba Cloud account. In the dialog box that appears, click Authorize. If a success message is displayed, the authorization is complete.

Method 2: Grant permissions in the RAM console

  1. Find the default role.

    1. Log on to the RAM console.

    2. Optional: In the left-side navigation pane, choose Identities > Roles.

    3. In the text box next to Create Role, enter AliyunDTSDefaultRole, and click the search icon.

      Note

      If the role AliyunDTSDefaultRole is not found, we recommend that you use Method 1 of this topic for authorization.

  2. Click the role name in the search results.

  3. Grant the required permissions to the RAM role.

    1. On the Permissions tab, click Precise Permission.

    2. Optional: In the Precise Permission panel, select System Policy for the Type parameter.

    3. In the Policy Name field, enter AliyunDTSRolePolicy.

    4. Click OK.

      To verify the authorization, click the refresh icon on the right side of the Permissions tab.

  4. After the required permissions are granted, click Close.

View the authorization result

Note

You can perform the following steps to check whether the default role was authorized successfully.

  1. Log on to the RAM console.

  2. Optional: In the left-side navigation pane, choose Identities > Roles.

  3. In the text box next to Create Role, enter AliyunDTSDefaultRole, and click the search icon.

  4. Click the role name in the search results.

  5. Click AliyunDTSDefaultRole to view the details.

    • If both of the following conditions are met, the authorization is successful:

      • On the Trust Policy tab, dts.aliyuncs.com is included in the Service field.

      • On the Permissions tab, the AliyunDTSRolePolicy policy exists.

    • If either of the preceding conditions is not met, the authorization has failed. You must grant the permissions again.

      Delete the role AliyunDTSDefaultRole, and then authorize again.

      Note
      • We recommend that you use Method 1 of this topic for authorization.

      • For more information about how to delete a RAM role, see Delete a RAM role.
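
The two conditions in "View the authorization result" can also be checked against the RAM API output instead of the console. The following Python sketch is an added example, not part of the original documentation. It assumes you have the JSON responses of the RAM operations GetRole and ListPoliciesForRole for AliyunDTSDefaultRole; the function name check_dts_role and the sample responses are constructed for illustration. It goes one step beyond the console check by also listing any principal other than dts.aliyuncs.com that the trust policy allows to assume the role.

```python
import json

SERVICE = "dts.aliyuncs.com"
POLICY = "AliyunDTSRolePolicy"

def _as_list(value):
    # Policy fields may hold one string or a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_dts_role(get_role_json, list_policies_json):
    """Return (ok, findings); ok is True only if both conditions hold."""
    role = json.loads(get_role_json)["Role"]
    trust = role["AssumeRolePolicyDocument"]
    if isinstance(trust, str):  # assumed: document arrives as a JSON string
        trust = json.loads(trust)
    trusted = set()
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") == "Allow":
            for kind, names in stmt.get("Principal", {}).items():
                trusted.update((kind, n) for n in _as_list(names))
    policies = json.loads(list_policies_json)["Policies"]["Policy"]
    trust_ok = ("Service", SERVICE) in trusted
    policy_ok = any(p["PolicyName"] == POLICY for p in policies)
    findings = []
    if not trust_ok:
        findings.append(f"trust policy lacks Service {SERVICE}")
    if not policy_ok:
        findings.append(f"{POLICY} is not attached")
    # Extra trusted principals can also assume the role; report them for review.
    for kind, name in sorted(trusted - {("Service", SERVICE)}):
        findings.append(f"also trusted: {kind} {name}")
    return trust_ok and policy_ok, findings

# Constructed sample responses (not real account data).
def _role(principal):
    doc = {"Version": "1", "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": principal}]}
    return json.dumps({"Role": {"RoleName": "AliyunDTSDefaultRole",
                                "AssumeRolePolicyDocument": json.dumps(doc)}})

GOOD_ROLE = _role({"Service": ["dts.aliyuncs.com"]})
BAD_ROLE = _role({"Service": "ecs.aliyuncs.com", "RAM": ["acs:ram::<account-id>:root"]})
GOOD_POLICIES = json.dumps({"Policies": {"Policy": [
    {"PolicyName": "AliyunDTSRolePolicy", "PolicyType": "System"}]}})
NO_POLICIES = json.dumps({"Policies": {"Policy": []}})

if __name__ == "__main__":
    print(check_dts_role(GOOD_ROLE, GOOD_POLICIES))
    print(check_dts_role(BAD_ROLE, NO_POLICIES))
```

An empty findings list with ok set to True corresponds to the successful case described above; any "also trusted" entry is worth reviewing even when both conditions pass.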

Next step

Create a disaster recovery RDS instance