Peran terkait layanan DMS - Data Management

Topik ini menjelaskan skenario penggunaan Data Management (DMS) dan Pemulihan Bencana Data peran terkait layanan (AliyunServiceRoleForDMS dan AliyunServiceRoleForDBS). Topik ini juga menjelaskan cara menghapus peran terkait layanan.

Informasi latar belakang

Peran terkait layanan adalah Resource Access Management (RAM) role. Untuk informasi lebih lanjut, lihat Ikhtisar peran RAM. Peran ini memungkinkan DMS untuk mengakses layanan cloud lainnya serta mengimplementasikan fitur tertentu dalam berbagai skenario. Untuk detail lebih lanjut, lihat Peran terkait layanan.

Skenario

DMS

Anda dapat menggunakan peran terkait layanan DMS untuk mengizinkan fitur-fitur tertentu dari DMS mengakses instance Elastic Compute Service (ECS), Virtual Private Clouds (VPC), instance ApsaraDB RDS, serta sumber daya terkait berbagai database dan alat.

Pemulihan Bencana Data

Peran AliyunServiceRoleForDBS adalah peran RAM yang memungkinkan Pemulihan Bencana Data untuk mengakses layanan cloud lainnya. Sebelum Pemulihan Bencana Data dapat mengakses database Alibaba Cloud seperti instance ApsaraDB RDS, instance ApsaraDB for MongoDB, instance Tair (Redis OSS-compatible), dan database PolarDB, atau database yang dikelola sendiri yang di-hosting pada instance ECS, peran AliyunServiceRoleForDBS harus ditetapkan ke Pemulihan Bencana Data. Untuk informasi lebih lanjut, lihat Peran Terkait Layanan.

Peran terkait layanan

AliyunServiceRoleForDMS

Nama Peran: AliyunServiceRoleForDMS.

Nama Kebijakan: AliyunServiceRolePolicyForDMS.

Deskripsi Izin: Peran terkait layanan memungkinkan DMS untuk mengakses instance ECS, VPC, instance ApsaraDB RDS, serta sumber daya terkait berbagai database dan alat.

Operasi yang dapat dilakukan:

Kueri detail ApsaraDB RDS, PolarDB, Lindorm, dan sumber daya database lainnya untuk mengelola database Alibaba Cloud.
Kueri detail instance ECS dan VPC untuk mengelola database yang dikelola sendiri yang di-hosting pada instance ECS dan Internet.
Gunakan layanan Alibaba Cloud seperti Data Transmission Service (DTS) dan Pemulihan Bencana Data untuk mengelola data secara terpusat.

Dokumen Kebijakan

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:DescribeImages",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeRegions",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceAttribute",
                "ecs:CreateCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocationResults"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/dms": "script-for-dms"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:command/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstanceHAConfig",
                "rds:DescribeBinlogFiles",
                "rds:DescribeDBInstancePerformance",
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeSlowLogs",
                "rds:DescribeSlowLogRecords",
                "rds:DescribeSQLCollectorPolicy",
                "rds:ModifySQLCollectorPolicy",
                "rds:DescribeSQLLogRecords",
                "rds:DescribeSQLLogFiles",
                "rds:DescribeResourceUsage",
                "rds:DescribeRegions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "rds:ModifyBackupPolicy",
                "rds:DescribeSecurityGroupConfiguration",
                "rds:DescribeDBInstanceEncryptionKey",
                "rds:DescribeDBInstanceTDE",
                "rds:DescribeDBInstanceSSL",
                "rds:DescribeCrossRegionBackupDBInstance",
                "rds:DescribeSQLCollectorRetention",
                "rds:TagResources",
                "rds:UntagResources",
                "rds:ListTagResources",
                "rds:DescribeDBInstanceByTags",
                "rds:DescribeDatabases"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeSecurityIps",
                "dds:ModifySecurityIps",
                "dds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeRegions",
                "kvstore:DescribeInstances",
                "kvstore:DescribeInstanceAttribute",
                "kvstore:DescribeInstanceConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstances",
                "drds:QueryInstanceInfoByConn",
                "drds:DescribeDrdsInstanceList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsInstanceVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusters",
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeMaskingRules",
                "polardb:ModifyMaskingRules",
                "polardb:DeleteMaskingRules",
                "polardb:DescribeDBClusterVersion",
                "polardb:DescribeDBClusterAuditLogCollector"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeBinaryLogList",
                "polardbx:DescribeDBInstanceViaEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstances",
                "petadata:DescribeInstanceInfoByConnection",
                "petadata:DescribeSecurityIPs",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hdm:AccessHDMInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:CreateMigrationJob",
                "dts:ConfigureMigrationJob",
                "dts:StartMigrationJob",
                "dts:StopMigrationJob",
                "dts:DescribeMigrationJobStatus",
                "dts:DescribeMigrationJobDetail",
                "dts:CreateSynchronizationJob",
                "dts:ConfigureSynchronizationJob",
                "dts:StartSynchronizationJob",
                "dts:SuspendSynchronizationJob",
                "dts:DescribeSynchronizationJobStatus",
                "dts:ShieldPrecheck",
                "dts:CreateDtsInstance",
                "dts:ConfigureDtsJob",
                "dts:StartDtsJob",
                "dts:ModifyDtsJob",
                "dts:StopDtsJob",
                "dts:DescribeDtsJobDetail",
                "dts:DescribeDtsJobs",
                "dts:ConfigureEtlJob",
                "dts:SaveEtlJob",
                "dts:SuspendDtsJob",
                "dts:DeleteDtsJob",
                "dts:ModifyDtsJobName",
                "dts:SkipPreCheck",
                "dts:DescribeDtsEtlJobVersionInfo",
                "dts:DescribeEtlJobLogs",
                "dts:PreviewSql",
                "dts:DescribePreCheckStatus",
                "dts:DescribeDtsJobLogs",
                "dts:DescribeJobMonitorRule",
                "dts:CreateJobMonitorRule",
                "dts:DescribeConfigRelations",
                "dts:DescribeFormInfo",
                "dts:DescribeDmsInstanceDetail",
                "dts:DescribeSchemaList",
                "dts:DescribeColumns",
                "dts:DescribeStruct",
                "dts:DescribeDtsInstancePrice",
                "dts:DescribeRegions",
                "dts:DescribeInstanceInventory",
                "dts:CreateCheckJob",
                "dts:DescribeCheckJobDiffDetails",
                "dts:EtlMockData",
                "dts:EtlMockResult",
                "dts:DescribeCheckJobStatus",
                "dts:DescribeDtsJobStatistics",
                "dts:Ping",
                "dts:DescribeUploadPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "apigateway:CreateApiGroup",
                "apigateway:ModifyApiGroup",
                "apigateway:DeleteApiGroup",
                "apigateway:DescribeApiGroups",
                "apigateway:CreateApi",
                "apigateway:ModifyApi",
                "apigateway:DeployApi",
                "apigateway:AbolishApi",
                "apigateway:DeleteApi",
                "apigateway:DescribeApi",
                "apigateway:DescribeApis",
                "apigateway:CreateApp",
                "apigateway:ModifyApp",
                "apigateway:DeleteApp",
                "apigateway:DescribeAppSecurity",
                "apigateway:ResetAppCode",
                "apigateway:ResetAppSecret",
                "apigateway:DescribeAppAttributes",
                "apigateway:SetApisAuthorities",
                "apigateway:DescribeAuthorizedApps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserGateways",
                "dg:GetUserDatabases",
                "dg:GetUserGatewayInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "openanalytics:QueryBucketList",
                "openanalytics:QueryDirectoryList",
                "openanalytics:ListVirtualClusters",
                "openanalytics:SubmitSparkJob",
                "openanalytics:KillSparkJob",
                "openanalytics:GetJobLog",
                "openanalytics:GetJobDetail",
                "openanalytics:GetJobStatus",
                "openanalytics:ExecuteService",
                "openanalytics:QueryService",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs:DescribeBackupPlanList",
                "dbs:DescribeFullBackupList",
                "dbs:CreateBackupPlan",
                "dbs:ConfigureBackupPlan",
                "dbs:ModifyBackupObjects",
                "dbs:StartBackupPlan",
                "dbs:ModifyBackupSourceEndpoint",
                "dbs:StartTask",
                "dbs:StopBackupPlan",
                "dbs:CreateRestoreTask",
                "dbs:StartRestoreTask",
                "dbs:DescribeRestoreTaskList",
                "dbs:DescribeRestoreRangeInfo",
                "dbs:CreateDLAService",
                "dbs:DescribeDLAService",
                "dbs:CloseDLAService",
                "dbs:CreateAndStartBackupPlan",
                "dbs:DescribeFullBackupSet",
                "dbs:DescribeDataSourceQueryableAttribute",
                "dbs:DescribeDataSourceQueryableAttributeDetail",
                "dbs:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oceanbase:DescribeAllTenantsConnectionInfo",
                "oceanbase:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dms.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "hbase:DescribeInstances",
                "hbase:DescribeInstance",
                "hbase:DescribeEndpoints",
                "hbase:DescribeIpWhitelist",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cassandra:DescribeClusters",
                "cassandra:DescribeCluster",
                "cassandra:DescribeDataCenters",
                "cassandra:DescribeIpWhitelistGroups",
                "cassandra:ModifyIpWhitelistGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceList",
                "lindorm:GetLindormInstance",
                "lindorm:GetLindormInstanceEngineList",
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:GetLindormInstanceForDMSByConnStr",
                "lindorm:GetInstanceIpWhiteList",
                "lindorm:UpdateInstanceIpWhiteList",
                "lindorm:CreateComputeEngineJob",
                "lindorm:GetComputeEngineJobDetail",
                "lindorm:GetComputeEngineJobLog",
                "lindorm:ReleaseLindormComputeJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:CreateDBCluster",
                "adb:CreateAccount",
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterNetInfo",
                "adb:SubmitSparkApp",
                "adb:KillSparkApp",
                "adb:ListSparkApps",
                "adb:GetSparkAppLog",
                "adb:GetSparkAppInfo",
                "adb:GetSparkAppState",
                "adb:GetSparkAppAttemptLog",
                "adb:GetSparkAppWebUiAddress",
                "adb:ListSparkAppAttempts",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeDBResourceGroup",
                "adb:ExecuteSparkWarehouseBatchSQL",
                "adb:CancelSparkWarehouseBatchSQL",
                "adb:GetSparkWarehouseBatchSQL"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstances",
                "gpdb:ResumeInstance",
                "gpdb:PauseInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hologram:GetInstance",
                "hologram:ListInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gdb:DescribeDbInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oss:ListBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "selectdb:DescribeDBInstances",
                "selectdb:DescribeDBInstanceAttribute",
                "selectdb:DescribeDBInstanceNetInfo",
                "selectdb:DescribeSecurityIPList",
                "selectdb:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBInstances",
                "clickhouse:DescribeDBInstanceAttribute",
                "clickhouse:DescribeEndpoints",
                "clickhouse:DescribeSecurityIPList",
                "clickhouse:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sr:ListInstances",
                "sr:GetInstanceDetail",
                "sr:DescribeRegions",
                "sr:GetDmsConnectionInfo",
                "sr:GetNetworkMappingIp"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs-inner:DescribeDataSourceQueryableAttribute",
                "dbs-inner:DescribeDataSourceQueryableAttributeDetail",
                "dbs-inner:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:ListSecrets",
                "kms:GetSecretValue",
                "kms:Decrypt",
                "kms:ListKmsInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:CreateAccount",
                "rds:DeleteAccount",
                "rds:ResetAccountPassword",
                "rds:GrantAccountPrivilege",
                "rds:RevokeAccountPrivilege",
                "rds:CheckAccountNameAvailable"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:tag/dms": "account-management"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

AliyunServiceRoleForDBS

Nama Peran: AliyunServiceRoleForDBS

Nama Kebijakan: AliyunServiceRolePolicyForDBS

Deskripsi Izin: Peran terkait layanan memungkinkan Pemulihan Bencana Data untuk terhubung ke database Alibaba Cloud yang Anda beli, seperti instance ApsaraDB RDS, instance ApsaraDB for MongoDB, instance Tair (Redis OSS-compatible), dan database PolarDB, atau database yang dikelola sendiri yang di-hosting pada instance ECS.

Dokumen Kebijakan

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceNetInfoForChannel",
        "rds:DescribeTasks",
        "rds:DescribeDBInstances",
        "rds:DescribeFilesForSQLServer",
        "rds:DescribeImportsForSQLServer",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeBinlogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeParameters",
        "rds:DescribeParameterTemplates",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDatabases",
        "rds:DescribeAccounts",
        "rds:DescribeSecurityIPList",
        "rds:DescribeSecurityIps",
        "rds:DescribeDBInstanceIPArray",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:CreateDBInstance",
        "rds:CreateAccount",
        "rds:CreateDatabase",
        "rds:ModifySecurityIps",
        "rds:GrantAccountPrivilege",
        "rds:CreateMigrateTask",
        "rds:CreateOnlineDatabaseTask",
        "rds:DescribeMigrateTasks",
        "rds:DescribeOssDownloads",
        "rds:CreateBackup",
        "rds:DescribeBackups",
        "rds:DescribeBackupPolicy",
        "rds:ModifyBackupPolicy",
        "rds:DescribeBackupTasks",
        "rds:DescribeBinlogFiles",
        "rds:DescribeResourceUsage",
        "rds:DescribeAvailableZones",
        "rds:DescribeAvailableClasses",
        "rds:ListClasses",
        "rds:CreateDdrInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstance",
        "ecs:DescribeInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeSnapshots",
        "ecs:ModifySnapshotAttribute",
        "ecs:ResizeDisk",
        "ecs:CreateSecurityGroup",
        "ecs:ModifySecurityGroupPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:PutEventRule",
        "cms:PutEventTargets",
        "cms:ListEventRules",
        "cms:ListEventTargetsByRule",
        "cms:DeleteEventRule",
        "cms:DeleteEventTargets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterIPArrayList",
        "polardb:DescribeDBClusterNetInfo",
        "polardb:DescribeDBClusters",
        "polardb:ModifySecurityIps",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeShardingNetworkAddress",
        "dds:DescribeSecurityIps",
        "dds:DescribeDBInstances",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:DescribeInstances",
        "kvstore:DescribeAccounts",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:CreateAccount",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:AllocateInstancePrivateConnection",
        "kvstore:DescribeLogicInstanceTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsDB",
        "drds:DescribeDrdsDBs",
        "drds:DescribeDrdsDbInstance",
        "drds:DescribeDrdsDbInstances",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:DescribeDrdsInstances",
        "drds:ModifyDrdsIpWhiteList",
        "drds:CreateDrdsDB",
        "drds:DescribeTable",
        "drds:DescribeTables",
        "drds:ModifyRdsReadWeight",
        "drds:ChangeAccountPassword",
        "drds:CreateDrdsInstance",
        "drds:CreateInstanceInternetAddress",
        "drds:DescribeInstanceAccounts",
        "drds:DescribeBackupSets",
        "drds:DescribeDbInstances",
        "drds:DescribeDrdsCrossRegionBackups",
        "drds:DescribeCrossBackupMetadata",
        "drds:RegisterCrossRegionBackupSet",
        "drds:DeleteCrossRegionBackupSet",
        "drds:DescribeDrdsRdsInstances",
        "drds:CreateDrdsCrossInstance",
        "drds:DescribeDrdsInstanceLevelTasks"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "privatelink:CreateVpcEndpoint",
        "privatelink:ListVpcEndpoints",
        "privatelink:AddZoneToVpcEndpoint",
        "privatelink:ListVpcEndpointZones",
        "privatelink:RemoveZoneFromVpcEndpoint",
        "privatelink:GetVpcEndpointAttribute",
        "privatelink:DeleteVpcEndpoint"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bssapi:QueryResourcePackageInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "hdm:AddHDMInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dbs.aliyuncs.com"
        }
      }
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "privatelink.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "dg:GetUserGateways",
        "dg:GetUserDatabases",
        "dg:AddDatabase",
        "dg:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Izin yang diperlukan untuk membuat peran terkait layanan

DMS

Pengguna RAM Anda harus memiliki izin yang diperlukan sebelum peran AliyunServiceRoleForDMS dapat dibuat untuk DMS.

Jika pengguna RAM Anda tidak memiliki izin yang diperlukan, Anda harus menambahkan kebijakan berikut dan memberikan izin kepada pengguna RAM. Untuk informasi lebih lanjut, lihat Buat Kebijakan Kustom dan Berikan Izin kepada Pengguna RAM.

Berikut adalah kode yang menunjukkan kebijakan yang mengizinkan pengguna RAM yang berwenang untuk membuat peran AliyunServiceRoleForDMS untuk DMS:

{
  "Action":"ram:CreateServiceLinkedRole",
  "Resource":"*",
  "Effect":"Allow",
  "Condition":{
    "StringEquals":{
    "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Pemulihan Bencana Data

Pengguna RAM Anda harus memiliki izin yang diperlukan sebelum peran AliyunServiceRoleForDBS dapat dibuat untuk Pemulihan Bencana Data.

Berikut adalah kode yang menunjukkan kebijakan yang mengizinkan pengguna RAM yang berwenang untuk membuat peran AliyunServiceRoleForDBS untuk Pemulihan Bencana Data:

{
  "Action":"ram:CreateServiceLinkedRole",
  "Resource":"*",
  "Effect":"Allow",
  "Condition":{
    "StringEquals":{
    "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Buat peran terkait layanan

DMS

Jika pengguna RAM Anda sudah memiliki izin yang diperlukan untuk membuat peran AliyunServiceRoleForDMS untuk DMS, Anda dapat masuk ke konsol DMS dan klik OK di kotak dialog DMS Service-linked Role. Dengan cara ini, sistem akan secara otomatis membuat peran AliyunServiceRoleForDMS untuk DMS. Untuk informasi lebih lanjut, lihat bagian Buat Peran Terkait Layanan dari topik "Peran Terkait Layanan".

Pemulihan Bencana Data

Saat Anda menggunakan Pemulihan Bencana Data untuk pertama kali, sistem secara otomatis membuat peran AliyunServiceRoleForDBS. Sebelum Anda menggunakan Pemulihan Bencana Data, Anda harus menetapkan peran AliyunServiceRoleForDBS kepada Pemulihan Bencana Data untuk memastikan bahwa Pemulihan Bencana Data memiliki izin untuk mengakses database Anda.

Lihat detail peran terkait layanan

DMS

Setelah peran AliyunServiceRoleForDMS dibuat untuk DMS, Anda dapat melihat detail peran di konsol RAM, termasuk informasi dasar, kebijakan kepercayaan, dan kebijakan izin (AliyunServiceRolePolicyForDMS) dari peran tersebut.

Masuk ke konsol RAM.
Di panel navigasi sisi kiri, pilih Identities > Roles.
Di halaman Roles, cari peran AliyunServiceRoleForDBS lalu klik namanya.
Lihat informasi dasar peran.
Di bagian Basic Information halaman detail peran, lihat informasi peran termasuk nama peran, waktu pembuatan, dan Nama Sumber Daya Alibaba Cloud (ARN).
Lihat kebijakan kepercayaan peran.
Di halaman detail peran, klik tab Trust Policy untuk melihat nilai bidang Service. Nilai tersebut menunjukkan layanan cloud yang dapat mengasumsikan peran. Contoh: Service": ["dms.aliyuncs.com"].
Lihat izin yang diberikan kepada peran.
1. Di halaman detail peran, klik tab Permissions.
2. Temukan kebijakan AliyunServiceRolePolicyForDMS dan klik namanya.
3. Di tab Policy Document halaman yang muncul, lihat isi kebijakan.
Catatan
Anda tidak dapat langsung melihat izin yang diberikan kepada peran terkait layanan di halaman Kebijakan konsol RAM.

Pemulihan Bencana Data

Setelah peran AliyunServiceRoleForDBS dibuat untuk Pemulihan Bencana Data, Anda dapat melihat detail peran di konsol RAM, termasuk informasi dasar, kebijakan kepercayaan, dan kebijakan izin peran tersebut.

Masuk ke konsol RAM.
Di panel navigasi sisi kiri, pilih Identities > Roles.
Di halaman Roles, cari peran AliyunServiceRoleForDBS dan klik namanya.
Lihat informasi dasar peran.
Di bagian Basic Information halaman detail peran, lihat informasi peran termasuk nama peran, waktu pembuatan, dan Nama Sumber Daya Alibaba Cloud (ARN).
Lihat kebijakan kepercayaan peran.
Di halaman detail peran, klik tab Trust Policy untuk melihat nilai bidang Service. Nilai tersebut menunjukkan layanan cloud yang dapat mengasumsikan peran. Contoh: "Service": ["dbs.aliyuncs.com"].
Lihat kebijakan izin (AliyunServiceRolePolicyForDBS) peran.
1. Di halaman detail peran, klik tab Permissions.
2. Temukan kebijakan AliyunServiceRolePolicyForDBS, lalu klik namanya.
3. Di tab Policy Document halaman yang muncul, lihat isi kebijakan.
Catatan
Anda tidak dapat langsung melihat izin yang diberikan kepada peran terkait layanan di halaman Kebijakan konsol RAM.

Hapus peran terkait layanan

DMS

Sebelum Anda menghapus peran AliyunServiceRoleForDMS, Anda harus menghapus semua instance dari daftar instance di konsol DMS. Untuk informasi lebih lanjut tentang cara menghapus instance dan menghapus peran terkait layanan, lihat Hapus Satu atau Lebih Instance dan Hapus Peran Terkait Layanan.

Pemulihan Bencana Data

Anda dapat menghapus peran AliyunServiceRoleForDBS secara manual di konsol RAM. Untuk informasi lebih lanjut, lihat Hapus Peran RAM.