首次使用DTS时,您需要将名为AliyunDTSDefaultRole的默认角色授权给DTS。授权后,DTS可访问当前云账号下的RDS、ECS等云资源,并在配置数据迁移、同步或订阅任务时调用相关云资源信息。
注意事项
如果使用主账号登录数据传输控制台后,没有弹出提示授权的对话框,说明当前主账号已执行过授权,可跳过本文的操作。
权限策略说明
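AliyunDTSDefaultRole权限策略是DTS服务默认角色的授权策略,包含RDS、ECS、PolarDB、MongoDB、Redis、DRDS、DataHub、Elasticsearch等云资源的部分管理权限。该策略并非只读:除Describe、List、Get类查询操作外,还包含创建实例和账号、修改IP白名单、安全组授权等写操作(例如rds:CreateDBInstance、rds:CreateAccount*、rds:ModifySecurityIps、ecs:AuthorizeSecurityGroup、elasticsearch:UpdateAdminPwd、ots:DeleteRow),且每条语句的Resource均为"*",即对当前云账号下对应服务的全部资源生效。具体权限定义如下。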
{ "Version": "1", "Statement": [ { "Action": [ "rds:Describe*", "rds:CreateDBInstance", "rds:CreateAccount*", "rds:CreateDataBase*", "rds:ModifySecurityIps", "rds:GrantAccountPrivilege" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ecs:DescribeSecurityGroupAttribute", "ecs:DescribeInstances", "ecs:DescribeRegions", "ecs:AuthorizeSecurityGroup" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dhs:ListProject", "dhs:GetProject", "dhs:CreateTopic", "dhs:ListTopic", "dhs:GetTopic", "dhs:UpdateTopic", "dhs:ListShard", "dhs:MergeShard", "dhs:SplitShard", "dhs:PutRecords", "dhs:GetRecords", "dhs:GetCursors" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "elasticsearch:DescribeInstance", "elasticsearch:ListInstance", "elasticsearch:UpdateAdminPwd", "elasticsearch:UpdatePublicNetwork", "elasticsearch:UpdateBlackIps", "elasticsearch:UpdateKibanaIps", "elasticsearch:UpdatePublicIps", "elasticsearch:UpdatePrivateNetworkWhiteIps", "elasticsearch:UpdatePublicWhiteIps", "elasticsearch:UpdateWhiteIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "drds:DescribeDrds*", "drds:ModifyDrdsIpWhiteList", "drds:DescribeRegions", "drds:DescribeRdsList", "drds:CreateDrdsDB", "drds:CreateDrdsAccount", "drds:DescribeShardDBs" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "polardb:DescribeDBClusterIPArrayList", "polardb:DescribeDBClusterNetInfo", "polardb:DescribeDBClusters", "polardb:DescribeRegions", "polardb:DescribeDBClusterEndpoints", "polardb:DescribeDBClusterAccessWhiteList", "polardb:ModifyDBClusterAccessWhitelist", "polardb:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dds:DescribeDBInstanceAttribute", "dds:DescribeReplicaSetRole", "dds:DescribeSecurityIps", "dds:DescribeDBInstances", "dds:ModifySecurityIps", "dds:DescribeShardingNetworkAddress", "dds:DescribeRegions" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kvstore:DescribeSecurityIps", "kvstore:DescribeInstances", "kvstore:DescribeRegions", 
"kvstore:ModifySecurityIps", "kvstore:DescribeAccounts", "kvstore:CreateAccount", "kvstore:DescribeDBInstanceNetInfoForInner", "kvstore:DescribeDBInstanceNetInfo", "kvstore:AllocateInstancePrivateConnection" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "petadata:DescribeInstanceInfo", "petadata:DescribeSecurityIPs", "petadata:DescribeInstances", "petadata:ModifySecurityIPs" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "adb:DescribeDBClusters", "adb:DescribeDBClusterAttribute", "adb:DescribeRegions", "adb:DescribeDBClusterNetInfo", "adb:DescribeDBClusterAccessWhiteList", "adb:ModifyDBClusterAccessWhiteList", "adb:DescribeDBClusterPerformance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "gpdb:DescribeDBInstanceAttribute", "gpdb:DescribeDBInstances", "gpdb:DescribeRegions", "gpdb:DescribeDBInstanceIPArrayList", "gpdb:DescribeDBClusterIPArrayList", "gpdb:ModifySecurityIps", "gpdb:DescribeDBInstanceNetInfo", "gpdb:DescribeDBClusterPerformance" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "clickhouse:DescribeRegions", "clickhouse:DescribeDBClusters", "clickhouse:DescribeDBClusterAttribute", "clickhouse:DescribeDBClusterNetInfoItems", "clickhouse:DescribeDBClusterAccessWhiteList", "clickhouse:ModifyDBClusterAccessWhiteList", "clickhouse:DescribeAllDataSource" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ots:ListInstance", "ots:GetInstance", "ots:GetRow", "ots:PutRow", "ots:UpdateRow", "ots:DeleteRow", "ots:BatchWriteRow", "ots:BulkImport", "ots:CreateTable", "ots:DescribeTable", "ots:ListTable" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dg:GetUserDatabases", "dg:GetUserGateways" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cen:DeleteRouteServiceInCen", "cen:DescribeCenAttachedChildInstances", "cen:DescribeCens", "cen:DescribeRouteServicesInCen", "cen:ResolveAndRouteServiceInCen" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "polardbx:DescribeDBInstances", 
"polardbx:DescribeDBInstanceAttribute", "polardbx:DescribeSecurityIps", "polardbx:ModifySecurityIps" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "dms:GetUserActiveTenant", "dms:GetInstance", "dms:GetLogicDatabase", "dms:ListLogicDatabases", "dms:GetDBTopology", "dms:ListLogicTables", "dms:GetTableDBTopology" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "vpc:DescribeVpcs", "vpc:DescribeVpcAttribute" ], "Resource": "*", "Effect": "Allow" } ] }
说明:关于权限策略的更多介绍,请参见权限策略语法和结构。