在您第一次使用DTS时,需要您将名称为AliyunDTSDefaultRole的默认角色授权给DTS使用。经过授权后,DTS可访问当前云账号下的RDS、ECS等云资源,在执行数据迁移、同步或订阅任务的配置时可调用相关云资源信息。
注意事项
如果使用主账号登录数据传输控制台后,没有弹出提示授权的对话框,说明当前主账号已执行过授权,可跳过本文的操作。
权限策略说明
AliyunDTSDefaultRole权限策略是DTS服务默认角色的授权策略,包含RDS、ECS、PolarDB、MongoDB、Redis、DRDS、DataHub、Elasticsearch等云资源的部分管理权限,具体权限定义如下。
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:Describe*",
"rds:CreateDBInstance",
"rds:CreateAccount*",
"rds:CreateDataBase*",
"rds:ModifySecurityIps",
"rds:GrantAccountPrivilege"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeInstances",
"ecs:DescribeRegions",
"ecs:AuthorizeSecurityGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dhs:ListProject",
"dhs:GetProject",
"dhs:CreateTopic",
"dhs:ListTopic",
"dhs:GetTopic",
"dhs:UpdateTopic",
"dhs:ListShard",
"dhs:MergeShard",
"dhs:SplitShard",
"dhs:PutRecords",
"dhs:GetRecords",
"dhs:GetCursors"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticsearch:DescribeInstance",
"elasticsearch:ListInstance",
"elasticsearch:UpdateAdminPwd",
"elasticsearch:UpdatePublicNetwork",
"elasticsearch:UpdateBlackIps",
"elasticsearch:UpdateKibanaIps",
"elasticsearch:UpdatePublicIps",
"elasticsearch:UpdatePrivateNetworkWhiteIps",
"elasticsearch:UpdatePublicWhiteIps",
"elasticsearch:UpdateWhiteIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"drds:DescribeDrds*",
"drds:ModifyDrdsIpWhiteList",
"drds:DescribeRegions",
"drds:DescribeRdsList",
"drds:CreateDrdsDB",
"drds:CreateDrdsAccount",
"drds:DescribeShardDBs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeDBClusterIPArrayList",
"polardb:DescribeDBClusterNetInfo",
"polardb:DescribeDBClusters",
"polardb:DescribeRegions",
"polardb:DescribeDBClusterEndpoints",
"polardb:DescribeDBClusterAccessWhiteList",
"polardb:ModifyDBClusterAccessWhitelist",
"polardb:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeDBInstanceAttribute",
"dds:DescribeReplicaSetRole",
"dds:DescribeSecurityIps",
"dds:DescribeDBInstances",
"dds:ModifySecurityIps",
"dds:DescribeShardingNetworkAddress",
"dds:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:DescribeSecurityIps",
"kvstore:DescribeInstances",
"kvstore:DescribeRegions",
"kvstore:ModifySecurityIps",
"kvstore:DescribeAccounts",
"kvstore:CreateAccount",
"kvstore:DescribeDBInstanceNetInfoForInner",
"kvstore:DescribeDBInstanceNetInfo",
"kvstore:AllocateInstancePrivateConnection"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"petadata:DescribeInstanceInfo",
"petadata:DescribeSecurityIPs",
"petadata:DescribeInstances",
"petadata:ModifySecurityIPs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"adb:DescribeDBClusters",
"adb:DescribeDBClusterAttribute",
"adb:DescribeRegions",
"adb:DescribeDBClusterNetInfo",
"adb:DescribeDBClusterAccessWhiteList",
"adb:ModifyDBClusterAccessWhiteList",
"adb:DescribeDBClusterPerformance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gpdb:DescribeDBInstanceAttribute",
"gpdb:DescribeDBInstances",
"gpdb:DescribeRegions",
"gpdb:DescribeDBInstanceIPArrayList",
"gpdb:DescribeDBClusterIPArrayList",
"gpdb:ModifySecurityIps",
"gpdb:DescribeDBInstanceNetInfo",
"gpdb:DescribeDBClusterPerformance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"clickhouse:DescribeRegions",
"clickhouse:DescribeDBClusters",
"clickhouse:DescribeDBClusterAttribute",
"clickhouse:DescribeDBClusterNetInfoItems",
"clickhouse:DescribeDBClusterAccessWhiteList",
"clickhouse:ModifyDBClusterAccessWhiteList",
"clickhouse:DescribeAllDataSource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ots:ListInstance",
"ots:GetInstance",
"ots:GetRow",
"ots:PutRow",
"ots:UpdateRow",
"ots:DeleteRow",
"ots:BatchWriteRow",
"ots:BulkImport",
"ots:CreateTable",
"ots:DescribeTable",
"ots:ListTable"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dg:GetUserDatabases",
"dg:GetUserGateways"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cen:DeleteRouteServiceInCen",
"cen:DescribeCenAttachedChildInstances",
"cen:DescribeCens",
"cen:DescribeRouteServicesInCen",
"cen:ResolveAndRouteServiceInCen"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardbx:DescribeDBInstances",
"polardbx:DescribeDBInstanceAttribute",
"polardbx:DescribeSecurityIps",
"polardbx:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dms:GetUserActiveTenant",
"dms:GetInstance",
"dms:GetLogicDatabase",
"dms:ListLogicDatabases",
"dms:GetDBTopology",
"dms:ListLogicTables",
"dms:GetTableDBTopology"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVpcAttribute"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
说明 更多关于权限策略的介绍,请参见权限策略语法和结构。
操作步骤
- 在弹出的提示对话框中,单击前往RAM角色授权。
说明 您也可以执行如下操作进行授权:- 登录RAM访问控制台。
- 在创建角色右侧输入AliyunActionTrailDefaultRole并搜索。
- 在目标行的操作列,单击精确授权。
- 在添加权限界面输入策略名称下方,输入AliyunDTSRolePolicy。
- 单击确认。
- 在弹出的云资源访问授权对话框中,单击同意授权。
