Data Integration supports the RAM role authorization mode. This topic describes how DataWorks obtains the list of RAM roles related to Data Integration, how to delete the service-linked roles, and the permissions a RAM user (sub-account) needs in order to create those roles.

Scenarios

When you create a DataWorks data source in RAM role authorization mode, you select a custom RAM role that DataWorks assumes to access the data source, for example OSS.

To obtain the list of RAM roles related to DataWorks Data Integration, from which you make that selection, you must authorize DataWorks to create the service-linked role AliyunServiceRoleForDataWorksDI.

You must also authorize DataWorks to create the role AliyunDIDefaultRole so that DataWorks Data Integration can call the OpenAPI operations of the relevant data source services.

About AliyunServiceRoleForDataWorksDI

  • Role name: AliyunServiceRoleForDataWorksDI
  • Policy attached to the role: AliyunServiceRolePolicyForDataWorksDI
  • Permission description: allows DataWorks to list and read the RAM roles in the current account (ram:ListRoles and ram:GetRole on every role), from which it presents the roles related to Data Integration.
  • Purpose of the permission: to enumerate the RAM roles related to DataWorks Data Integration. The policy contains no write actions.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:ListRoles",
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

About AliyunDIDefaultRole

  • Role name: AliyunDIDefaultRole
  • Policy attached to the role: AliyunDIRolePolicy
  • Permission description: allows DataWorks to access resources of other Alibaba Cloud services in the current account. It includes partial management permissions on RDS, Redis (kvstore), MongoDB (dds), PolarDB-X (drds), HybridDB for MySQL (petadata), AnalyticDB for PostgreSQL (gpdb), PolarDB, DMS, and DLF. Note that every statement applies to Resource "*" and that, besides Describe/List/Get actions, the policy grants write actions: modifying instance IP whitelists (rds:ModifySecurityIps, rds:ModifySecurityGroupConfiguration, kvstore:ModifySecurityIps, dds:ModifySecurityIps, drds:ModifyDrdsIpWhiteList, petadata:ModifySecurityIPs, gpdb:ModifySecurityIps, polardb:ModifyDBClusterAccessWhitelist), dms:ExecuteScript, and creating or updating DLF databases, tables, and partitions. Treat the role accordingly when reviewing who can assume it.
  • Purpose of the permission: lets DataWorks access these resources during data source configuration, task configuration, and data synchronization.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstances",
        "rds:DescribeRegions",
        "rds:DescribeDatabases",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityGroupConfiguration",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeRegions",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps",
        "dds:DescribeRegions",
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsInstance",
        "drds:DescribeDrdsDbList",
        "drds:DescribeDrdsDb",
        "drds:DescribeLogicTableList",
        "drds:DescribeRegions",
        "drds:ModifyDrdsIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstanceInfo",
        "petadata:DescribeInstances",
        "petadata:DescribeDatabases",
        "petadata:DescribeTables",
        "petadata:DescribeTableInfo",
        "petadata:DescribeInstancePerformance",
        "petadata:DescribeDatabasePerformance",
        "petadata:DescribeInstanceResourceUsage",
        "petadata:DescribeDatabaseResourceUsage",
        "petadata:DescribeRegions",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstanceAttribute",
        "gpdb:DescribeDBInstances",
        "gpdb:DescribeResourceUsage",
        "gpdb:DescribeDBInstanceIPArrayList",
        "gpdb:DescribeDBClusterIPArrayList",
        "gpdb:DescribeDBInstancePerformance",
        "gpdb:DescribeDBInstanceNetInfo",
        "gpdb:DescribeRegions",
        "gpdb:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeClusterInfo",
        "polardb:DescribeDBClusterParameters",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dms:ListUsers",
        "dms:ListDatabases",
        "dms:ListLogicTables",
        "dms:GetLogicDatabase",
        "dms:SearchDatabase",
        "dms:GetMetaTableDetailInfo",
        "dms:SearchTable",
        "dms:ExecuteScript",
        "dms:ListTables",
        "dms:GetDatabase",
        "dms:ListInstances",
        "dms:GetTableDBTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:GetServiceStatus",
        "dlf:ListDatabases",
        "dlf:CreateDatabase",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:CreatePartition",
        "dlf:ListTableNames",
        "dlf:GetTable",
        "dlf:UpdateDatabase",
        "dlf:UpdateTable",
        "dlf:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
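The policy above mixes read-only Describe/List/Get actions with write actions on every instance in the account. The following script is an added example, not part of the DataWorks documentation or product code: it classifies each action in a RAM policy document by the verb prefix of its API name and reports the mutating actions that are granted on Resource "*". POLICY_EXCERPT is a constructed excerpt of the AliyunDIRolePolicy statements shown above; the functions accept the full document (or any other RAM policy) unchanged. The verb-prefix rule is an assumption about Alibaba Cloud API naming, so review anything it flags rather than treating its output as authoritative.

```python
"""Audit a RAM policy document for write actions granted on every resource.

Added example, not from the DataWorks documentation. POLICY_EXCERPT is a
constructed excerpt of the AliyunDIRolePolicy statements shown on the page.
"""
import json

# API-name prefixes that only read state. Assumption: Alibaba Cloud API
# names are verb-first, so anything else (Modify*, Create*, Update*,
# Execute*, Delete*, or a bare "*") is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Search")

# Constructed excerpt of AliyunDIRolePolicy (same shape as the full document).
POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["rds:DescribeDBInstances",
                    "rds:DescribeDBInstanceIPArrayList",
                    "rds:ModifySecurityGroupConfiguration",
                    "rds:ModifySecurityIps"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["kvstore:DescribeInstances", "kvstore:ModifySecurityIps"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["dms:ListInstances", "dms:SearchTable", "dms:ExecuteScript"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["dlf:ListDatabases", "dlf:GetTable", "dlf:CreateDatabase",
                    "dlf:CreateTable", "dlf:UpdateTable"],
         "Resource": "*", "Effect": "Allow"},
    ],
})


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """True for 'rds:DescribeDBInstances'; False for 'rds:ModifySecurityIps' or 'rds:*'."""
    _service, _sep, api = action.partition(":")
    return api.startswith(READ_ONLY_PREFIXES)


def find_mutating_actions(policy_document: str) -> dict:
    """Map service prefix -> mutating actions allowed on Resource "*"."""
    policy = json.loads(policy_document)
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # statements scoped to specific resources are not flagged here
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                service = action.partition(":")[0]
                findings.setdefault(service, []).append(action)
    return findings


def summarize(policy_document: str) -> dict:
    """Count read-only vs mutating actions across all Allow statements."""
    policy = json.loads(policy_document)
    counts = {"read_only": 0, "mutating": 0}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            counts["read_only" if is_read_only(action) else "mutating"] += 1
    return counts


if __name__ == "__main__":
    for service, actions in find_mutating_actions(POLICY_EXCERPT).items():
        print(f"{service}: {', '.join(actions)}")
    print(summarize(POLICY_EXCERPT))
```

Run it against the full AliyunDIRolePolicy document by passing the JSON text to find_mutating_actions; the result is the list of whitelist-modification, script-execution and catalog-write actions that the role can exercise on any instance in the account, which is the list to weigh when deciding who may assume the role.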

Delete the service-linked roles

  • You can delete the AliyunServiceRoleForDataWorksDI role at any time. After it is deleted, DataWorks can no longer list the Data Integration related RAM roles for selection when a data source is created. For details, see Delete a service-linked role.
  • You can delete the AliyunDIDefaultRole role at any time. After it is deleted, DataWorks may be unable to query information about the corresponding cloud products during data source configuration, task configuration, and data synchronization, which causes connectivity test errors, task configuration errors, and data synchronization errors.

Permissions a RAM user needs to create the service-linked roles

  • A RAM user that is granted the DataWorksFullAccess policy, or the following policy, can create the service-linked role AliyunServiceRoleForDataWorksDI. The Condition limits ram:CreateServiceLinkedRole to the DataWorks Data Integration service (ram:ServiceName equal to di.dataworks.aliyuncs.com), so this statement cannot be used to create service-linked roles for other services.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dataworks:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "di.dataworks.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • A RAM user needs the following policy to create the AliyunDIDefaultRole role. Unlike the policy above, these two actions carry no Condition and apply to Resource "*": the user can create any role and attach any policy, including AdministratorAccess, to any role in the account, which is effectively administrator privilege. Grant it only for the duration of the setup, or have an account administrator create the role instead.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:CreateRole",
                    "ram:AttachPolicyToRole"
                ],
                "Resource": "*"
            }
        ]
    }
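To see concretely what the two policies above permit, the following script is an added example, not part of the DataWorks documentation or product code. It is a minimal evaluator for RAM policy documents: it matches a requested action against Allow and Deny statements (honouring "*" wildcards such as "dataworks:*"), applies StringEquals conditions on request context keys such as ram:ServiceName, and lists the RAM actions a policy grants with no condition on Resource "*". SLR_POLICY and DEFAULT_ROLE_POLICY are copies of the two policies shown above. Assumptions: only the StringEquals condition operator is implemented (any other operator is treated as not matching, so the evaluator fails closed), and resource matching is not modelled because both policies use Resource "*".

```python
"""Evaluate what the two RAM user policies on the page actually permit.

Added example, not from the DataWorks documentation. SLR_POLICY and
DEFAULT_ROLE_POLICY are the two policy documents shown on the page.
"""
import fnmatch
import json
from typing import Optional

# Policy that lets a RAM user create the AliyunServiceRoleForDataWorksDI role.
SLR_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "di.dataworks.aliyuncs.com"}}},
    ],
})

# Policy that lets a RAM user create the AliyunDIDefaultRole role.
DEFAULT_ROLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ram:CreateRole", "ram:AttachPolicyToRole"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """RAM allows Action/Resource/condition values to be a string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every clause must hold. Assumption: only StringEquals is implemented;
    other operators fail closed (treated as not matching)."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy_document: str, action: str,
               context: Optional[dict] = None) -> bool:
    """An explicit Deny wins; otherwise any matching Allow statement grants the action."""
    context = context or {}
    allowed = False
    for stmt in json.loads(policy_document).get("Statement", []):
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def unscoped_ram_actions(policy_document: str) -> list:
    """RAM actions granted by an Allow statement on Resource "*" with no Condition.

    These are the ones to review: unconditioned ram:CreateRole together with
    ram:AttachPolicyToRole lets the holder build an administrator role.
    """
    found = []
    for stmt in json.loads(policy_document).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.extend(a for a in _as_list(stmt.get("Action", []))
                     if a.startswith("ram:"))
    return found


if __name__ == "__main__":
    di = {"ram:ServiceName": "di.dataworks.aliyuncs.com"}
    print(is_allowed(SLR_POLICY, "ram:CreateServiceLinkedRole", di))  # True
    print(is_allowed(SLR_POLICY, "ram:CreateServiceLinkedRole",
                     {"ram:ServiceName": "ecs.aliyuncs.com"}))        # False
    print(unscoped_ram_actions(SLR_POLICY))           # []
    print(unscoped_ram_actions(DEFAULT_ROLE_POLICY))  # ['ram:CreateRole', 'ram:AttachPolicyToRole']
```

The contrast the script makes visible is the one that matters for least privilege: the first policy cannot be bent to other services because the StringEquals condition has to match the request, while the second policy grants the two RAM actions unconditionally, so a reviewer should treat the second grant as temporary or replace it with an administrator performing the role creation.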