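The first time you use DTS, you must create a default role named AliyunDTSDefaultRole and attach the system permission policy AliyunDTSRolePolicy to it. Once authorized, DTS can access cloud resources such as RDS and ECS under the current cloud account, and can call the relevant cloud resource information when you configure data migration, synchronization, or subscription tasks.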
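Background information
If you have not correctly granted DTS permission to access cloud resources:
- The following error message appears when you open the DTS console:
- The following error message appears when you configure a task: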
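Precautions
If no authorization dialog box appears after you log on to the DTS console with an Alibaba Cloud account (primary account), the account has already been authorized and you can skip the steps in this topic.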
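Procedure
- Log on to the DTS console with an Alibaba Cloud account (primary account).
- In the error dialog box that appears, click Go to RAM to Authorize. Note: You can also grant the permissions in the RAM console. For details, see Authorize in the RAM console.
- In the Cloud Resource Access Authorization dialog box that appears, click Agree to Authorize.
When Authorization Succeeded appears, the authorization is complete.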
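Authorize in the RAM console
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- Enter AliyunDTSDefaultRole to the right of Create Role.
- In the Actions column of the target row, click Precise Authorization.
- On the Add Permissions page, under Enter Policy Name, enter AliyunDTSRolePolicy.
- Click OK.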
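View the authorization result
Use this procedure to view the authorization result of the default role. If you have already created and authorized the AliyunDTSDefaultRole role but the system still reports that it is not authorized, you can also follow this procedure to authorize again.
- Log on to the RAM console with an Alibaba Cloud account (primary account).
- In the left-side navigation pane, choose .
- On the Roles page, enter AliyunDTSDefaultRole.
- Click the role name to view the details of AliyunDTSDefaultRole.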
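- If the role AliyunDTSDefaultRole meets both of the following conditions, the authorization succeeded.
  - Trust policy management contains dts.aliyuncs.com.
  - Permission management contains the system policy AliyunDTSRolePolicy.
- If the role AliyunDTSDefaultRole does not meet the conditions above, the authorization failed and you must authorize again.
  Delete the role AliyunDTSDefaultRole, go to Grant DTS access to cloud resources, and authorize again.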
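The two conditions above can also be checked programmatically. The following is an added example, not part of the original documentation: it assumes you have already exported the role's trust policy document and its list of attached policies as JSON, and the field names (`Principal.Service`, `PolicyName`, `PolicyType`) and the sample data are assumptions constructed for illustration.

```python
import json

DTS_SERVICE = "dts.aliyuncs.com"
DTS_POLICY = "AliyunDTSRolePolicy"

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def trusts_dts(trust_policy_doc):
    """True if an Allow statement lets the DTS service assume the role."""
    for stmt in json.loads(trust_policy_doc).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if DTS_SERVICE in _as_list(stmt.get("Principal", {}).get("Service")):
            return True
    return False

def check_dts_role(trust_policy_doc, attached_policies):
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    if not trusts_dts(trust_policy_doc):
        problems.append("trust policy does not allow " + DTS_SERVICE)
    # The page requires the *system* policy, so a custom policy that merely
    # shares the name does not count.
    if not any(p.get("PolicyName") == DTS_POLICY and p.get("PolicyType") == "System"
               for p in attached_policies):
        problems.append("system policy " + DTS_POLICY + " is not attached")
    return problems

# Constructed sample input (assumed layout, not taken from a real account).
SAMPLE_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["dts.aliyuncs.com"]}}]})
SAMPLE_ATTACHED = [{"PolicyName": "AliyunDTSRolePolicy", "PolicyType": "System"}]

if __name__ == "__main__":
    print(check_dts_role(SAMPLE_TRUST, SAMPLE_ATTACHED) or "authorization OK")
```

A non-empty result corresponds to the failed-authorization case, where the role is deleted and authorized again.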
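Permission policy description
The system permission policy AliyunDTSRolePolicy of the DTS default service role AliyunDTSDefaultRole contains some management permissions on cloud resources such as RDS, ECS, PolarDB, MongoDB, Redis, DRDS, DataHub, and Elasticsearch. The permissions are defined as follows.
AliyunDTSRolePolicy permission policy definition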
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:Describe*",
"rds:CreateDBInstance",
"rds:CreateAccount*",
"rds:CreateDataBase*",
"rds:ModifySecurityIps",
"rds:GrantAccountPrivilege",
"rds:ReceiveDBInstance",
"rds:CreateMigrateTask",
"rds:DescribeMigrateTaskById",
"rds:CreateOnlineDatabaseTask"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeInstances",
"ecs:DescribeRegions",
"ecs:AuthorizeSecurityGroup",
"ecs:CreateSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:DescribeSecurityGroups",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:RevokeSecurityGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dhs:ListProject",
"dhs:GetProject",
"dhs:CreateTopic",
"dhs:ListTopic",
"dhs:GetTopic",
"dhs:UpdateTopic",
"dhs:ListShard",
"dhs:MergeShard",
"dhs:SplitShard",
"dhs:PutRecords",
"dhs:GetRecords",
"dhs:GetCursors"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticsearch:DescribeInstance",
"elasticsearch:ListInstance",
"elasticsearch:UpdateAdminPwd",
"elasticsearch:UpdatePublicNetwork",
"elasticsearch:UpdateBlackIps",
"elasticsearch:UpdateKibanaIps",
"elasticsearch:UpdatePublicIps",
"elasticsearch:UpdatePrivateNetworkWhiteIps",
"elasticsearch:UpdatePublicWhiteIps",
"elasticsearch:UpdateWhiteIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"drds:DescribeDrds*",
"drds:ModifyDrdsIpWhiteList",
"drds:DescribeRegions",
"drds:DescribeRdsList",
"drds:CreateDrdsDB",
"drds:CreateDrdsAccount",
"drds:DescribeShardDBs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeDBClusterIPArrayList",
"polardb:DescribeDBClusterNetInfo",
"polardb:DescribeDBClusters",
"polardb:DescribeRegions",
"polardb:DescribeDBClusterEndpoints",
"polardb:DescribeDBClusterAccessWhiteList",
"polardb:ModifyDBClusterAccessWhitelist",
"polardb:ModifySecurityIps",
"polardb:DescribeDBClusterAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeDBInstanceAttribute",
"dds:DescribeReplicaSetRole",
"dds:DescribeSecurityIps",
"dds:DescribeDBInstances",
"dds:ModifySecurityIps",
"dds:DescribeShardingNetworkAddress",
"dds:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:DescribeSecurityIps",
"kvstore:DescribeInstances",
"kvstore:DescribeRegions",
"kvstore:ModifySecurityIps",
"kvstore:DescribeAccounts",
"kvstore:CreateAccount",
"kvstore:DescribeDBInstanceNetInfoForInner",
"kvstore:DescribeDBInstanceNetInfo",
"kvstore:AllocateInstancePrivateConnection",
"kvstore:SyncDtsStatus",
"kvstore:GetDbMasterInfo"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"petadata:DescribeInstanceInfo",
"petadata:DescribeSecurityIPs",
"petadata:DescribeInstances",
"petadata:ModifySecurityIPs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"adb:DescribeDBClusters",
"adb:DescribeDBClusterAttribute",
"adb:DescribeRegions",
"adb:DescribeDBClusterNetInfo",
"adb:DescribeDBClusterAccessWhiteList",
"adb:ModifyDBClusterAccessWhiteList",
"adb:DescribeDBClusterPerformance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gpdb:DescribeDBInstanceAttribute",
"gpdb:DescribeDBInstances",
"gpdb:DescribeRegions",
"gpdb:DescribeDBInstanceIPArrayList",
"gpdb:DescribeDBClusterIPArrayList",
"gpdb:ModifySecurityIps",
"gpdb:DescribeDBInstanceNetInfo",
"gpdb:DescribeDBClusterPerformance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"clickhouse:DescribeRegions",
"clickhouse:DescribeDBClusters",
"clickhouse:DescribeDBClusterAttribute",
"clickhouse:DescribeDBClusterNetInfoItems",
"clickhouse:DescribeDBClusterAccessWhiteList",
"clickhouse:ModifyDBClusterAccessWhiteList",
"clickhouse:DescribeAllDataSource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ots:ListInstance",
"ots:GetInstance",
"ots:GetRow",
"ots:PutRow",
"ots:UpdateRow",
"ots:DeleteRow",
"ots:BatchWriteRow",
"ots:BulkImport",
"ots:CreateTable",
"ots:DescribeTable",
"ots:ListTable"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dg:GetUserDatabases",
"dg:GetUserGateways"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cen:DeleteRouteServiceInCen",
"cen:DescribeCenAttachedChildInstances",
"cen:DescribeCens",
"cen:DescribeRouteServicesInCen",
"cen:ResolveAndRouteServiceInCen"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardbx:DescribeDBInstances",
"polardbx:DescribeDBInstanceAttribute",
"polardbx:DescribeSecurityIps",
"polardbx:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dms:GetUserActiveTenant",
"dms:GetInstance",
"dms:GetLogicDatabase",
"dms:ListLogicDatabases",
"dms:GetDBTopology",
"dms:ListLogicTables",
"dms:GetTableDBTopology"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVpcAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lindorm:GetLindormInstanceListForDMS",
"lindorm:GetLindormInstanceForDMS",
"lindorm:UpdateInstanceIpWhiteList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hbase:DescribeClusterConnection",
"hbase:DescribeInstance",
"hbase:DescribeInstances",
"hbase:ModifyIpWhitelist"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Note: For more information about permission policies, see Permission policy syntax and structure.
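Every statement in the policy above is an Allow on `"Resource": "*"`, so for a least-privilege review it helps to separate the read-only actions from those that change state, and to single out the ones that alter IP allowlists or security groups. The following is an added example, not part of the original documentation: the read-only prefixes and the name patterns are assumptions chosen to fit the action names in this policy, and the embedded input is a short excerpt of three statements from it.

```python
import json
import re

# Assumption: in this policy, names starting with these verbs do not change state.
READ_ONLY = re.compile(r"^(Describe|List|Get)")
# Assumption: name fragments used here by actions that edit allowlists / security groups.
NETWORK_ACL = re.compile(
    r"security(ips|group)|white(list|ips)|blackips|public(network|ips)|kibanaips", re.I)

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def review(policy_doc):
    """Map service -> mutating actions (and the network-ACL subset) allowed on '*'."""
    findings = {}
    for stmt in json.loads(policy_doc)["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if READ_ONLY.match(name):
                continue
            entry = findings.setdefault(service, {"mutating": [], "network_acl": []})
            entry["mutating"].append(name)
            if NETWORK_ACL.search(name):
                entry["network_acl"].append(name)
    return findings

# Excerpt: a few actions from three statements of AliyunDTSRolePolicy as listed above.
POLICY_EXCERPT = """
{"Version": "1", "Statement": [
  {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup",
              "ecs:DeleteSecurityGroup"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["polardb:DescribeDBClusters", "polardb:ModifyDBClusterAccessWhitelist",
              "polardb:ModifySecurityIps"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["ots:GetRow", "ots:PutRow", "ots:DeleteRow", "ots:CreateTable"],
   "Resource": "*", "Effect": "Allow"}
]}
"""

if __name__ == "__main__":
    for service, entry in review(POLICY_EXCERPT).items():
        print(service, entry)
```

Running `review` over the full policy text gives the complete list of state-changing permissions the DTS role holds across the account, which is the set worth monitoring in audit logs.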