在您第一次使用DTS时,需要您将名称为AliyunDTSDefaultRole的权限策略授权给DTS的RAM角色。经过授权后,DTS可访问当前云账号下的RDS、ECS等云资源以进行数据迁移或数据同步。

注意事项

如果您的阿里云账号登陆数据传输服务DTS控制台时,没有提示您授权,说明当前云账号已经授权过。

操作步骤

  1. 使用源实例所属云账号登陆数据传输服务DTS控制台
  2. 在弹出的提示对话框中,单击前往RAM角色授权
    DTS提示未授权
  3. 在弹出的云资源访问授权对话框中,单击同意授权
    授予DTS权限

权限策略说明

AliyunDTSDefaultRole权限策略是DTS服务默认角色的授权策略,包括RDS、ECS、DataHub、Elasticsearch、DRDS、POLARDB、MongoDB、Redis、HybridDB for MySQL的部分管理权限,具体权限定义如下。

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:CreateDBInstance",
                "rds:CreateAccount*",
                "rds:CreateDataBase*",
                "rds:ModifySecurityIps",
                "rds:GrantAccountPrivilege"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeRegions",
                "ecs:AuthorizeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dhs:ListProject",
                "dhs:GetProject",
                "dhs:CreateTopic",
                "dhs:ListTopic",
                "dhs:GetTopic",
                "dhs:UpdateTopic",
                "dhs:ListShard",
                "dhs:MergeShard",
                "dhs:SplitShard",
                "dhs:PutRecords",
                "dhs:GetRecords",
                "dhs:GetCursors"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:ListInstance",
                "elasticsearch:UpdateAdminPwd",
                "elasticsearch:UpdatePublicNetwork",
                "elasticsearch:UpdateBlackIps",
                "elasticsearch:UpdateKibanaIps",
                "elasticsearch:UpdatePublicIps",
                "elasticsearch:UpdateWhiteIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrds*",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeRegions",
                "drds:DescribeRdsList",
                "drds:CeateDrdsDB",
                "drds:DescribeShardDBs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterIPArrayList",
                "polardb:DescribeDBClusterNetInfo",
                "polardb:DescribeDBClusters",
                "polardb:DescribeRegions",
                "polardb:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstanceAttribute",
                "dds:DescribeReplicaSetRole",
                "dds:DescribeSecurityIps",
                "dds:DescribeDBInstances",
                "dds:ModifySecurityIps",
                "dds:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:DescribeInstances",
                "kvstore:DescribeRegions",
                "kvstore:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstanceInfo",
                "petadata:DescribeSecurityIPs",
                "petadata:DescribeInstances",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}