Data Integration supports the RAM role authorization mode. This topic describes how to obtain the list of RAM roles related to DataWorks Data Integration, how to delete the service-linked roles, and the permissions a RAM user (sub-account) needs in order to create the service-linked roles.
Scenarios
When you create a DataWorks data source in RAM role authorization mode, you select a custom RAM role that is used to access the data source, for example OSS.
You must authorize the DataWorks service to assume the service-linked role AliyunServiceRoleForDataWorksDI so that it can obtain the list of RAM roles related to DataWorks Data Integration for you to choose from.
You must also authorize the DataWorks service to assume the service-linked role AliyunDIDefaultRole so that DataWorks Data Integration can call the OpenAPI of the relevant data sources.
About AliyunServiceRoleForDataWorksDI
- Role name: AliyunServiceRoleForDataWorksDI
- Role permission policy: AliyunServiceRolePolicyForDataWorksDI
- Permission description: allows DataWorks to access the list of RAM roles related to DataWorks Data Integration.
- Purpose of this permission: lists the RAM roles related to DataWorks Data Integration.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:ListRoles",
        "ram:GetRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
About AliyunDIDefaultRole
- Role name: AliyunDIDefaultRole
- Role permission policy: AliyunDIRolePolicy
- Permission description: allows DataWorks to access resources of other Alibaba Cloud services under the current Alibaba Cloud account. This includes partial management permissions on cloud resources such as RDS, Redis, MongoDB, PolarDB-X, HybridDB for MySQL, AnalyticDB for PostgreSQL, PolarDB, DMS, and DLF.
- Purpose of this permission: lets DataWorks access the relevant resources when you configure data sources, configure tasks, and synchronize data.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstances",
        "rds:DescribeRegions",
        "rds:DescribeDatabases",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityGroupConfiguration",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeRegions",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps",
        "dds:DescribeRegions",
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsInstance",
        "drds:DescribeDrdsDbList",
        "drds:DescribeDrdsDb",
        "drds:DescribeLogicTableList",
        "drds:DescribeRegions",
        "drds:ModifyDrdsIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstanceInfo",
        "petadata:DescribeInstances",
        "petadata:DescribeDatabases",
        "petadata:DescribeTables",
        "petadata:DescribeTableInfo",
        "petadata:DescribeInstancePerformance",
        "petadata:DescribeDatabasePerformance",
        "petadata:DescribeInstanceResourceUsage",
        "petadata:DescribeDatabaseResourceUsage",
        "petadata:DescribeRegions",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstanceAttribute",
        "gpdb:DescribeDBInstances",
        "gpdb:DescribeResourceUsage",
        "gpdb:DescribeDBInstanceIPArrayList",
        "gpdb:DescribeDBClusterIPArrayList",
        "gpdb:DescribeDBInstancePerformance",
        "gpdb:DescribeDBInstanceNetInfo",
        "gpdb:DescribeRegions",
        "gpdb:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeClusterInfo",
        "polardb:DescribeDBClusterParameters",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dms:ListUsers",
        "dms:ListDatabases",
        "dms:ListLogicTables",
        "dms:GetLogicDatabase",
        "dms:SearchDatabase",
        "dms:GetMetaTableDetailInfo",
        "dms:SearchTable",
        "dms:ExecuteScript",
        "dms:ListTables",
        "dms:GetDatabase",
        "dms:ListInstances",
        "dms:GetTableDBTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:GetServiceStatus",
        "dlf:ListDatabases",
        "dlf:CreateDatabase",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:CreatePartition",
        "dlf:ListTableNames",
        "dlf:GetTable",
        "dlf:UpdateDatabase",
        "dlf:UpdateTable",
        "dlf:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
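Because AliyunDIRolePolicy grants every action on Resource "*", the question a reviewer asks is which of those actions change state rather than just read it. The following script is an added example, not part of this topic or of DataWorks; it parses a RAM policy document and reports the allow-listed actions whose names are not read-only verbs (Describe, List, Get, Search), then singles out the ones that alter database network access controls. The embedded policy is a constructed, abbreviated copy of three of the statements shown above, and the read-only prefix list is an assumption about naming, not a RAM rule.

```python
import json
import re

# Constructed, abbreviated copy of the AliyunDIRolePolicy statements above
# (action names copied verbatim, most read-only actions dropped for brevity).
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["rds:DescribeDBInstances",
                    "rds:DescribeSecurityGroupConfiguration",
                    "rds:ModifySecurityGroupConfiguration",
                    "rds:ModifySecurityIps"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["dms:ListDatabases", "dms:ExecuteScript"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["dlf:ListDatabases", "dlf:CreateTable", "dlf:UpdateTable"],
         "Resource": "*", "Effect": "Allow"},
    ],
})

# Assumption: an action whose name starts with one of these verbs only reads
# state. Every other action is treated as write-capable and reported.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Search")


def audit_policy(policy_json: str) -> dict:
    """Return the write-capable actions allowed on Resource "*", grouped by
    service prefix. Deny statements and scoped resources are skipped."""
    policy = json.loads(policy_json)
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" not in resources:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                findings.setdefault(service, []).append(action)
    return findings


def whitelist_actions(findings: dict) -> list:
    """From the audit findings, pick the actions that change IP whitelists or
    security groups: these are the ones worth alerting on in ActionTrail."""
    pattern = re.compile(r"SecurityIps|SecurityGroup|WhiteList", re.IGNORECASE)
    return sorted(a for acts in findings.values() for a in acts if pattern.search(a))


if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY)
    for service, actions in sorted(result.items()):
        print(f"{service}: {', '.join(actions)}")
    print("network ACL changes:", whitelist_actions(result))
```

Run against the full policy above, the whitelist filter reports one Modify*SecurityIps / *WhiteList action per database service, which is exactly the footprint a defender wants to log and alert on; dms:ExecuteScript and the dlf:Create*/Update* actions are also reported because their names are not read verbs, even though they do not touch network controls.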
Delete the service-linked roles
- You can delete the AliyunServiceRoleForDataWorksDI role at any time. If you delete it, tasks that create data sources in DataWorks can no longer list and select the RAM roles related to DataWorks Data Integration. For details, see Delete a service-linked role.
- You can delete the AliyunDIDefaultRole role at any time. If you delete it, DataWorks may be unable to query information about the corresponding cloud services when you configure data sources, configure tasks, or synchronize data, which causes connectivity test errors, task configuration errors, data synchronization errors, and so on.
Permissions a RAM user needs to create the service-linked roles
- A RAM user (sub-account) that is granted the DataWorksFullAccess policy or the following policy can create the service-linked role AliyunServiceRoleForDataWorksDI.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dataworks:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "di.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
- The permission policy a RAM user needs in order to add the AliyunDIDefaultRole role is as follows.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateRole",
        "ram:AttachPolicyToRole"
      ],
      "Resource": "*"
    }
  ]
}
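The difference between the two RAM-user policies above is the Condition on the first one: ram:CreateServiceLinkedRole is allowed only when the request's ram:ServiceName equals di.dataworks.aliyuncs.com, whereas the second policy grants ram:CreateRole and ram:AttachPolicyToRole unconditionally. The following script is an added example, not part of this topic or of the RAM service; it implements a deliberately simplified policy evaluator (wildcard action and resource matching, the StringEquals operator, deny-overrides) and runs both policies through it. The request action dataworks:ListProjects and the resource ARN in the demo are assumed values used only to exercise the matcher, and the evaluator is not the RAM engine: treat its decisions as a reading aid for the policies, not as an authorization oracle.

```python
import json
from fnmatch import fnmatchcase

# Both policies from the topic, embedded verbatim so the script runs offline.
SLR_CREATE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "di.dataworks.aliyuncs.com"}}},
    ],
})
DEFAULT_ROLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ram:CreateRole", "ram:AttachPolicyToRole"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _condition_holds(condition, context):
    """Simplified condition check: only StringEquals is implemented (the operator
    the policies above use). Every listed key must be present in the request
    context with one of the expected values; a missing key fails the check."""
    for operator, clauses in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"unsupported condition operator {operator}")
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy_json, action, resource="*", context=None):
    """Deny-overrides evaluation: a matching Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied."""
    context = context or {}
    decision = False
    for stmt in json.loads(policy_json)["Statement"]:
        action_match = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_match = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_match and resource_match):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    di_ctx = {"ram:ServiceName": "di.dataworks.aliyuncs.com"}
    other_ctx = {"ram:ServiceName": "example.aliyuncs.com"}  # constructed value
    print("SLR for DI:      ", is_allowed(SLR_CREATE_POLICY, "ram:CreateServiceLinkedRole", context=di_ctx))
    print("SLR for other:   ", is_allowed(SLR_CREATE_POLICY, "ram:CreateServiceLinkedRole", context=other_ctx))
    print("dataworks action:", is_allowed(SLR_CREATE_POLICY, "dataworks:ListProjects"))  # assumed action name
    print("CreateRole (1st):", is_allowed(SLR_CREATE_POLICY, "ram:CreateRole"))
    print("CreateRole (2nd):", is_allowed(DEFAULT_ROLE_POLICY, "ram:CreateRole"))
```

The point the evaluator makes visible is the blast radius of each grant: the first policy lets the RAM user create exactly one service-linked role (the one whose service name is di.dataworks.aliyuncs.com) and nothing else in RAM, while the second policy lets the user create any role and attach any policy to it, which is a much broader permission to hand out and one to restrict to the accounts that genuinely set up AliyunDIDefaultRole.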