在您第一次使用DTS时,需要您创建名称为AliyunDTSDefaultRole的默认角色,并将系统权限策略AliyunDTSRolePolicy授权给该角色。经过授权后,DTS可访问当前云账号下的RDS、ECS等云资源,在执行数据迁移、同步或订阅任务的配置时可调用相关云资源信息。

注意事项

如果使用主账号登录数据传输控制台后,没有弹出提示授权的对话框,说明当前主账号已执行过授权,可跳过本文的操作。

操作步骤

  1. 使用阿里云主账号登录数据传输控制台
  2. 在弹出的错误提示对话框中,单击前往RAM角色授权
    DTS提示未授权
  3. 在弹出的云资源访问授权对话框中,单击同意授权

    当出现授权成功时,表示授权已完成。

    授予DTS权限

查看授权结果

您可以通过此步骤查看默认角色的授权结果。如果您已创建AliyunDTSDefaultRole角色并授权,但系统仍然报错未授权时,您也可以参照此步骤重新授权。

  1. 使用阿里云主账号登录RAM访问控制台
  2. 在左侧导航栏,选择身份管理 > 角色
  3. 角色页面,输入AliyunDTSDefaultRole并搜索。
  4. 单击角色名称查看AliyunDTSDefaultRole的详细信息。
    • 当角色AliyunDTSDefaultRole同时满足如下条件时,表示的授权成功。
      • 信任策略管理中包含dts.aliyuncs.com信任策略管理
      • 权限管理中包含系统策略AliyunDTSRolePolicy权限管理
    • 当角色AliyunDTSDefaultRole不满足上述条件时,表示的授权失败,需要重新授权。

      删除角色AliyunDTSDefaultRole,访问授予DTS访问云资源,重新授权。

权限策略说明

DTS服务默认角色AliyunDTSDefaultRole的系统权限策略AliyunDTSRolePolicy,包含RDS、ECS、PolarDB、MongoDB、Redis、PolarDB-X 云原生分布式数据库(原)、DataHub、Elasticsearch等云资源的部分管理权限,具体权限定义如下。

AliyunDTSRolePolicy权限策略定义(单击展开)
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:Describe*",
                "rds:CreateDBInstance",
                "rds:CreateAccount*",
                "rds:CreateDataBase*",
                "rds:ModifySecurityIps",
                "rds:GrantAccountPrivilege",
                "rds:ReceiveDBInstance",
                "rds:CreateMigrateTask",
                "rds:DescribeMigrateTaskById",
                "rds:CreateOnlineDatabaseTask"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeInstances",
                "ecs:DescribeRegions",
                "ecs:AuthorizeSecurityGroup",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteSecurityGroup",
                "ecs:DescribeSecurityGroups",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:RevokeSecurityGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dhs:ListProject",
                "dhs:GetProject",
                "dhs:CreateTopic",
                "dhs:ListTopic",
                "dhs:GetTopic",
                "dhs:UpdateTopic",
                "dhs:ListShard",
                "dhs:MergeShard",
                "dhs:SplitShard",
                "dhs:PutRecords",
                "dhs:GetRecords",
                "dhs:GetCursors"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "elasticsearch:DescribeInstance",
                "elasticsearch:ListInstance",
                "elasticsearch:UpdateAdminPwd",
                "elasticsearch:UpdatePublicNetwork",
                "elasticsearch:UpdateBlackIps",
                "elasticsearch:UpdateKibanaIps",
                "elasticsearch:UpdatePublicIps",
                "elasticsearch:UpdatePrivateNetworkWhiteIps",
                "elasticsearch:UpdatePublicWhiteIps",
                "elasticsearch:UpdateWhiteIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrds*",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeRegions",
                "drds:DescribeRdsList",
                "drds:CreateDrdsDB",
                "drds:CreateDrdsAccount",
                "drds:DescribeShardDBs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterIPArrayList",
                "polardb:DescribeDBClusterNetInfo",
                "polardb:DescribeDBClusters",
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeDBClusterAccessWhiteList",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:ModifySecurityIps",
                "polardb:DescribeDBClusterAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeDBInstanceAttribute",
                "dds:DescribeReplicaSetRole",
                "dds:DescribeSecurityIps",
                "dds:DescribeDBInstances",
                "dds:ModifySecurityIps",
                "dds:DescribeShardingNetworkAddress",
                "dds:DescribeRegions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:DescribeInstances",
                "kvstore:DescribeRegions",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeAccounts",
                "kvstore:CreateAccount",
                "kvstore:DescribeDBInstanceNetInfoForInner",
                "kvstore:DescribeDBInstanceNetInfo",
                "kvstore:AllocateInstancePrivateConnection",
                "kvstore:SyncDtsStatus",
                "kvstore:GetDbMasterInfo"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstanceInfo",
                "petadata:DescribeSecurityIPs",
                "petadata:DescribeInstances",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeRegions",
                "adb:DescribeDBClusterNetInfo",
                "adb:DescribeDBClusterAccessWhiteList",
                "adb:ModifyDBClusterAccessWhiteList",
                "adb:DescribeDBClusterPerformance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstanceAttribute",
                "gpdb:DescribeDBInstances",
                "gpdb:DescribeRegions",
                "gpdb:DescribeDBInstanceIPArrayList",
                "gpdb:DescribeDBClusterIPArrayList",
                "gpdb:ModifySecurityIps",
                "gpdb:DescribeDBInstanceNetInfo",
                "gpdb:DescribeDBClusterPerformance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeRegions",
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBClusterAttribute",
                "clickhouse:DescribeDBClusterNetInfoItems",
                "clickhouse:DescribeDBClusterAccessWhiteList",
                "clickhouse:ModifyDBClusterAccessWhiteList",
                "clickhouse:DescribeAllDataSource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance",
                "ots:GetInstance",
                "ots:GetRow",
                "ots:PutRow",
                "ots:UpdateRow",
                "ots:DeleteRow",
                "ots:BatchWriteRow",
                "ots:BulkImport",
                "ots:CreateTable",
                "ots:DescribeTable",
                "ots:ListTable"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserDatabases",
                "dg:GetUserGateways"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cen:DeleteRouteServiceInCen",
                "cen:DescribeCenAttachedChildInstances",
                "cen:DescribeCens",
                "cen:DescribeRouteServicesInCen",
                "cen:ResolveAndRouteServiceInCen"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dms:GetUserActiveTenant",
                "dms:GetInstance",
                "dms:GetLogicDatabase",
                "dms:ListLogicDatabases",
                "dms:GetDBTopology",
                "dms:ListLogicTables",
                "dms:GetTableDBTopology"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVpcAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:UpdateInstanceIpWhiteList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hbase:DescribeClusterConnection",
                "hbase:DescribeInstance",
                "hbase:DescribeInstances",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
说明 更多关于权限策略的介绍,请参见权限策略语法和结构