Dataphin service-linked role

Last updated: 2026-01-18 19:15:17

In some scenarios, an Alibaba Cloud service needs to access other Alibaba Cloud services to perform its functions. Alibaba Cloud provides service-linked roles (SLRs) for these scenarios. A service-linked role is a special type of Resource Access Management (RAM) role that can be assumed only by an Alibaba Cloud service. For more information, see RAM Role Overview and Service-Linked Roles.

Limits

Only users with the ram:CreateServiceLinkedRole permission can create service-linked roles. Contact an administrator to grant you the AliyunDataphinFullAccess RAM role or the required permission.

Scenarios for SLRs in Dataphin

  • Scenario 1: Sync Alibaba Cloud account information.

    The Dataphin service uses the AliyunServiceRoleForDataphinOnRAM SLR to sync RAM member information from the current Alibaba Cloud account.

  • Scenario 2: Create MaxCompute compute sources and data sources.

    The Dataphin service uses the AliyunServiceRoleForDataphinOnOdps SLR to access MaxCompute projects in the current Alibaba Cloud account. The main operations include the following:

    • Query all MaxCompute projects in the current Alibaba Cloud account.

    • Create the dp-project-schedule MaxCompute project role in the selected MaxCompute project.

    • Grant the dp-project-schedule permission to the AliyunServiceRoleForDataphinOnOdps SLR.

    Note

    MaxCompute projects created using an SLR support only Python 3.11 for creating PyODPS tasks.

  • Scenario 3: Create Alibaba Cloud data sources.

    The Dataphin service uses the AliyunServiceRoleForDataphinOnDataBase SLR to access specified types of Alibaba Cloud data sources in the current Alibaba Cloud account. The main operations include the following:

    • Query the list of RDS for MySQL and AnalyticDB for MySQL instances in the current Alibaba Cloud account.

    • Query basic information about a specified RDS for MySQL instance, such as its connection address and instance ID.

Detailed permissions of different SLRs

To view SLR permissions, open the Resource Access Management (RAM) console and choose Identity management > Roles in the left-side navigation pane. The service-linked roles and their policies are listed there.

Important

Dataphin relies on the following SLRs for its daily operations. Delete these SLRs only after your Dataphin subscription expires.

  • Role name: AliyunServiceRoleForDataphinOnRAM

    Description: Allows Dataphin to query user information in RAM.

    Permissions:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ram:ListUserBasicInfos",
          "Resource": "*"
        },
        {
          "Action": "ram:DeleteServiceLinkedRole",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "ram:ServiceName": "ram.dataphin.aliyuncs.com"
            }
          }
        }
      ]
    }

  • Role name: AliyunServiceRoleForDataphinOnOdps

    Description: Dataphin uses this role to access your resources in MaxCompute.

    Permissions:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "odps:CreateRole",
            "odps:UpdateUsersToRole",
            "odps:ListProjects"
          ],
          "Resource": "*"
        }
      ]
    }

  • Role name: AliyunServiceRoleForDataphinOnDataBase

    Description: Dataphin uses this role to access your resources in ApsaraDB.

    Permissions:

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "rds:DescribeDBInstanceAttribute",
            "rds:DescribeDBInstanceNetInfo",
            "rds:DescribeDBInstances",
            "rds:DescribeRegions",
            "rds:DescribeDatabases",
            "rds:DescribeSecurityGroupConfiguration",
            "rds:DescribeDBInstanceIPArrayList",
            "rds:ModifySecurityGroupConfiguration",
            "rds:ModifySecurityIps"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "gpdb:DescribeDBInstanceAttribute",
            "gpdb:DescribeDBInstances",
            "gpdb:DescribeResourceUsage",
            "gpdb:DescribeDBInstanceIPArrayList",
            "gpdb:DescribeDBClusterIPArrayList",
            "gpdb:DescribeDBInstancePerformance",
            "gpdb:DescribeDBInstanceNetInfo",
            "gpdb:DescribeRegions",
            "gpdb:ModifySecurityIps"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "polardb:DescribeClusterInfo",
            "polardb:DescribeDBClusterParameters",
            "polardb:DescribeDBClusterEndpoints",
            "polardb:ModifyDBClusterAccessWhitelist",
            "polardb:DescribeDBClusterAccessWhitelist",
            "polardb:DescribeRegions"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "adb:DescribeDBClusters",
            "adb:DescribeDBClusterAttribute",
            "adb:DescribeClusterAccessWhiteList",
            "adb:DescribeClusterNetInfo",
            "adb:ModifyClusterAccessWhiteList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
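
When reviewing these roles, it helps to separate the query actions from the ones that change state. The following is an added example, not Alibaba Cloud or Dataphin code: it lists the state-changing actions in an SLR policy document and marks those granted on "Resource": "*" with no Condition. The sample policy is constructed from statements copied from the policies above, and the read-only verb prefixes are a naming heuristic assumed here.

```python
import json

# Constructed sample: statements copied from the SLR policies on this page
# (a subset of the rds and adb actions, plus the conditioned ram statement).
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["rds:DescribeDBInstances", "rds:DescribeDBInstanceNetInfo",
              "rds:ModifySecurityGroupConfiguration", "rds:ModifySecurityIps"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["adb:DescribeDBClusters", "adb:ModifyClusterAccessWhiteList"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "ram.dataphin.aliyuncs.com"}}}
]}
""")

# Assumption: operations starting with these verbs only read state.
READ_PREFIXES = ("Describe", "List", "Get", "Query")


def as_list(value):
    """RAM policies allow a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit(policy):
    """Return one finding per Allow'ed action that is not read-only."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Unscoped: applies to every resource and carries no Condition block.
        unscoped = "*" in as_list(stmt.get("Resource", [])) and not stmt.get("Condition")
        for action in as_list(stmt["Action"]):
            service, _, op = action.partition(":")
            if op.startswith(READ_PREFIXES):
                continue  # query-only action, nothing to report
            # Wildcard actions such as "rds:*" fall through and are reported.
            findings.append({"action": action, "service": service, "unscoped": unscoped})
    return findings


if __name__ == "__main__":
    for f in audit(POLICY):
        scope = "all resources, no condition" if f["unscoped"] else "conditioned or scoped"
        print(f"{f['action']:45} {scope}")
```
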