Grant DTS permissions to access cloud resources

This topic describes how to grant Data Transmission Service (DTS) the required permissions to access cloud resources in your Alibaba Cloud account.

Background information

Why authorization is required

To use DTS, you must create the AliyunDTSDefaultRole default role and grant it the AliyunDTSRolePolicy system policy. This allows DTS to access cloud resources such as ApsaraDB for RDS and Elastic Compute Service (ECS) in your Alibaba Cloud account and retrieve the information required for task configuration. Without these permissions, you cannot configure DTS tasks.

If you do not correctly grant DTS permissions to access cloud resources, the DTS console displays the following error message:

  • Error code: Abnormal.RamCheckUserRole

  • Error message: You have not authorized the DTS default role "AliyunDTSDefaultRole". If your account has write permissions on RAM, perform the authorization on the RAM console. Otherwise, you must use your Alibaba Cloud account to authorize the role on the RAM console, and then refresh this page.

Permission policy

The AliyunDTSRolePolicy system policy for the AliyunDTSDefaultRole default role includes partial management permissions for cloud resources such as ApsaraDB for RDS, Elastic Compute Service (ECS), PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch. For a detailed definition of the permissions, see AliyunDTSRolePolicy.

Note

For more information about permission policies, see Syntax and structure of permission policies.

Procedure

Note

If you log on to the RAM console by using an Alibaba Cloud account and find that the AliyunDTSDefaultRole role already exists, check whether the authorization is correct. For more information, see Verify the authorization.

Method 1: RAM quick authorization (recommended)

Use an Alibaba Cloud account to go to the RAM Quick Authorization page and click Confirm Authorization.

If the EntityAlreadyExists.Role and EntityAlreadyExists.Role.Policy error messages appear after authorization, it means DTS has already been granted the required permissions. You can return to the DTS console to configure your task.

Method 2: Authorization from the error prompt

  1. Use an Alibaba Cloud account to log on to the DTS console.

  2. In the Error Message dialog box, click Authorize in RAM Console.

  3. On the RAM Quick Authorization page that appears, click Confirm Authorization.

  4. After the authorization is complete, return to the DTS console to continue.

    The system automatically completes the following three steps: Create Service Role, Create Custom Policy, and Attach Permission Policy to Role.

Method 3: Authorization on the RAM console

  1. Find the default role.

    1. Use an Alibaba Cloud account to log on to the RAM console.

    2. Optional: In the left-side navigation pane, choose Identities > Roles.

    3. In the search box to the right of Create Role, enter AliyunDTSDefaultRole and search for the role.

      Note

      If the AliyunDTSDefaultRole role does not exist, we recommend that you use Method 1.

  2. In the search results, click AliyunDTSDefaultRole.

  3. Grant precise permissions to the target RAM role.

    1. On the Permissions tab, click Precise Permission.

    2. Optional: In the Precise Permission panel, set Policy Type to System Policy.

    3. In the Policy Name text box, enter AliyunDTSRolePolicy.

    4. Click OK.

      On the Permissions tab, you can click the refresh icon to check whether the permission is granted.

  4. After the permission is granted, click Close.

Verify the authorization

Note

You can follow these steps to verify the authorization for the default role.

  1. Use an Alibaba Cloud account to log on to the RAM console.

  2. Optional: In the left-side navigation pane, choose Identities > Roles.

  3. In the search box to the right of Create Role, enter AliyunDTSDefaultRole and search for the role.

  4. In the search results, click AliyunDTSDefaultRole.

  5. View the details of the AliyunDTSDefaultRole role.

    • The authorization is successful if the AliyunDTSDefaultRole role meets both of the following conditions:

      • The Trust Policy contains dts.aliyuncs.com.

        Specifically, the Service field in the Principal section of the trust policy JSON contains dts.aliyuncs.com. To modify the trust policy, click Edit Trust Policy.

      • The Permissions tab contains the AliyunDTSRolePolicy system policy.

    • If the AliyunDTSDefaultRole role does not meet these conditions, the authorization has failed, and you must authorize the role again.

      You can delete the AliyunDTSDefaultRole role and authorize it again.
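
The two conditions above can also be checked in code. The following Python is an added example, not Alibaba Cloud tooling; the JSON shapes of the trust policy and the attached-policy list, and the names `check_dts_role`, `GOOD_TRUST`, `BAD_TRUST` and `GOOD_POLICIES`, are assumptions made for illustration. It goes one step beyond the page by also listing any other principals the trust policy allows to assume the role.

```python
import json

DTS_SERVICE = "dts.aliyuncs.com"
DTS_POLICY = "AliyunDTSRolePolicy"

def _as_list(value):
    # Policy fields may hold one string, one object, or a list of them.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def check_dts_role(trust_policy_json, attached_policies):
    """Return (ok, findings) for the two conditions in 'Verify the authorization'."""
    findings, trusted, extra = [], False, set()
    doc = json.loads(trust_policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                if kind == "Service" and principal == DTS_SERVICE:
                    trusted = True
                else:
                    extra.add(f"{kind}:{principal}")
    if not trusted:
        findings.append(f"trust policy does not let {DTS_SERVICE} assume the role")
    if extra:  # not a failure per the page's conditions, but worth reviewing
        findings.append("trust policy also trusts: " + ", ".join(sorted(extra)))
    has_policy = any(
        p.get("PolicyName") == DTS_POLICY and p.get("PolicyType") == "System"
        for p in attached_policies
    )
    if not has_policy:
        findings.append(f"system policy {DTS_POLICY} is not attached")
    return trusted and has_policy, findings

# Constructed sample inputs (assumed shapes, not captured from a real account).
GOOD_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["dts.aliyuncs.com"]}}]})
BAD_TRUST = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": "ecs.aliyuncs.com"}}]})
GOOD_POLICIES = [{"PolicyName": "AliyunDTSRolePolicy", "PolicyType": "System"}]

if __name__ == "__main__":
    print(check_dts_role(GOOD_TRUST, GOOD_POLICIES))
    print(check_dts_role(BAD_TRUST, []))
```

A custom policy that merely reuses the name AliyunDTSRolePolicy does not satisfy the check, because the page requires the system policy.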

      Note