本文介绍数据管理DMS和数据灾备(DBS)服务关联角色(AliyunServiceRoleForDMS、AliyunServiceRoleForDBS)的应用场景以及如何删除服务关联角色。
背景信息
服务关联角色是一种RAM角色(RAM role)。在某些场景下,该角色可以帮助数据管理DMS和数据灾备(DBS)获取到其他云服务的访问权限,来实现自身的某个功能。更多关于服务关联角色的信息,请参见服务关联角色。
应用场景
数据管理DMS
当DMS部分功能需要访问ECS、VPC、RDS以及各类型数据库或工具相关的资源时,您可以通过DMS服务关联角色获取访问资源的权限。
数据灾备(DBS)
DBS服务关联角色(AliyunServiceRoleForDBS)是具备其他云服务访问权限的RAM角色,DBS接入您在阿里云购买的云数据库(如RDS、MongoDB、 Redis、PolarDB)或阿里云ECS上自建的数据库时,需通过AliyunServiceRoleForDBS获取访问权限。更多信息,请参见服务关联角色。
角色介绍
AliyunServiceRoleForDMS
角色名称:AliyunServiceRoleForDMS
策略名称:AliyunServiceRolePolicyForDMS
权限说明:创建该关联角色后,DMS即可访问ECS、VPC、RDS以及各类型数据库或工具相关的资源。
权限的作用
查询RDS、PolarDB、Lindorm等各类型数据库的资源详情,以便管理云数据库。
查询ECS、VPC的资源详情,以便管理ECS、公网自建数据库。
使用DTS、DBS等云生态工具,进行一站式的数据管理。
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DescribeImages",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:RevokeSecurityGroup",
"ecs:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceAttribute",
"ecs:CreateCommand",
"ecs:DeleteCommand",
"ecs:DescribeInvocationResults"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:InvokeCommand",
"ecs:StopInvocation"
],
"Resource": "acs:ecs:*:*:instance/*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/dms": "script-for-dms"
}
},
"Effect": "Allow"
},
{
"Action": [
"ecs:InvokeCommand",
"ecs:StopInvocation"
],
"Resource": "acs:ecs:*:*:command/*",
"Effect": "Allow"
},
{
"Action": [
"rds:DescribeDBInstanceHAConfig",
"rds:DescribeBinlogFiles",
"rds:DescribeDBInstancePerformance",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeSlowLogs",
"rds:DescribeSlowLogRecords",
"rds:DescribeSQLCollectorPolicy",
"rds:ModifySQLCollectorPolicy",
"rds:DescribeSQLLogRecords",
"rds:DescribeSQLLogFiles",
"rds:DescribeResourceUsage",
"rds:DescribeRegions",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:ModifyBackupPolicy",
"rds:DescribeSecurityGroupConfiguration",
"rds:DescribeDBInstanceEncryptionKey",
"rds:DescribeDBInstanceTDE",
"rds:DescribeDBInstanceSSL",
"rds:DescribeCrossRegionBackupDBInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeSecurityIps",
"dds:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:DescribeSecurityIps",
"kvstore:ModifySecurityIps",
"kvstore:DescribeRegions",
"kvstore:DescribeInstances",
"kvstore:DescribeInstanceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"drds:DescribeDrdsInstances",
"drds:QueryInstanceInfoByConn",
"drds:DescribeDrdsInstanceList",
"drds:DescribeDrdsDBIpWhiteList",
"drds:ModifyDrdsIpWhiteList",
"drds:DescribeDrdsInstanceVersion"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeRegions",
"polardb:DescribeDBClusters",
"polardb:DescribeDBClusterAttribute",
"polardb:DescribeDBClusterEndpoints"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardbx:DescribeDBInstances",
"polardbx:DescribeSecurityIps",
"polardbx:ModifySecurityIps",
"polardbx:DescribeDBInstanceAttribute",
"polardbx:DescribeBinaryLogList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"petadata:DescribeInstances",
"petadata:DescribeInstanceInfoByConnection",
"petadata:DescribeSecurityIPs",
"petadata:ModifySecurityIPs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hdm:AccessHDMInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dts:CreateMigrationJob",
"dts:ConfigureMigrationJob",
"dts:StartMigrationJob",
"dts:StopMigrationJob",
"dts:DescribeMigrationJobStatus",
"dts:DescribeMigrationJobDetail",
"dts:CreateSynchronizationJob",
"dts:ConfigureSynchronizationJob",
"dts:StartSynchronizationJob",
"dts:SuspendSynchronizationJob",
"dts:DescribeSynchronizationJobStatus",
"dts:ShieldPrecheck",
"dts:CreateDtsInstance",
"dts:ConfigureDtsJob",
"dts:StartDtsJob",
"dts:ModifyDtsJob",
"dts:StopDtsJob",
"dts:DescribeDtsJobDetail",
"dts:DescribeDtsJobs",
"dts:ConfigureEtlJob",
"dts:SaveEtlJob",
"dts:SuspendDtsJob",
"dts:DeleteDtsJob",
"dts:ModifyDtsJobName",
"dts:SkipPreCheck",
"dts:DescribeDtsEtlJobVersionInfo",
"dts:DescribeEtlJobLogs",
"dts:PreviewSql",
"dts:DescribePreCheckStatus",
"dts:DescribeDtsJobLogs",
"dts:DescribeJobMonitorRule",
"dts:CreateJobMonitorRule",
"dts:DescribeConfigRelations",
"dts:DescribeFormInfo",
"dts:DescribeDmsInstanceDetail",
"dts:DescribeSchemaList",
"dts:DescribeColumns",
"dts:DescribeStruct",
"dts:DescribeDtsInstancePrice",
"dts:DescribeRegions",
"dts:DescribeInstanceInventory",
"dts:CreateCheckJob",
"dts:DescribeCheckJobDiffDetails",
"dts:EtlMockData",
"dts:EtlMockResult",
"dts:DescribeCheckJobStatus",
"dts:Ping"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"apigateway:CreateApiGroup",
"apigateway:ModifyApiGroup",
"apigateway:DeleteApiGroup",
"apigateway:DescribeApiGroups",
"apigateway:CreateApi",
"apigateway:ModifyApi",
"apigateway:DeployApi",
"apigateway:AbolishApi",
"apigateway:DeleteApi",
"apigateway:DescribeApi",
"apigateway:DescribeApis",
"apigateway:CreateApp",
"apigateway:ModifyApp",
"apigateway:DeleteApp",
"apigateway:DescribeAppSecurity",
"apigateway:ResetAppCode",
"apigateway:ResetAppSecret",
"apigateway:DescribeAppAttributes",
"apigateway:SetApisAuthorities",
"apigateway:DescribeAuthorizedApps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dg:GetUserGateways",
"dg:GetUserDatabases"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"openanalytics:QueryBucketList",
"openanalytics:QueryDirectoryList",
"openanalytics:ListVirtualClusters",
"openanalytics:SubmitSparkJob",
"openanalytics:KillSparkJob",
"openanalytics:GetJobLog",
"openanalytics:GetJobDetail",
"openanalytics:GetJobStatus",
"openanalytics:ExecuteService",
"openanalytics:QueryService",
"openanalytics:ExecuteOnVirtualCluster"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dbs:DescribeBackupPlanList",
"dbs:DescribeFullBackupList",
"dbs:CreateBackupPlan",
"dbs:ConfigureBackupPlan",
"dbs:ModifyBackupObjects",
"dbs:StartBackupPlan",
"dbs:ModifyBackupSourceEndpoint",
"dbs:StartTask",
"dbs:StopBackupPlan",
"dbs:CreateRestoreTask",
"dbs:StartRestoreTask",
"dbs:DescribeRestoreTaskList",
"dbs:DescribeRestoreRangeInfo",
"dbs:CreateDLAService",
"dbs:DescribeDLAService",
"dbs:CloseDLAService",
"dbs:CreateAndStartBackupPlan",
"dbs:DescribeFullBackupSet",
"dbs:DescribeDataSourceQueryableAttribute",
"dbs:DescribeDataSourceQueryableAttributeDetail",
"dbs:GetTimeTravelInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oceanbase:DescribeAllTenantsConnectionInfo",
"oceanbase:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "dms.aliyuncs.com"
}
}
},
{
"Action": [
"hbase:DescribeInstances",
"hbase:DescribeInstance",
"hbase:DescribeEndpoints",
"hbase:DescribeIpWhitelist",
"hbase:ModifyIpWhitelist"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cassandra:DescribeClusters",
"cassandra:DescribeCluster",
"cassandra:DescribeDataCenters",
"cassandra:DescribeIpWhitelistGroups",
"cassandra:ModifyIpWhitelistGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lindorm:GetLindormInstanceList",
"lindorm:GetLindormInstance",
"lindorm:GetLindormInstanceEngineList",
"lindorm:GetLindormInstanceListForDMS",
"lindorm:GetLindormInstanceForDMS",
"lindorm:GetLindormInstanceForDMSByConnStr",
"lindorm:GetInstanceIpWhiteList",
"lindorm:UpdateInstanceIpWhiteList",
"lindorm:CreateComputeEngineJob",
"lindorm:GetComputeEngineJobDetail",
"lindorm:GetComputeEngineJobLog",
"lindorm:ReleaseLindormComputeJob"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"adb:CreateDBCluster",
"adb:CreateAccount",
"adb:DescribeDBClusters",
"adb:DescribeDBClusterNetInfo",
"adb:SubmitSparkApp",
"adb:KillSparkApp",
"adb:ListSparkApps",
"adb:GetSparkAppLog",
"adb:GetSparkAppInfo",
"adb:GetSparkAppState",
"adb:GetSparkAppAttemptLog",
"adb:GetSparkAppWebUiAddress",
"adb:ListSparkAppAttempts",
"adb:DescribeDBResourceGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gpdb:DescribeDBInstances",
"gpdb:ResumeInstance",
"gpdb:PauseInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunServiceRoleForDBS
角色名称:AliyunServiceRoleForDBS
策略名称:AliyunServiceRolePolicyForDBS
权限说明:创建该关联角色后,数据灾备(DBS)即可接入您在阿里云购买的云数据库(如RDS、MongoDB、 Redis、PolarDB)或阿里云ECS上自建的数据库。
策略内容
{
"Version": "1",
"Statement": [
{
"Action": [
"rds:DescribeDBInstanceNetInfo",
"rds:DescribeDBInstanceNetInfoForChannel",
"rds:DescribeTasks",
"rds:DescribeDBInstances",
"rds:DescribeFilesForSQLServer",
"rds:DescribeImportsForSQLServer",
"rds:DescribeSlowLogRecords",
"rds:DescribeBinlogFiles",
"rds:DescribeSQLLogRecords",
"rds:DescribeParameters",
"rds:DescribeParameterTemplates",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeDatabases",
"rds:DescribeAccounts",
"rds:DescribeSecurityIPList",
"rds:DescribeSecurityIps",
"rds:DescribeDBInstanceIPArray",
"rds:DescribeDBInstanceIPArrayList",
"rds:DescribeDBInstanceSSL",
"rds:DescribeDBInstanceTDE",
"rds:CreateDBInstance",
"rds:CreateAccount",
"rds:CreateDatabase",
"rds:ModifySecurityIps",
"rds:GrantAccountPrivilege",
"rds:CreateMigrateTask",
"rds:CreateOnlineDatabaseTask",
"rds:DescribeMigrateTasks",
"rds:DescribeOssDownloads",
"rds:CreateBackup",
"rds:DescribeBackups",
"rds:DescribeBackupPolicy",
"rds:ModifyBackupPolicy",
"rds:DescribeBackupTasks",
"rds:DescribeBinlogFiles",
"rds:DescribeResourceUsage",
"rds:DescribeAvailableZones",
"rds:DescribeAvailableClasses",
"rds:ListClasses",
"rds:CreateDdrInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:DescribeInstance",
"ecs:DescribeInstances",
"ecs:DescribeVpcs",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupAttribute",
"ecs:AuthorizeSecurityGroup",
"ecs:JoinSecurityGroup",
"ecs:RevokeSecurityGroup",
"ecs:DescribeSnapshotLinks",
"ecs:DescribeSnapshots",
"ecs:ModifySnapshotAttribute",
"ecs:ResizeDisk",
"ecs:CreateSecurityGroup",
"ecs:ModifySecurityGroupPolicy"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kms:ListKeys"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cms:PutEventRule",
"cms:PutEventTargets",
"cms:ListEventRules",
"cms:ListEventTargetsByRule",
"cms:DeleteEventRule",
"cms:DeleteEventTargets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeDBClusterAttribute",
"polardb:DescribeDBClusterIPArrayList",
"polardb:DescribeDBClusterNetInfo",
"polardb:DescribeDBClusters",
"polardb:ModifySecurityIps",
"polardb:DescribeDBClusterEndpoints",
"polardb:DescribeDBClusterAccessWhitelist",
"polardb:ModifyDBClusterAccessWhitelist"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeDBInstanceAttribute",
"dds:DescribeReplicaSetRole",
"dds:DescribeShardingNetworkAddress",
"dds:DescribeSecurityIps",
"dds:DescribeDBInstances",
"dds:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:DescribeSecurityIps",
"kvstore:DescribeInstances",
"kvstore:DescribeAccounts",
"kvstore:DescribeDBInstanceNetInfo",
"kvstore:CreateAccount",
"kvstore:ModifySecurityIps",
"kvstore:DescribeInstanceAttribute",
"kvstore:AllocateInstancePrivateConnection",
"kvstore:DescribeLogicInstanceTopology"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"drds:DescribeDrdsDB",
"drds:DescribeDrdsDBs",
"drds:DescribeDrdsDbInstance",
"drds:DescribeDrdsDbInstances",
"drds:DescribeDrdsDBIpWhiteList",
"drds:DescribeDrdsInstances",
"drds:ModifyDrdsIpWhiteList",
"drds:CreateDrdsDB",
"drds:DescribeTable",
"drds:DescribeTables",
"drds:ModifyRdsReadWeight",
"drds:ChangeAccountPassword",
"drds:CreateDrdsInstance",
"drds:CreateInstanceInternetAddress",
"drds:DescribeInstanceAccounts",
"drds:DescribeBackupSets",
"drds:DescribeDbInstances",
"drds:DescribeDrdsCrossRegionBackups",
"drds:DescribeCrossBackupMetadata",
"drds:RegisterCrossRegionBackupSet",
"drds:DeleteCrossRegionBackupSet",
"drds:DescribeDrdsRdsInstances",
"drds:CreateDrdsCrossInstance",
"drds:DescribeDrdsInstanceLevelTasks"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"privatelink:CreateVpcEndpoint",
"privatelink:ListVpcEndpoints",
"privatelink:AddZoneToVpcEndpoint",
"privatelink:ListVpcEndpointZones",
"privatelink:RemoveZoneFromVpcEndpoint",
"privatelink:GetVpcEndpointAttribute",
"privatelink:DeleteVpcEndpoint"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"bssapi:QueryResourcePackageInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "hdm:AddHDMInstance",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "dbs.aliyuncs.com"
}
}
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "privatelink.aliyuncs.com"
}
}
},
{
"Action": [
"dg:GetUserGateways",
"dg:GetUserDatabases",
"dg:AddDatabase",
"dg:DescribeRegions"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
创建服务关联角色所需的权限
数据管理DMS
您需要拥有指定的权限,才能创建DMS服务关联角色。
若您的RAM用户权限不足,则需要添加如下权限后再执行为RAM用户授权操作。添加权限和授权的具体操作,请参见创建自定义权限策略和为RAM用户授权。
权限策略示例:允许为DMS创建服务关联角色。
{
"Action":"ram:CreateServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName": "dms.aliyuncs.com"
}
}
}
数据灾备(DBS)
您需要拥有指定的权限,才能创建数据灾备(DBS)服务关联角色。
若您的RAM用户权限不足,则需要添加如下权限后再执行为RAM用户授权操作。添加权限和授权的具体操作,请参见创建自定义权限策略和为RAM用户授权。
权限策略示例:允许为数据灾备(DBS)创建服务关联角色。
{
"Action":"ram:CreateServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName": "dms.aliyuncs.com"
}
}
}
创建服务关联角色
数据管理DMS
若您的RAM用户已添加DMS创建服务关联角色权限,则需要登录DMS控制台,并且在弹出的DMS服务关联角色对话框中,单击确认,系统将自动为您创建DMS服务关联角色。更多创建服务关联角色信息,请参见创建服务关联角色。
数据灾备(DBS)
当您初次使用数据灾备(DBS)时,系统会自动创建该服务关联角色。在使用数据灾备(DBS)之前,您需要将服务关联角色(AliyunServiceRoleForDBS)授权给数据灾备(DBS),以确保数据灾备(DBS)具备访问您的数据库的权限。
查看服务关联角色
数据管理DMS
当数据管理DMS服务关联角色(AliyunServiceRoleForDMS)创建成功后,您可以在RAM控制台查看该角色。包括角色基本信息、角色的信任策略和角色的权限策略(AliyunServiceRolePolicyForDMS)。
登录RAM控制台。
在左侧导航栏,选择身份管理 > 角色。
在角色页面,搜索并单击AliyunServiceRoleForDMS。
查看角色的基本信息。
在角色详情页面的基本信息区域,查看RAM角色名称、创建时间和ARN等信息。
查看角色的信任策略。
在角色详情页面,单击信任策略页签,通过
Service
字段查看可以使用该角色的云服务。例如:"Service": ["dms.aliyuncs.com"]
。查看角色的权限策略(AliyunServiceRolePolicyForDMS)。
在角色详情页面,单击权限管理页签。
单击权限策略名称AliyunServiceRolePolicyForDMS。
在策略内容页签中,查看权限策略具体内容。
说明不支持在RAM的权限策略列表中直接查看服务关联角色的权限策略。
数据灾备(DBS)
当数据灾备(DBS)服务关联角色(AliyunServiceRoleForDBS)创建成功后,您可以在RAM控制台查看该角色。包括角色基本信息、角色的信任策略和角色的权限策略(AliyunServiceRolePolicyForDBS)。
登录RAM控制台。
在左侧导航栏,选择身份管理 > 角色。
在角色页面,搜索并单击AliyunServiceRoleForDBS。
查看角色的基本信息。
在角色详情页面的基本信息区域,查看RAM角色名称、创建时间和ARN等信息。
查看角色的信任策略。
在角色详情页面,单击信任策略页签,通过
Service
字段查看可以使用该角色的云服务。例如:"Service": ["dbs.aliyuncs.com"]
。查看角色的权限策略(AliyunServiceRolePolicyForDBS)。
在角色详情页面,单击权限管理页签。
单击权限策略名称AliyunServiceRolePolicyForDBS。
在策略内容页签中,查看权限策略具体内容。
说明不支持在RAM的权限策略列表中直接查看服务关联角色的权限策略。
删除服务关联角色
数据管理DMS
若您需要删除服务关联角色(AliyunServiceRoleForDMS),需要在DMS控制台上移除实例列表中的所有实例,移除后再尝试删除该服务关联角色。移除实例和服务关联角色的具体操作,请参见删除实例和删除服务关联角色。
数据灾备(DBS)
您可以在RAM控制台手动删除服务关联角色(AliyunServiceRoleForDBS)。具体操作,请参见删除RAM角色。