文档

配置数据源(RDS/PolarDB)报错

更新时间:

子账号权限不足解决方案

出现的问题

用户在使用子账号配置RDS数据源时有报错:

image

背景:在OpenSearch上配置数据源,需要OpenSearch访问云服务Rds/PolarDB/DRDS的资源,但是访问这些资源需要一些权限校验,为了方便用户配置,这里可以通过服务关联角色功能获取访问权限。详情可参考OpenSearch服务关联角色

上述案例的解决方法:可以通过主账号添加AliyunServiceRoleForOpenSearch 角色,获取访问RDS数据源的权限。操作步骤如下:

  1. 首先通过主账号登录阿里云,并且进入访问控制

image
  1. 在角色中搜索AliyunServiceRoleForOpenSearch

如果已存在,直接添加此角色即可:

image

如果不存在,需要手动创建:

  1. 手动创建AliyunServiceRoleForOpenSearch 角色:(可选)

3.1.身份管理>角色>创建角色

image

3.2.选择阿里云服务点击下一步:

image

3.3.选择服务关联角色,搜索开放搜索,点击完成

image
  1. 创建完成后,就可以在角色中搜索到AliyunServiceRoleForOpenSearch :

image

其中该角色的权限就是关于数据源相关操作的:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeDBInstances",
                "rds:DescribeDatabases",
                "rds:DescribeDBInstanceIPArrayList",
                "rds:DescribeAccounts",
                "rds:DescribeAbnormalDBInstances",
                "rds:ModifySecurityIps",
                "rds:DescribeResourceUsage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:ModifyDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterAccessWhitelist",
                "polardb:DescribeDBClusterParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstance",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:DescribeRdsList",
                "drds:DescribeDrdsDB"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:ConfigureSubscriptionInstance",
                "dts:CreateConsumerGroup",
                "dts:StartSubscriptionInstance",
                "dts:DescribeSubscriptionInstanceStatus",
                "dts:DescribeConsumerGroup",
                "dts:DeleteConsumerGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "opensearch.aliyuncs.com"
                }
            }
        }
    ]
}