DataWorks Data Integration supports RAM role-based authorization. This topic describes how to obtain Data Integration-related RAM roles, delete the service-linked roles of Data Integration, and allow a RAM user to create the service-linked roles of Data Integration.

Scenarios

When you add a data source, such as an Object Storage Service (OSS) data source, you can specify Data Integration to assume a custom RAM role to connect to the data source.

For Data Integration to obtain custom RAM roles, you must allow it to assume the service-linked role AliyunServiceRoleForDataWorksDI.

For Data Integration to call the API operations of the service that hosts the data source, you must also allow it to assume the service-linked role AliyunDIDefaultRole.

Description of the AliyunServiceRoleForDataWorksDI role

  • Role name: AliyunServiceRoleForDataWorksDI
  • Policy name: AliyunServiceRolePolicyForDataWorksDI
  • Permission description: This policy grants Data Integration the permission to obtain custom RAM roles.
  • Role description: Data Integration can assume this role to obtain custom RAM roles.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:ListRoles",
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Description of the AliyunDIDefaultRole role

  • Role name: AliyunDIDefaultRole
  • Policy name: AliyunDIRolePolicy
  • Permission description: This policy grants Data Integration the permission to access the resources of other services activated by the current account. The services include ApsaraDB RDS, ApsaraDB for Redis, ApsaraDB for MongoDB, PolarDB-X, HybridDB for MySQL, AnalyticDB for PostgreSQL, PolarDB, Data Management (DMS), and Data Lake Formation (DLF).
  • Role description: Data Integration can assume this role to access the related resources during data source configuration, node configuration, and data synchronization.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstances",
        "rds:DescribeRegions",
        "rds:DescribeDatabases",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityGroupConfiguration",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeRegions",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps",
        "dds:DescribeRegions",
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsInstance",
        "drds:DescribeDrdsDbList",
        "drds:DescribeDrdsDb",
        "drds:DescribeLogicTableList",
        "drds:DescribeRegions",
        "drds:ModifyDrdsIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstanceInfo",
        "petadata:DescribeInstances",
        "petadata:DescribeDatabases",
        "petadata:DescribeTables",
        "petadata:DescribeTableInfo",
        "petadata:DescribeInstancePerformance",
        "petadata:DescribeDatabasePerformance",
        "petadata:DescribeInstanceResourceUsage",
        "petadata:DescribeDatabaseResourceUsage",
        "petadata:DescribeRegions",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstanceAttribute",
        "gpdb:DescribeDBInstances",
        "gpdb:DescribeResourceUsage",
        "gpdb:DescribeDBInstanceIPArrayList",
        "gpdb:DescribeDBClusterIPArrayList",
        "gpdb:DescribeDBInstancePerformance",
        "gpdb:DescribeDBInstanceNetInfo",
        "gpdb:DescribeRegions",
        "gpdb:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeClusterInfo",
        "polardb:DescribeDBClusterParameters",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dms:ListUsers",
        "dms:ListDatabases",
        "dms:ListLogicTables",
        "dms:GetLogicDatabase",
        "dms:SearchDatabase",
        "dms:GetMetaTableDetailInfo",
        "dms:SearchTable",
        "dms:ExecuteScript",
        "dms:ListTables",
        "dms:GetDatabase",
        "dms:ListInstances",
        "dms:GetTableDBTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:GetServiceStatus",
        "dlf:ListDatabases",
        "dlf:CreateDatabase",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:CreatePartition",
        "dlf:ListTableNames",
        "dlf:GetTable",
        "dlf:UpdateDatabase",
        "dlf:UpdateTable",
        "dlf:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Delete a service-linked role

  • You can delete the AliyunServiceRoleForDataWorksDI role at any time. If you delete this role, Data Integration cannot obtain custom RAM roles, and you cannot select RAM roles when you add a data source. For more information, see Delete a service-linked role.
  • You can delete the AliyunDIDefaultRole role at any time. If you delete the role, Data Integration may not be able to query the information about the related service during data source configuration, node configuration, or data synchronization. As a result, a connectivity test error, node configuration error, or data synchronization error may occur.

Permissions required for a RAM user to create a service-linked role

  • To allow a RAM user to create the AliyunServiceRoleForDataWorksDI role, you must attach the DataWorksFullAccess policy or the following policy to the RAM user:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dataworks:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "di.dataworks.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • To allow a RAM user to create the AliyunDIDefaultRole role, you must attach the following policy to the RAM user:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:CreateRole",
                    "ram:AttachPolicyToRole"
                ],
                "Resource": "*"
            }
        ]
    }
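To make the effect of the Condition in the first policy concrete, here is an added Python example (written for this page, not DataWorks or RAM code) that evaluates both RAM user policies above with simplified RAM semantics: wildcard actions, StringEquals conditions, and an explicit Deny taking precedence; Resource matching is left out because every policy on this page uses "*", and the policy variable names are assumptions. It shows that the first policy lets the RAM user create a service-linked role only when the request names di.dataworks.aliyuncs.com, whereas the second policy's unconditioned ram:CreateRole and ram:AttachPolicyToRole grant broader role-management rights.

```python
import fnmatch
import json

# Constructed inline copies of the two RAM user policies shown on this page,
# so the script runs offline. The variable names are mine, not DataWorks identifiers.
SLR_CREATOR_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "di.dataworks.aliyuncs.com"}}}
  ]
}
""")
DEFAULT_ROLE_CREATOR_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["ram:CreateRole", "ram:AttachPolicyToRole"], "Resource": "*"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Only StringEquals is modelled; it is the only operator these policies use.
    # A key that is absent from the request context fails the condition, as in RAM.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, context=None):
    """Simplified RAM evaluation: action wildcards, conditions, explicit Deny wins.
    Resource matching is skipped because every policy on the page uses "*" (assumption)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```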