Database Backup: How do I activate DBS?

Last Updated: Oct 08, 2024

If you use Database Backup (DBS) for the first time, you must assign the AliyunDBSDefaultRole role to DBS and activate Object Storage Service (OSS) to allow DBS to access, query, and manage your databases and back up your databases to OSS in real time. This authorization operation ensures that the backup and restoration features of DBS run as expected without affecting the performance of your DBS backup schedules.

Prerequisites

An Alibaba Cloud account is created. For more information, see Create an Alibaba Cloud account.

Step 1: Assign the AliyunServiceRoleForDBS role to DBS

The AliyunServiceRoleForDBS role is a Resource Access Management (RAM) role that allows DBS to access other cloud services. Before DBS accesses Alibaba Cloud databases that you purchase, such as ApsaraDB RDS instances, ApsaraDB for MongoDB instances, ApsaraDB for Redis instances, and PolarDB databases, or self-managed databases hosted on Elastic Compute Service (ECS) instances, the AliyunServiceRoleForDBS role must be assigned to DBS. For more information, see Service-linked roles.

If you use DBS for the first time, you must assign the AliyunServiceRoleForDBS role to DBS. For more information about the permissions of the role, see the AliyunServiceRoleForDBS section of this topic.

  1. Log on to the Database Backup (DBS) console.

  2. In the Information dialog box, click Authorize DBS SLR.

    Note

    If the Information dialog box does not appear after you log on to the DBS console, you can skip the subsequent steps and create a backup schedule.

  3. In the DBS Service Linked Role dialog box, click OK.

    The AliyunServiceRoleForDBS role is created for DBS. You can delete the role based on your business requirements. For more information, see Delete a RAM role.

Step 2: Activate OSS

You are not charged for activating OSS. After you activate OSS, the backup data generated by DBS can be stored in OSS.

  1. Log on to the Database Backup (DBS) console.

  2. In the dialog box that appears, click Activate OSS Now.

  3. In the dialog box that appears, click Activate Now.

  4. On the OSS page, read and agree to the service agreement by selecting the check box and click Activate Now.

After you perform the preceding steps, DBS is activated.

AliyunServiceRoleForDBS

Role name: AliyunServiceRoleForDBS

Policy attached to the role: AliyunServiceRolePolicyForDBS

Permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceNetInfoForChannel",
        "rds:DescribeTasks",
        "rds:DescribeDBInstances",
        "rds:DescribeFilesForSQLServer",
        "rds:DescribeImportsForSQLServer",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeBinlogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeParameters",
        "rds:DescribeParameterTemplates",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDatabases",
        "rds:DescribeAccounts",
        "rds:DescribeSecurityIPList",
        "rds:DescribeSecurityIps",
        "rds:DescribeDBInstanceIPArray",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:CreateDBInstance",
        "rds:CreateAccount",
        "rds:CreateDatabase",
        "rds:ModifySecurityIps",
        "rds:GrantAccountPrivilege",
        "rds:CreateMigrateTask",
        "rds:CreateOnlineDatabaseTask",
        "rds:DescribeMigrateTasks",
        "rds:DescribeOssDownloads",
        "rds:CreateBackup",
        "rds:DescribeBackups",
        "rds:DescribeBackupPolicy",
        "rds:ModifyBackupPolicy",
        "rds:DescribeBackupTasks",
        "rds:DescribeBinlogFiles"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstance",
        "ecs:DescribeInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:RevokerSecurityGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:PutEventRule",
        "cms:PutEventTargets",
        "cms:ListEventRules",
        "cms:ListEventTargetsByRule",
        "cms:DeleteEventRule",
        "cms:DeleteEventTargets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusterIPArrayList",
        "polardb:DescribeDBClusterNetInfo",
        "polardb:DescribeDBClusters",
        "polardb:ModifySecurityIps",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeSecurityIps",
        "dds:DescribeDBInstances",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:DescribeInstances",
        "kvstore:DescribeAccounts",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:CreateAccount",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:AllocateInstancePrivateConnection",
        "kvstore:DescribeLogicInstanceTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsDB",
        "drds:DescribeDrdsDBs",
        "drds:DescribeDrdsDbInstance",
        "drds:DescribeDrdsDbInstances",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:DescribeDrdsInstances",
        "drds:ModifyDrdsIpWhiteList",
        "drds:CreateDrdsDB",
        "drds:DescribeTable",
        "drds:DescribeTables",
        "drds:ModifyRdsReadWeight",
        "drds:ChangeAccountPassword",
        "drds:CreateDrdsInstance",
        "drds:CreateInstanceAccount",
        "drds:CreateInstanceInternetAddress",
        "drds:DescribeInstanceAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "bssapi:QueryResourcePackageInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "hdm:AddHDMInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dbs.aliyuncs.com"
        }
      }
    }
  ]
}
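Every statement in this policy uses "Resource": "*", so what the role can change is determined entirely by the action list. The following Python sketch is an added example, not part of the Alibaba Cloud documentation or tooling. It audits a RAM policy document of this shape and separates read-only actions from actions that modify resources. It runs on an abridged excerpt of the statements above, and the list of read-only verb prefixes is an assumption made for the example.

```python
import json
from collections import Counter

# Abridged excerpt of the AliyunServiceRolePolicyForDBS statements shown above;
# the full policy JSON can be loaded and audited the same way.
POLICY_EXCERPT = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["rds:DescribeBinlogFiles", "rds:DescribeDBInstances",
                "rds:ModifySecurityIps", "rds:CreateAccount",
                "rds:GrantAccountPrivilege", "rds:DescribeBinlogFiles"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "hdm:AddHDMInstance", "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "dbs.aliyuncs.com"}}}
  ]
}
""")

# Assumption for this example: verbs with these prefixes only read state.
READ_PREFIXES = ("Describe", "List", "Query", "Get")


def audit_policy(policy):
    """Group allowed actions by service into read / write buckets."""
    seen = Counter()
    report = {"read": {}, "write_unconditioned": {}, "write_scoped": {}}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):      # "Action" may be a bare string
            actions = [actions]
        wildcard = stmt.get("Resource") in ("*", ["*"])
        for action in actions:
            seen[action] += 1
            service, verb = action.split(":", 1)
            if verb.startswith(READ_PREFIXES):
                bucket = "read"
            elif wildcard and "Condition" not in stmt:
                bucket = "write_unconditioned"   # any resource, no condition
            else:
                bucket = "write_scoped"          # limited by resource or condition
            report[bucket].setdefault(service, set()).add(verb)
    report["duplicates"] = sorted(a for a, n in seen.items() if n > 1)
    return report
```

The write_unconditioned bucket is the set to review first when assessing the role, for example the actions that modify IP whitelists and security groups or create database accounts.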

References

  • For more information about the database engine versions, database objects, granularity of backup and restoration, and features that are supported by DBS, see Database engines and features.

  • For more information about the issues related to the billing of DBS backup schedules, see Billing FAQ.

  • After the authorization is complete, you can directly create a backup schedule or create, configure, and start a backup schedule by calling API operations. For more information, see CreateBackupPlan or CreateAndStartBackupPlan.