Data Management: Service-linked role

Last Updated: Jun 28, 2023

AliyunServiceRoleForDMS is the service-linked role for Data Management. This topic describes what the service-linked role can do and how to create and delete the service-linked role.

Background information

The DMS service-linked role is a Resource Access Management (RAM) role. DMS assumes this role to access other cloud services on your behalf and implement certain features. For more information about service-linked roles, see Service-linked roles.

Scenarios

DMS can assume the service-linked role to access Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), RDS instances, and resources related to various databases and tools, in order to implement certain features.

Description of the AliyunServiceRoleForDMS role

Role name: AliyunServiceRoleForDMS.

Policy name: AliyunServiceRolePolicyForDMS.

Role description: The service-linked role allows DMS to access ECS instances, VPCs, RDS instances, and resources related to various databases and tools.

Operations that can be performed:

  • Query the details of RDS, PolarDB, ApsaraDB for Lindorm, and other database resources to manage ApsaraDB instances.

  • Query the details of ECS instances and VPCs to manage self-managed databases that are hosted on ECS instances or connected over the Internet.

  • Use Alibaba Cloud services such as Data Transmission Service (DTS) and Database Backup (DBS) to manage data centrally.

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeImages",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeRegions",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceAttribute",
        "ecs:CreateCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/dms": "script-for-dms"
        }
      },
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation"
      ],
      "Resource": "acs:ecs:*:*:command/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeBinlogFiles",
        "rds:DescribeDBInstancePerformance",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeSlowLogs",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSQLCollectorPolicy",
        "rds:ModifySQLCollectorPolicy",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeSQLLogFiles",
        "rds:DescribeResourceUsage",
        "rds:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstanceAttribute",
        "rds:ModifyBackupPolicy",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceEncryptionKey",
        "rds:DescribeDBInstanceTDE",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeCrossRegionBackupDBInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeRegions",
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstances",
        "drds:QueryInstanceInfoByConn",
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:ModifyDrdsIpWhiteList",
        "drds:DescribeDrdsInstanceVersion"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeRegions",
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterEndpoints"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardbx:DescribeDBInstances",
        "polardbx:DescribeSecurityIps",
        "polardbx:ModifySecurityIps",
        "polardbx:DescribeDBInstanceAttribute",
        "polardbx:DescribeBinaryLogList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstances",
        "petadata:DescribeInstanceInfoByConnection",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "hdm:AccessHDMInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:CreateMigrationJob",
        "dts:ConfigureMigrationJob",
        "dts:StartMigrationJob",
        "dts:StopMigrationJob",
        "dts:DescribeMigrationJobStatus",
        "dts:DescribeMigrationJobDetail",
        "dts:CreateSynchronizationJob",
        "dts:ConfigureSynchronizationJob",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob",
        "dts:DescribeSynchronizationJobStatus",
        "dts:ShieldPrecheck",
        "dts:CreateDtsInstance",
        "dts:ConfigureDtsJob",
        "dts:StartDtsJob",
        "dts:ModifyDtsJob",
        "dts:StopDtsJob",
        "dts:DescribeDtsJobDetail",
        "dts:DescribeDtsJobs",
        "dts:ConfigureEtlJob",
        "dts:SaveEtlJob",
        "dts:SuspendDtsJob",
        "dts:DeleteDtsJob",
        "dts:ModifyDtsJobName",
        "dts:SkipPreCheck",
        "dts:DescribeDtsEtlJobVersionInfo",
        "dts:DescribeEtlJobLogs",
        "dts:PreviewSql",
        "dts:DescribePreCheckStatus",
        "dts:DescribeDtsJobLogs",
        "dts:DescribeJobMonitorRule",
        "dts:CreateJobMonitorRule",
        "dts:DescribeConfigRelations",
        "dts:DescribeFormInfo",
        "dts:DescribeDmsInstanceDetail",
        "dts:DescribeSchemaList",
        "dts:DescribeColumns",
        "dts:DescribeStruct",
        "dts:DescribeDtsInstancePrice",
        "dts:DescribeRegions",
        "dts:DescribeInstanceInventory",
        "dts:CreateCheckJob",
        "dts:DescribeCheckJobDiffDetails",
        "dts:EtlMockData",
        "dts:EtlMockResult",
        "dts:DescribeCheckJobStatus",
        "dts:Ping"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "apigateway:CreateApiGroup",
        "apigateway:ModifyApiGroup",
        "apigateway:DeleteApiGroup",
        "apigateway:DescribeApiGroups",
        "apigateway:CreateApi",
        "apigateway:ModifyApi",
        "apigateway:DeployApi",
        "apigateway:AbolishApi",
        "apigateway:DeleteApi",
        "apigateway:DescribeApi",
        "apigateway:DescribeApis",
        "apigateway:CreateApp",
        "apigateway:ModifyApp",
        "apigateway:DeleteApp",
        "apigateway:DescribeAppSecurity",
        "apigateway:ResetAppCode",
        "apigateway:ResetAppSecret",
        "apigateway:DescribeAppAttributes",
        "apigateway:SetApisAuthorities",
        "apigateway:DescribeAuthorizedApps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dg:GetUserGateways",
        "dg:GetUserDatabases"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "openanalytics:QueryBucketList",
        "openanalytics:QueryDirectoryList",
        "openanalytics:ListVirtualClusters",
        "openanalytics:SubmitSparkJob",
        "openanalytics:KillSparkJob",
        "openanalytics:GetJobLog",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobStatus",
        "openanalytics:ExecuteService",
        "openanalytics:QueryService",
        "openanalytics:ExecuteOnVirtualCluster"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dbs:DescribeBackupPlanList",
        "dbs:DescribeFullBackupList",
        "dbs:CreateBackupPlan",
        "dbs:ConfigureBackupPlan",
        "dbs:ModifyBackupObjects",
        "dbs:StartBackupPlan",
        "dbs:ModifyBackupSourceEndpoint",
        "dbs:StartTask",
        "dbs:StopBackupPlan",
        "dbs:CreateRestoreTask",
        "dbs:StartRestoreTask",
        "dbs:DescribeRestoreTaskList",
        "dbs:DescribeRestoreRangeInfo",
        "dbs:CreateDLAService",
        "dbs:DescribeDLAService",
        "dbs:CloseDLAService",
        "dbs:CreateAndStartBackupPlan",
        "dbs:DescribeFullBackupSet",
        "dbs:DescribeDataSourceQueryableAttribute",
        "dbs:DescribeDataSourceQueryableAttributeDetail",
        "dbs:GetTimeTravelInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oceanbase:DescribeAllTenantsConnectionInfo",
        "oceanbase:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dms.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "hbase:DescribeInstances",
        "hbase:DescribeInstance",
        "hbase:DescribeEndpoints",
        "hbase:DescribeIpWhitelist",
        "hbase:ModifyIpWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cassandra:DescribeClusters",
        "cassandra:DescribeCluster",
        "cassandra:DescribeDataCenters",
        "cassandra:DescribeIpWhitelistGroups",
        "cassandra:ModifyIpWhitelistGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lindorm:GetLindormInstanceList",
        "lindorm:GetLindormInstance",
        "lindorm:GetLindormInstanceEngineList",
        "lindorm:GetLindormInstanceListForDMS",
        "lindorm:GetLindormInstanceForDMS",
        "lindorm:GetLindormInstanceForDMSByConnStr",
        "lindorm:GetInstanceIpWhiteList",
        "lindorm:UpdateInstanceIpWhiteList",
        "lindorm:CreateComputeEngineJob",
        "lindorm:GetComputeEngineJobDetail",
        "lindorm:GetComputeEngineJobLog",
        "lindorm:ReleaseLindormComputeJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "adb:CreateDBCluster",
        "adb:CreateAccount",
        "adb:DescribeDBClusters",
        "adb:DescribeDBClusterNetInfo",
        "adb:SubmitSparkApp",
        "adb:KillSparkApp",
        "adb:ListSparkApps",
        "adb:GetSparkAppLog",
        "adb:GetSparkAppInfo",
        "adb:GetSparkAppState",
        "adb:GetSparkAppAttemptLog",
        "adb:GetSparkAppWebUiAddress",
        "adb:ListSparkAppAttempts",
        "adb:DescribeDBResourceGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstances",
        "gpdb:ResumeInstance",
        "gpdb:PauseInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
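
As an added example (not part of the original page and not code from DMS or Alibaba Cloud), the following Python audits a RAM policy document for the two least-privilege properties worth checking in the policy above: which mutating actions are granted on every resource with no condition attached, and which actions are fenced by a StringEquals condition, such as the acs:ResourceTag/dms tag that limits ecs:InvokeCommand to instances tagged script-for-dms. The embedded policy is a constructed excerpt of the page's policy, and the set of read-only verb prefixes is an assumption of this example.

```python
import json
# Constructed excerpt of the AliyunServiceRolePolicyForDMS document shown above
# (four statements, not the full policy); the functions accept any RAM policy.
POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                    "ecs:AuthorizeSecurityGroup", "ecs:CreateCommand"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
         "Resource": "acs:ecs:*:*:instance/*", "Effect": "Allow",
         "Condition": {"StringEquals": {"acs:ResourceTag/dms": "script-for-dms"}}},
        {"Action": ["rds:DescribeDBInstances", "rds:ModifyBackupPolicy"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "dms.aliyuncs.com"}}},
    ],
})

# Verb prefixes treated as read-only (an assumption); every other verb is mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Query", "Ping", "Preview")

def as_list(value):
    """RAM allows 'Action' and 'Resource' to be a string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value)

def is_read_only(action):
    """Classify 'service:Verb' by the verb's prefix."""
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)

def unscoped_mutations(policy_json):
    """Mutating actions allowed on Resource '*' with no Condition, sorted."""
    found = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in as_list(stmt["Resource"]):
            found.update(a for a in as_list(stmt["Action"]) if not is_read_only(a))
    return sorted(found)

def conditioned_actions(policy_json, condition_key):
    """Action -> required value, for grants conditioned by StringEquals on condition_key."""
    scoped = {}
    for stmt in json.loads(policy_json)["Statement"]:
        value = stmt.get("Condition", {}).get("StringEquals", {}).get(condition_key)
        if value is not None:
            for action in as_list(stmt["Action"]):
                scoped[action] = value
    return scoped
```

Run against the full policy above, unscoped_mutations lists the write actions (security group changes, command creation, backup policy changes, whitelist edits, DTS and DBS job control) that the role can use on any resource, which is the list to compare against what your DMS deployment actually needs; conditioned_actions with ram:ServiceName confirms that the role may delete only its own service-linked role.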

Permissions required to create the service-linked role

RAM identities must be granted the required permissions before they can create the service-linked role for DMS.

If your RAM user does not have the required permissions, create the following custom policy and attach it to the RAM user. For more information about how to add a policy and how to grant permissions to a RAM user, see Create a custom policy and Grant permissions to the RAM user.

The following policy allows authorized RAM identities to create the service-linked role for DMS, and only that role, because the condition restricts the grant to the dms.aliyuncs.com service:

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Create the service-linked role

If your RAM user already has the required permissions, you can create the service-linked role for DMS directly. Log on to the DMS console and click OK in the DMS Service-linked Role dialog box. The system then automatically creates the service-linked role for DMS. For more information about how to create a service-linked role, see Create a service-linked role.

Delete the service-linked role

Before you delete the AliyunServiceRoleForDMS role, you must remove all instances from the instance list in the DMS console. For more information about how to remove an instance and how to delete a service-linked role, see Remove database instances and Delete a service-linked role.