Data Management: Service-linked role of DMS

Last Updated: Dec 25, 2024

This topic describes the service-linked role of Data Management (DMS) named AliyunServiceRoleForDMS.

Background information

A service-linked role is a Resource Access Management (RAM) role. For more information, see RAM role overview. The service-linked role allows DMS to access other cloud services and implement certain features in some scenarios. For more information, see Service-linked roles.

Scenarios

You can assume the service-linked role of DMS to allow certain DMS features to access Elastic Compute Service (ECS) instances, virtual private clouds (VPCs), RDS instances, and resources related to various databases and tools.

Service-linked role

AliyunServiceRoleForDMS

Role name: AliyunServiceRoleForDMS.

Policy name: AliyunServiceRolePolicyForDMS.

Role description: The service-linked role allows DMS to access ECS instances, VPCs, RDS instances, and resources related to various databases and tools.

Operations that can be performed:

  • Query the details of RDS, PolarDB, Lindorm, and other database resources to manage ApsaraDB instances.

  • Query the details of ECS instances and VPCs to manage self-managed databases hosted on ECS instances and the Internet.

  • Use Alibaba Cloud services such as Data Transmission Service (DTS) and Database Backup (DBS) to manage data centrally.

Policy content

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:DescribeImages",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeRegions",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceAttribute",
                "ecs:CreateCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocationResults"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/dms": "script-for-dms"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:command/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstanceHAConfig",
                "rds:DescribeBinlogFiles",
                "rds:DescribeDBInstancePerformance",
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeSlowLogs",
                "rds:DescribeSlowLogRecords",
                "rds:DescribeSQLCollectorPolicy",
                "rds:ModifySQLCollectorPolicy",
                "rds:DescribeSQLLogRecords",
                "rds:DescribeSQLLogFiles",
                "rds:DescribeResourceUsage",
                "rds:DescribeRegions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "rds:ModifyBackupPolicy",
                "rds:DescribeSecurityGroupConfiguration",
                "rds:DescribeDBInstanceEncryptionKey",
                "rds:DescribeDBInstanceTDE",
                "rds:DescribeDBInstanceSSL",
                "rds:DescribeCrossRegionBackupDBInstance",
                "rds:DescribeSQLCollectorRetention",
                "rds:TagResources",
                "rds:UntagResources",
                "rds:ListTagResources",
                "rds:DescribeDBInstanceByTags",
                "rds:DescribeDatabases"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeSecurityIps",
                "dds:ModifySecurityIps",
                "dds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeRegions",
                "kvstore:DescribeInstances",
                "kvstore:DescribeInstanceAttribute",
                "kvstore:DescribeInstanceConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstances",
                "drds:QueryInstanceInfoByConn",
                "drds:DescribeDrdsInstanceList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsInstanceVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusters",
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeMaskingRules",
                "polardb:ModifyMaskingRules",
                "polardb:DeleteMaskingRules",
                "polardb:DescribeDBClusterVersion",
                "polardb:DescribeDBClusterAuditLogCollector"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeBinaryLogList",
                "polardbx:DescribeDBInstanceViaEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstances",
                "petadata:DescribeInstanceInfoByConnection",
                "petadata:DescribeSecurityIPs",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hdm:AccessHDMInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:CreateMigrationJob",
                "dts:ConfigureMigrationJob",
                "dts:StartMigrationJob",
                "dts:StopMigrationJob",
                "dts:DescribeMigrationJobStatus",
                "dts:DescribeMigrationJobDetail",
                "dts:CreateSynchronizationJob",
                "dts:ConfigureSynchronizationJob",
                "dts:StartSynchronizationJob",
                "dts:SuspendSynchronizationJob",
                "dts:DescribeSynchronizationJobStatus",
                "dts:ShieldPrecheck",
                "dts:CreateDtsInstance",
                "dts:ConfigureDtsJob",
                "dts:StartDtsJob",
                "dts:ModifyDtsJob",
                "dts:StopDtsJob",
                "dts:DescribeDtsJobDetail",
                "dts:DescribeDtsJobs",
                "dts:ConfigureEtlJob",
                "dts:SaveEtlJob",
                "dts:SuspendDtsJob",
                "dts:DeleteDtsJob",
                "dts:ModifyDtsJobName",
                "dts:SkipPreCheck",
                "dts:DescribeDtsEtlJobVersionInfo",
                "dts:DescribeEtlJobLogs",
                "dts:PreviewSql",
                "dts:DescribePreCheckStatus",
                "dts:DescribeDtsJobLogs",
                "dts:DescribeJobMonitorRule",
                "dts:CreateJobMonitorRule",
                "dts:DescribeConfigRelations",
                "dts:DescribeFormInfo",
                "dts:DescribeDmsInstanceDetail",
                "dts:DescribeSchemaList",
                "dts:DescribeColumns",
                "dts:DescribeStruct",
                "dts:DescribeDtsInstancePrice",
                "dts:DescribeRegions",
                "dts:DescribeInstanceInventory",
                "dts:CreateCheckJob",
                "dts:DescribeCheckJobDiffDetails",
                "dts:EtlMockData",
                "dts:EtlMockResult",
                "dts:DescribeCheckJobStatus",
                "dts:DescribeDtsJobStatistics",
                "dts:Ping",
                "dts:DescribeUploadPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "apigateway:CreateApiGroup",
                "apigateway:ModifyApiGroup",
                "apigateway:DeleteApiGroup",
                "apigateway:DescribeApiGroups",
                "apigateway:CreateApi",
                "apigateway:ModifyApi",
                "apigateway:DeployApi",
                "apigateway:AbolishApi",
                "apigateway:DeleteApi",
                "apigateway:DescribeApi",
                "apigateway:DescribeApis",
                "apigateway:CreateApp",
                "apigateway:ModifyApp",
                "apigateway:DeleteApp",
                "apigateway:DescribeAppSecurity",
                "apigateway:ResetAppCode",
                "apigateway:ResetAppSecret",
                "apigateway:DescribeAppAttributes",
                "apigateway:SetApisAuthorities",
                "apigateway:DescribeAuthorizedApps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserGateways",
                "dg:GetUserDatabases",
                "dg:GetUserGatewayInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "openanalytics:QueryBucketList",
                "openanalytics:QueryDirectoryList",
                "openanalytics:ListVirtualClusters",
                "openanalytics:SubmitSparkJob",
                "openanalytics:KillSparkJob",
                "openanalytics:GetJobLog",
                "openanalytics:GetJobDetail",
                "openanalytics:GetJobStatus",
                "openanalytics:ExecuteService",
                "openanalytics:QueryService",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs:DescribeBackupPlanList",
                "dbs:DescribeFullBackupList",
                "dbs:CreateBackupPlan",
                "dbs:ConfigureBackupPlan",
                "dbs:ModifyBackupObjects",
                "dbs:StartBackupPlan",
                "dbs:ModifyBackupSourceEndpoint",
                "dbs:StartTask",
                "dbs:StopBackupPlan",
                "dbs:CreateRestoreTask",
                "dbs:StartRestoreTask",
                "dbs:DescribeRestoreTaskList",
                "dbs:DescribeRestoreRangeInfo",
                "dbs:CreateDLAService",
                "dbs:DescribeDLAService",
                "dbs:CloseDLAService",
                "dbs:CreateAndStartBackupPlan",
                "dbs:DescribeFullBackupSet",
                "dbs:DescribeDataSourceQueryableAttribute",
                "dbs:DescribeDataSourceQueryableAttributeDetail",
                "dbs:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oceanbase:DescribeAllTenantsConnectionInfo",
                "oceanbase:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dms.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "hbase:DescribeInstances",
                "hbase:DescribeInstance",
                "hbase:DescribeEndpoints",
                "hbase:DescribeIpWhitelist",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cassandra:DescribeClusters",
                "cassandra:DescribeCluster",
                "cassandra:DescribeDataCenters",
                "cassandra:DescribeIpWhitelistGroups",
                "cassandra:ModifyIpWhitelistGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceList",
                "lindorm:GetLindormInstance",
                "lindorm:GetLindormInstanceEngineList",
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:GetLindormInstanceForDMSByConnStr",
                "lindorm:GetInstanceIpWhiteList",
                "lindorm:UpdateInstanceIpWhiteList",
                "lindorm:CreateComputeEngineJob",
                "lindorm:GetComputeEngineJobDetail",
                "lindorm:GetComputeEngineJobLog",
                "lindorm:ReleaseLindormComputeJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:CreateDBCluster",
                "adb:CreateAccount",
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterNetInfo",
                "adb:SubmitSparkApp",
                "adb:KillSparkApp",
                "adb:ListSparkApps",
                "adb:GetSparkAppLog",
                "adb:GetSparkAppInfo",
                "adb:GetSparkAppState",
                "adb:GetSparkAppAttemptLog",
                "adb:GetSparkAppWebUiAddress",
                "adb:ListSparkAppAttempts",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeDBResourceGroup",
                "adb:ExecuteSparkWarehouseBatchSQL",
                "adb:CancelSparkWarehouseBatchSQL",
                "adb:GetSparkWarehouseBatchSQL"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstances",
                "gpdb:ResumeInstance",
                "gpdb:PauseInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hologram:GetInstance",
                "hologram:ListInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gdb:DescribeDbInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oss:ListBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "selectdb:DescribeDBInstances",
                "selectdb:DescribeDBInstanceAttribute",
                "selectdb:DescribeDBInstanceNetInfo",
                "selectdb:DescribeSecurityIPList",
                "selectdb:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBInstances",
                "clickhouse:DescribeDBInstanceAttribute",
                "clickhouse:DescribeEndpoints",
                "clickhouse:DescribeSecurityIPList",
                "clickhouse:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sr:ListInstances",
                "sr:GetInstanceDetail",
                "sr:DescribeRegions",
                "sr:GetDmsConnectionInfo",
                "sr:GetNetworkMappingIp"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs-inner:DescribeDataSourceQueryableAttribute",
                "dbs-inner:DescribeDataSourceQueryableAttributeDetail",
                "dbs-inner:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:ListSecrets",
                "kms:GetSecretValue",
                "kms:Decrypt",
                "kms:ListKmsInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:CreateAccount",
                "rds:DeleteAccount",
                "rds:ResetAccountPassword",
                "rds:GrantAccountPrivilege",
                "rds:RevokeAccountPrivilege",
                "rds:CheckAccountNameAvailable"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:tag/dms": "account-management"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Permissions required to create the AliyunServiceRoleForDMS role

Your RAM user must be granted the required permissions before the AliyunServiceRoleForDMS role is created for DMS.

If your RAM user does not have the required permissions, you must add the following policy and grant permissions to the RAM user. For more information, see Create custom policies and Grant permissions to a RAM user.

The following code shows the policy that allows authorized RAM users to create the AliyunServiceRoleForDMS role for DMS:

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Create the AliyunServiceRoleForDMS role

If your RAM user already has the required permissions to create the AliyunServiceRoleForDMS role for DMS, you can log on to the DMS console and click OK in the DMS Service-linked Role dialog box. This way, the system can automatically create the AliyunServiceRoleForDMS role for DMS. For more information, see the Create a service-linked role section of the "Service-linked roles" topic.

View the details of the AliyunServiceRoleForDMS role

After the AliyunServiceRoleForDMS role is created for DMS, you can view the role details in the RAM console, including the basic information, trust policy, and permissions of the AliyunServiceRoleForDMS role.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for the AliyunServiceRoleForDMS role and then click its name.

  4. View the basic information of the role.

    In the Basic Information section of the role details page, view the role information including the role name, creation time, and Alibaba Cloud Resource Name (ARN).

  5. View the trust policy of the role.

    On the role details page, click the Trust Policy tab to view the value of the Service field. The value indicates the cloud service that can assume the role. Example: "Service": ["dms.aliyuncs.com"].

  6. View the permissions that are granted to the role.

    1. On the role details page, click the Permissions tab.

    2. Click the AliyunServiceRolePolicyForDMS policy name.

    3. On the Policy Document tab of the page that appears, view the policy content.

    Note

    You cannot directly view the permissions that are granted to a service-linked role on the Policies page of the RAM console.
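Two small RAM documents decide who can create this role and who can assume it: the custom policy in "Permissions required to create the AliyunServiceRoleForDMS role", which should grant ram:CreateServiceLinkedRole only under a ram:ServiceName condition naming dms.aliyuncs.com, and the trust policy inspected in step 5 above, whose Service field should name dms.aliyuncs.com and nothing else. The following script is an added example, not part of this documentation or of the DMS product, that checks both. The creation policy is the one shown on this page; the over-broad variant and the full trust policy document are constructed for the example, and the trust-policy shape (a Statement with Action sts:AssumeRole and Principal.Service) is assumed here since the page shows only the Service field.

```python
"""Checks on the creation policy and the trust policy of a service-linked role
(added example).  Wildcard actions such as "ram:*" are not expanded."""
import json

SERVICE = "dms.aliyuncs.com"

# The creation policy shown on this page (a bare statement, no "Statement" list).
CREATE_POLICY = json.loads("""
{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {"StringEquals": {"ram:ServiceName": "dms.aliyuncs.com"}}
}
""")

# Constructed over-broad variant: same action, no ram:ServiceName condition,
# so the user could create the service-linked role of any service.
CREATE_POLICY_UNSCOPED = {
    "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
}

# Constructed trust policy; the page shows only the Service field of it.
TRUST_POLICY = json.loads("""
{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["dms.aliyuncs.com"]}}
  ],
  "Version": "1"
}
""")


def _as_list(value):
    """RAM allows strings or lists in these fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _statements(doc: dict) -> list:
    """Accept a bare statement (as on this page) or a full policy document."""
    return doc["Statement"] if "Statement" in doc else [doc]


def create_slr_scoped_to(doc: dict, service: str) -> bool:
    """True only if every Allow of ram:CreateServiceLinkedRole is tied to `service`
    through a StringEquals condition on ram:ServiceName."""
    for stmt in _statements(doc):
        if stmt.get("Effect") != "Allow":
            continue
        if "ram:CreateServiceLinkedRole" not in _as_list(stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("ram:ServiceName", [])) != [service]:
            return False
    return True


def trusted_services(trust_doc: dict) -> set:
    """Every service principal an Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in trust_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        services.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


def trust_policy_ok(trust_doc: dict, service: str) -> bool:
    """The role must be assumable by exactly the one expected service."""
    return trusted_services(trust_doc) == {service}


if __name__ == "__main__":
    print("creation policy scoped:", create_slr_scoped_to(CREATE_POLICY, SERVICE))
    print("unscoped variant scoped:", create_slr_scoped_to(CREATE_POLICY_UNSCOPED, SERVICE))
    print("trusted services:", sorted(trusted_services(TRUST_POLICY)))
    print("trust policy ok:", trust_policy_ok(TRUST_POLICY, SERVICE))
```

The trust check is the one worth automating: a permission policy this wide is only as safe as the set of principals that can assume the role, so the Trust Policy tab should list dms.aliyuncs.com alone, and any extra service or account principal found there is a finding.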

Delete the AliyunServiceRoleForDMS role

Before you delete the AliyunServiceRoleForDMS role, you must remove all instances from the instance list in the DMS console. For more information about how to remove an instance and delete a service-linked role, see Remove one or more instances and Delete a service-linked role.