By default, an Alibaba Cloud account has full permissions on its resources. You can grant the permissions on Data Transmission Service (DTS) resources to specific Resource Access Management (RAM) users that belong to the Alibaba Cloud account.
Precautions
To ensure that RAM authentication works, we recommend that you upgrade the SDK to version 2.0.18 or later. For more information, see DTS SDK for Java.
Limits
Only resource-level authorization is supported. Action-level authorization is not supported.
Authentication rules
When you use a RAM user or a Security Token Service (STS) token to call an API operation of DTS, RAM checks whether you have the required permissions based on the semantics of the operation and the relevant resource.
Resource types that can be authorized
Resource type | Syntax of authorization policy | Example |
---|---|---|
Instance | acs:dts:$regionid:$accountid:instance/$instanceid<br>acs:dts:$regionid:$accountid:instance/* | acs:dts:cn-hangzhou:1234567890123:instance/* |
- $regionid: the region ID. You can replace this parameter with an asterisk (*) for fuzzy match.
- $instanceid: the instance ID. You can replace this parameter with an asterisk (*) for fuzzy match.
- $accountid: the ID of your Alibaba Cloud account. You can replace this parameter with an asterisk (*) for fuzzy match.
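An added example, not part of the original documentation or Alibaba Cloud's tooling: a small Python check that parses the Resource entries of a RAM policy against the instance syntax above and reports which of $regionid, $accountid and $instanceid are wildcarded, so broad grants stand out in review. The policy envelope (Version, Statement, Effect, Action with the value dts:*), the function name audit_dts_resources, and the instance ID dtsexample0001 are assumptions made for illustration.

```python
import json
import re

# Resource syntax from the table above:
#   acs:dts:$regionid:$accountid:instance/$instanceid
DTS_RESOURCE = re.compile(
    r"^acs:dts:(?P<regionid>[^:]*):(?P<accountid>[^:]*):instance/(?P<instanceid>.+)$"
)

def audit_dts_resources(policy):
    """Return one finding per DTS resource found in Allow statements.

    Each finding names the fields (regionid/accountid/instanceid) that
    contain an asterisk, or marks the resource as not matching the syntax.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):     # a single resource string
            resources = [resources]
        for res in resources:
            if not res.startswith("acs:dts:"):
                continue                   # other services are out of scope
            m = DTS_RESOURCE.match(res)
            wild = [k for k, v in m.groupdict().items() if "*" in v] if m else []
            findings.append({"resource": res,
                             "matches_syntax": m is not None,
                             "wildcards": wild})
    return findings

# Constructed sample policy. The first resource is the example from the
# table; dtsexample0001 is a made-up instance ID; the Action value is assumed.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Action": "dts:*",
  "Resource": ["acs:dts:cn-hangzhou:1234567890123:instance/*",
               "acs:dts:cn-hangzhou:1234567890123:instance/dtsexample0001",
               "acs:dts:*:*:instance/*",
               "acs:dts:cn-hangzhou:1234567890123:job/x"]}]}
""")

if __name__ == "__main__":
    for finding in audit_dts_resources(SAMPLE_POLICY):
        print(finding)
```

Because only resource-level authorization is supported, the scope of a grant is decided by these three fields, so a finding with an empty wildcard list is the narrowest form the syntax allows.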
New request parameter
The AccountId parameter is added to each API operation of SDK version 2.0.18 and later.
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
AccountId | String | No | 1234567890123 | The ID of the Alibaba Cloud account that owns the resource accessed by using the STS token. Note: If the account ID is configured in the permission policy, you must specify the AccountId parameter. |