If you use Data Transmission Service (DTS) for the first time, you must assign the default role AliyunDTSDefaultRole to DTS and attach the AliyunDTSRolePolicy policy to the role. After the authorization is complete, DTS can access Alibaba Cloud resources such as ApsaraDB for RDS and Elastic Compute Service (ECS) instances within the current Alibaba Cloud account. When you configure data migration, data synchronization, or change tracking tasks, you can specify relevant Alibaba Cloud resources to be accessed by DTS.
Background information
If you do not authorize DTS to access Alibaba Cloud resources,
the following error message is displayed when you log on to the DTS console.
the following error message is displayed when you configure a task.
Usage notes
If the current Alibaba Cloud account has been authorized, no message is displayed to prompt authorization when you log on to the DTS console. You can skip the steps that are described in the "Authorize DTS to access Alibaba Cloud resources in the Cloud Resource Access Authorization message" and "Authorize DTS to access Alibaba Cloud resources in the RAM console" sections of this topic.
Authorize DTS to access Alibaba Cloud resources in the Cloud Resource Access Authorization message
Log on to the DTS console by using an Alibaba Cloud account.
In the Error Message message, click Authorize Role in RAM Console.
NoteYou can also authorize DTS to access Alibaba Cloud resources in the Resource Access Management (RAM) console. For more information, see the Authorize DTS to access Alibaba Cloud resources in the RAM console section of this topic.
In the Cloud Resource Access Authorization message, click Confirm Authorization Policy.
If the "Cloud resource access authorization successful" message appears, the authorization is complete.
Authorize DTS to access Alibaba Cloud resources in the RAM console
Find the default role.
Log on to the RAM console.
In the left-side navigation pane, choose .
To the right of Create Role, enter AliyunDTSDefaultRole in the search box.
Find the role AliyunDTSDefaultRole and click it name.
Grant the required permissions to the RAM role.
On the Permissions tab, click Precise Permission.
Optional. In the Precise Permission panel, select System Policy for the Type parameter.
In the Policy Name field, enter AliyunDTSRolePolicy.
Click OK.
After you grant the required permissions, click Close.
View the authorization result
You can perform the following steps to view the result of authorization by using the default role. If you have created the role AliyunDTSDefaultRole and assigned the role to DTS, but the system still prompts that DTS is not authorized to access Alibaba Cloud resources, you can also see the following steps to grant the permissions to DTS again.
Log on to the RAM console by using an Alibaba Cloud account.
In the left-side navigation pane, choose .
In the left-side navigation pane, choose Identities > Roles. On the page that appears, enter AliyunDTSDefaultRole in the search box to the right of Create Role.
Find the role AliyunDTSDefaultRole and click it name.
Click the role AliyunDTSDefaultRole to view the role details.
If both of the following conditions are met, the authorization is successful:
On the Trust Policy tab,
dts.aliyuncs.comis included in the Service field.
On the Permissions tab, the AliyunDTSRolePolicy policy exists.
If one of the preceding conditions is not met, the authorization fails. You must grant the permissions again.
Delete the role AliyunDTSDefaultRole and go to the Cloud Resource Access Authorization page to authorize DTS to access Alibaba Cloud resources.
Policy description
The AliyunDTSRolePolicy policy is used to grant permissions to the default role AliyunDTSDefaultRole. These permissions allow DTS to manage multiple cloud resources such as ApsaraDB for RDS, ECS, PolarDB, ApsaraDB for MongoDB, ApsaraDB for Redis, PolarDB-X, DataHub, and Elasticsearch. For more information, see AliyunDTSRolePolicy.
For more information about the policy, see Policy structure and syntax.