
DataWorks: Service-linked roles for DataWorks Data Integration

Updated: Feb 28, 2024

Data Integration supports the RAM role authorization mode. This topic describes how to obtain the list of RAM roles related to DataWorks Data Integration, how to delete the service-linked roles, and the permissions that a RAM user (sub-account) needs in order to create the service-linked roles.

Scenarios

When you create a DataWorks data source in RAM role authorization mode, you select a custom RAM role that is used to access the data source, for example OSS.

You must authorize the DataWorks service to assume the service-linked role AliyunServiceRoleForDataWorksDI so that it can obtain the list of RAM roles related to DataWorks Data Integration for you to choose from.

You must also authorize the DataWorks service to assume the service-linked role AliyunDIDefaultRole so that DataWorks Data Integration can call the OpenAPI of the relevant data sources.

About AliyunServiceRoleForDataWorksDI

  • Role name: AliyunServiceRoleForDataWorksDI
  • Role policy: AliyunServiceRolePolicyForDataWorksDI
  • Permission description: allows DataWorks to read the list of RAM roles related to DataWorks Data Integration.
  • Purpose of the permission: lists the RAM roles related to DataWorks Data Integration.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:ListRoles",
                "ram:GetRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

About AliyunDIDefaultRole

  • Role name: AliyunDIDefaultRole
  • Role policy: AliyunDIRolePolicy
  • Permission description: allows DataWorks to access resources of other cloud services under the current Alibaba Cloud account. This includes partial management permissions on RDS, Redis, MongoDB, PolarDB-X, HybridDB for MySQL, AnalyticDB for PostgreSQL, PolarDB, DMS and DLF resources.
  • Purpose of the permission: lets DataWorks access the relevant resources during data source configuration, task configuration and data synchronization.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstances",
        "rds:DescribeRegions",
        "rds:DescribeDatabases",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:ModifySecurityGroupConfiguration",
        "rds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:DescribeRegions",
        "kvstore:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeSecurityIps",
        "dds:DescribeRegions",
        "dds:DescribeDBInstances",
        "dds:DescribeReplicaSetRole",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsInstance",
        "drds:DescribeDrdsDbList",
        "drds:DescribeDrdsDb",
        "drds:DescribeLogicTableList",
        "drds:DescribeRegions",
        "drds:ModifyDrdsIpWhiteList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstanceInfo",
        "petadata:DescribeInstances",
        "petadata:DescribeDatabases",
        "petadata:DescribeTables",
        "petadata:DescribeTableInfo",
        "petadata:DescribeInstancePerformance",
        "petadata:DescribeDatabasePerformance",
        "petadata:DescribeInstanceResourceUsage",
        "petadata:DescribeDatabaseResourceUsage",
        "petadata:DescribeRegions",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstanceAttribute",
        "gpdb:DescribeDBInstances",
        "gpdb:DescribeResourceUsage",
        "gpdb:DescribeDBInstanceIPArrayList",
        "gpdb:DescribeDBClusterIPArrayList",
        "gpdb:DescribeDBInstancePerformance",
        "gpdb:DescribeDBInstanceNetInfo",
        "gpdb:DescribeRegions",
        "gpdb:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeClusterInfo",
        "polardb:DescribeDBClusterParameters",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:ModifyDBClusterAccessWhitelist",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dms:ListUsers",
        "dms:ListDatabases",
        "dms:ListLogicTables",
        "dms:GetLogicDatabase",
        "dms:SearchDatabase",
        "dms:GetMetaTableDetailInfo",
        "dms:SearchTable",
        "dms:ExecuteScript",
        "dms:ListTables",
        "dms:GetDatabase",
        "dms:ListInstances",
        "dms:GetTableDBTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dlf:GetServiceStatus",
        "dlf:ListDatabases",
        "dlf:CreateDatabase",
        "dlf:CreateTable",
        "dlf:BatchCreateTables",
        "dlf:CreatePartition",
        "dlf:ListTableNames",
        "dlf:GetTable",
        "dlf:UpdateDatabase",
        "dlf:UpdateTable",
        "dlf:DescribeRegions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Delete the service-linked roles

  • You can delete the AliyunServiceRoleForDataWorksDI role at any time. If you delete it, the RAM roles related to DataWorks Data Integration can no longer be listed and selected when you create a data source in DataWorks. For more information, see Delete a service-linked role.
  • You can delete the AliyunDIDefaultRole role at any time. If you delete it, DataWorks may be unable to query the information of the corresponding cloud services during data source configuration, task configuration and data synchronization, which leads to connectivity test errors, task configuration errors, data synchronization errors and similar failures.

Permissions a RAM user needs to create the service-linked roles

  • A RAM user that is granted the DataWorksFullAccess policy, or the following policy, can create the service-linked role AliyunServiceRoleForDataWorksDI.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "dataworks:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "di.dataworks.aliyuncs.com"
                    }
                }
            }
        ]
    }
  • The policy a RAM user needs in order to add the AliyunDIDefaultRole role is as follows.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:CreateRole",
                    "ram:AttachPolicyToRole"
                ],
                "Resource": "*"
            }
        ]
    }
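Reviewing the two policies above from a least-privilege angle, an added example that is not part of the DataWorks documentation: the first function separates the state-changing grants in AliyunDIRolePolicy (whitelist and IP changes, DDL, script execution) from the read-only Describe/List/Get/Search grants, and the second checks that the RAM-user policy only allows creating the service-linked role for di.dataworks.aliyuncs.com. The verb prefixes treated as read-only are an assumption based on the action names on this page; the policy excerpts are constructed from the page's own statements.

```python
import json

# Constructed excerpt: two statements copied from AliyunDIRolePolicy on this page.
DI_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["rds:DescribeDBInstances", "rds:ModifySecurityGroupConfiguration",
              "rds:ModifySecurityIps"], "Resource": "*", "Effect": "Allow"},
  {"Action": ["dms:ListDatabases", "dms:ExecuteScript"],
   "Resource": "*", "Effect": "Allow"}]}""")

# The RAM-user policy from this page for creating AliyunServiceRoleForDataWorksDI.
SLR_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "di.dataworks.aliyuncs.com"}}}]}""")

# Assumption: actions whose verb starts with one of these only read state.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Search")


def allowed_actions(policy):
    """Yield (statement, action) for each Allow grant; RAM accepts Action as
    either a single string or a list, so both shapes are normalised here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        for act in ([acts] if isinstance(acts, str) else acts):
            yield stmt, act


def mutating_actions(policy):
    """Actions that can change resource state (whitelist edits, DDL, script
    execution): the grants to watch in ActionTrail when this role is assumed."""
    found = {act for _, act in allowed_actions(policy)
             if not act.partition(":")[2].startswith(READ_ONLY_VERBS)}
    return sorted(found)


def slr_creation_scoped_to(policy, service_name):
    """True only if every grant able to create a service-linked role carries the
    ram:ServiceName condition for service_name; 'ram:*' or '*' counts as unscoped."""
    grants = [(s, a) for s, a in allowed_actions(policy)
              if a in ("ram:CreateServiceLinkedRole", "ram:*", "*")]
    return bool(grants) and all(
        a == "ram:CreateServiceLinkedRole"
        and s.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        == service_name
        for s, a in grants)
```

Run `mutating_actions` over the full AliyunDIRolePolicy to get the complete list of write grants; those are the calls whose appearance under this role in ActionTrail deserves an alert.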