本文介紹Data Management服務關聯角色(AliyunServiceRoleForDMS)的應用情境以及如何刪除服務關聯角色。
背景資訊
DMS服務關聯角色是一種RAM角色(RAM role)。在某些情境下,該角色可以協助DMS擷取到其他雲端服務的存取權限,來實現自身的某個功能。更多關於服務關聯角色的資訊,請參見服務關聯角色。
應用情境
當DMS部分功能需要訪問ECS、VPC、RDS以及各類型資料庫或工具相關的資源時,您可以通過DMS服務關聯角色擷取訪問資源的許可權。
AliyunServiceRoleForDMS介紹
角色名稱:AliyunServiceRoleForDMS。
策略名稱稱:AliyunServiceRolePolicyForDMS。
許可權說明:建立該關聯角色後,DMS即可訪問ECS、VPC、RDS以及各類型資料庫或工具相關的資源。
許可權的作用
查詢RDS、PolarDB、Lindorm等各類型資料庫的資源詳情,以便管理雲資料庫。
查詢ECS、VPC的資源詳情,以便管理ECS、公網自建資料庫。
使用DTS、DBS等雲生態工具,進行一站式的資料管理。
策略內容
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:DescribeInstances",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DescribeImages",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:RevokeSecurityGroup",
"ecs:DescribeRegions",
"ecs:DescribeInstances",
"ecs:DescribeInstanceAttribute",
"ecs:CreateCommand",
"ecs:DeleteCommand",
"ecs:DescribeInvocationResults"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ecs:InvokeCommand",
"ecs:StopInvocation"
],
"Resource": "acs:ecs:*:*:instance/*",
"Condition": {
"StringEquals": {
"acs:ResourceTag/dms": "script-for-dms"
}
},
"Effect": "Allow"
},
{
"Action": [
"ecs:InvokeCommand",
"ecs:StopInvocation"
],
"Resource": "acs:ecs:*:*:command/*",
"Effect": "Allow"
},
{
"Action": [
"rds:DescribeDBInstanceHAConfig",
"rds:DescribeBinlogFiles",
"rds:DescribeDBInstancePerformance",
"rds:DescribeDBInstanceAttribute",
"rds:DescribeSlowLogs",
"rds:DescribeSlowLogRecords",
"rds:DescribeSQLCollectorPolicy",
"rds:ModifySQLCollectorPolicy",
"rds:DescribeSQLLogRecords",
"rds:DescribeSQLLogFiles",
"rds:DescribeResourceUsage",
"rds:DescribeRegions",
"rds:DescribeDBInstances",
"rds:DescribeDBInstanceAttribute",
"rds:ModifyBackupPolicy",
"rds:DescribeSecurityGroupConfiguration",
"rds:DescribeDBInstanceEncryptionKey",
"rds:DescribeDBInstanceTDE",
"rds:DescribeDBInstanceSSL",
"rds:DescribeCrossRegionBackupDBInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dds:DescribeSecurityIps",
"dds:ModifySecurityIps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"kvstore:DescribeSecurityIps",
"kvstore:ModifySecurityIps",
"kvstore:DescribeRegions",
"kvstore:DescribeInstances",
"kvstore:DescribeInstanceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"drds:DescribeDrdsInstances",
"drds:QueryInstanceInfoByConn",
"drds:DescribeDrdsInstanceList",
"drds:DescribeDrdsDBIpWhiteList",
"drds:ModifyDrdsIpWhiteList",
"drds:DescribeDrdsInstanceVersion"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardb:DescribeRegions",
"polardb:DescribeDBClusters",
"polardb:DescribeDBClusterAttribute",
"polardb:DescribeDBClusterEndpoints"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"polardbx:DescribeDBInstances",
"polardbx:DescribeSecurityIps",
"polardbx:ModifySecurityIps",
"polardbx:DescribeDBInstanceAttribute",
"polardbx:DescribeBinaryLogList"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"petadata:DescribeInstances",
"petadata:DescribeInstanceInfoByConnection",
"petadata:DescribeSecurityIPs",
"petadata:ModifySecurityIPs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"hdm:AccessHDMInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dts:CreateMigrationJob",
"dts:ConfigureMigrationJob",
"dts:StartMigrationJob",
"dts:StopMigrationJob",
"dts:DescribeMigrationJobStatus",
"dts:DescribeMigrationJobDetail",
"dts:CreateSynchronizationJob",
"dts:ConfigureSynchronizationJob",
"dts:StartSynchronizationJob",
"dts:SuspendSynchronizationJob",
"dts:DescribeSynchronizationJobStatus",
"dts:ShieldPrecheck",
"dts:CreateDtsInstance",
"dts:ConfigureDtsJob",
"dts:StartDtsJob",
"dts:ModifyDtsJob",
"dts:StopDtsJob",
"dts:DescribeDtsJobDetail",
"dts:DescribeDtsJobs",
"dts:ConfigureEtlJob",
"dts:SaveEtlJob",
"dts:SuspendDtsJob",
"dts:DeleteDtsJob",
"dts:ModifyDtsJobName",
"dts:SkipPreCheck",
"dts:DescribeDtsEtlJobVersionInfo",
"dts:DescribeEtlJobLogs",
"dts:PreviewSql",
"dts:DescribePreCheckStatus",
"dts:DescribeDtsJobLogs",
"dts:DescribeJobMonitorRule",
"dts:CreateJobMonitorRule",
"dts:DescribeConfigRelations",
"dts:DescribeFormInfo",
"dts:DescribeDmsInstanceDetail",
"dts:DescribeSchemaList",
"dts:DescribeColumns",
"dts:DescribeStruct",
"dts:DescribeDtsInstancePrice",
"dts:DescribeRegions",
"dts:DescribeInstanceInventory",
"dts:CreateCheckJob",
"dts:DescribeCheckJobDiffDetails",
"dts:EtlMockData",
"dts:EtlMockResult",
"dts:DescribeCheckJobStatus",
"dts:Ping"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"apigateway:CreateApiGroup",
"apigateway:ModifyApiGroup",
"apigateway:DeleteApiGroup",
"apigateway:DescribeApiGroups",
"apigateway:CreateApi",
"apigateway:ModifyApi",
"apigateway:DeployApi",
"apigateway:AbolishApi",
"apigateway:DeleteApi",
"apigateway:DescribeApi",
"apigateway:DescribeApis",
"apigateway:CreateApp",
"apigateway:ModifyApp",
"apigateway:DeleteApp",
"apigateway:DescribeAppSecurity",
"apigateway:ResetAppCode",
"apigateway:ResetAppSecret",
"apigateway:DescribeAppAttributes",
"apigateway:SetApisAuthorities",
"apigateway:DescribeAuthorizedApps"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dg:GetUserGateways",
"dg:GetUserDatabases"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"openanalytics:QueryBucketList",
"openanalytics:QueryDirectoryList",
"openanalytics:ListVirtualClusters",
"openanalytics:SubmitSparkJob",
"openanalytics:KillSparkJob",
"openanalytics:GetJobLog",
"openanalytics:GetJobDetail",
"openanalytics:GetJobStatus",
"openanalytics:ExecuteService",
"openanalytics:QueryService",
"openanalytics:ExecuteOnVirtualCluster"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"dbs:DescribeBackupPlanList",
"dbs:DescribeFullBackupList",
"dbs:CreateBackupPlan",
"dbs:ConfigureBackupPlan",
"dbs:ModifyBackupObjects",
"dbs:StartBackupPlan",
"dbs:ModifyBackupSourceEndpoint",
"dbs:StartTask",
"dbs:StopBackupPlan",
"dbs:CreateRestoreTask",
"dbs:StartRestoreTask",
"dbs:DescribeRestoreTaskList",
"dbs:DescribeRestoreRangeInfo",
"dbs:CreateDLAService",
"dbs:DescribeDLAService",
"dbs:CloseDLAService",
"dbs:CreateAndStartBackupPlan",
"dbs:DescribeFullBackupSet",
"dbs:DescribeDataSourceQueryableAttribute",
"dbs:DescribeDataSourceQueryableAttributeDetail",
"dbs:GetTimeTravelInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"oceanbase:DescribeAllTenantsConnectionInfo",
"oceanbase:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "dms.aliyuncs.com"
}
}
},
{
"Action": [
"hbase:DescribeInstances",
"hbase:DescribeInstance",
"hbase:DescribeEndpoints",
"hbase:DescribeIpWhitelist",
"hbase:ModifyIpWhitelist"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"cassandra:DescribeClusters",
"cassandra:DescribeCluster",
"cassandra:DescribeDataCenters",
"cassandra:DescribeIpWhitelistGroups",
"cassandra:ModifyIpWhitelistGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lindorm:GetLindormInstanceList",
"lindorm:GetLindormInstance",
"lindorm:GetLindormInstanceEngineList",
"lindorm:GetLindormInstanceListForDMS",
"lindorm:GetLindormInstanceForDMS",
"lindorm:GetLindormInstanceForDMSByConnStr",
"lindorm:GetInstanceIpWhiteList",
"lindorm:UpdateInstanceIpWhiteList",
"lindorm:CreateComputeEngineJob",
"lindorm:GetComputeEngineJobDetail",
"lindorm:GetComputeEngineJobLog",
"lindorm:ReleaseLindormComputeJob"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"adb:CreateDBCluster",
"adb:CreateAccount",
"adb:DescribeDBClusters",
"adb:DescribeDBClusterNetInfo",
"adb:SubmitSparkApp",
"adb:KillSparkApp",
"adb:ListSparkApps",
"adb:GetSparkAppLog",
"adb:GetSparkAppInfo",
"adb:GetSparkAppState",
"adb:GetSparkAppAttemptLog",
"adb:GetSparkAppWebUiAddress",
"adb:ListSparkAppAttempts",
"adb:DescribeDBResourceGroup"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"gpdb:DescribeDBInstances",
"gpdb:ResumeInstance",
"gpdb:PauseInstance"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcs",
"vpc:DescribeVSwitches"
],
"Resource": "*",
"Effect": "Allow"
}
]
}建立服務關聯角色所需的許可權
您需要擁有指定的許可權,才能建立DMS服務關聯角色。
若您的RAM使用者權限不足,則需要添加如下許可權後再執行為RAM使用者授權操作。添加許可權和授權的具體操作,請參見建立自訂權限原則和為RAM使用者授權。
權限原則樣本:允許為DMS建立服務關聯角色。
{
"Action":"ram:CreateServiceLinkedRole",
"Resource":"*",
"Effect":"Allow",
"Condition":{
"StringEquals":{
"ram:ServiceName": "dms.aliyuncs.com"
}
}
}建立服務關聯角色
若您的RAM使用者已添加DMS建立服務關聯角色許可權,則需要登入DMS控制台,並且在彈出的DMS服務關聯角色對話方塊中,單擊確認,系統將自動為您建立DMS服務關聯角色。更多建立服務關聯角色資訊,請參見建立服務關聯角色。
刪除服務關聯角色
若您需要刪除服務關聯角色(AliyunServiceRoleForDMS),需要在DMS控制台上移除執行個體列表中的所有執行個體,移除後再嘗試刪除該服務關聯角色。移除執行個體和服務關聯角色的具體操作,請參見刪除執行個體和刪除服務關聯角色。