Data Management: DMS service-linked role

Last updated: Jun 30, 2024

This topic describes the scenarios in which the Data Management (DMS) service-linked role (AliyunServiceRoleForDMS) is used and how to delete the service-linked role.

Background information

The DMS service-linked role is a type of RAM role. In some scenarios, DMS assumes this role to obtain access permissions on other cloud services in order to implement a specific feature. For more information about service-linked roles, see Service-linked roles.

Scenarios

When a DMS feature needs to access resources of ECS, VPC, RDS, or the various database engines and tools, DMS obtains the permissions to access those resources through the DMS service-linked role.

Introduction to AliyunServiceRoleForDMS

Role name: AliyunServiceRoleForDMS.

Policy name: AliyunServiceRolePolicyForDMS.

Permission description: after the service-linked role is created, DMS can access resources of ECS, VPC, RDS, and the various database engines and tools.

What the permissions are used for

  • Query resource details of database services such as RDS, PolarDB, and Lindorm in order to manage cloud databases.

  • Query resource details of ECS and VPC in order to manage ECS-hosted and Internet-accessible self-managed databases.

  • Use cloud ecosystem tools such as DTS and DBS for one-stop data management.

Policy content

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeInstances",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:DescribeImages",
        "ecs:CreateSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:RevokeSecurityGroup",
        "ecs:DescribeRegions",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceAttribute",
        "ecs:CreateCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeInvocationResults"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/dms": "script-for-dms"
        }
      },
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:InvokeCommand",
        "ecs:StopInvocation"
      ],
      "Resource": "acs:ecs:*:*:command/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeBinlogFiles",
        "rds:DescribeDBInstancePerformance",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeSlowLogs",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSQLCollectorPolicy",
        "rds:ModifySQLCollectorPolicy",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeSQLLogFiles",
        "rds:DescribeResourceUsage",
        "rds:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstanceAttribute",
        "rds:ModifyBackupPolicy",
        "rds:DescribeSecurityGroupConfiguration",
        "rds:DescribeDBInstanceEncryptionKey",
        "rds:DescribeDBInstanceTDE",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeCrossRegionBackupDBInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeSecurityIps",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeRegions",
        "kvstore:DescribeInstances",
        "kvstore:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsInstances",
        "drds:QueryInstanceInfoByConn",
        "drds:DescribeDrdsInstanceList",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:ModifyDrdsIpWhiteList",
        "drds:DescribeDrdsInstanceVersion"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeRegions",
        "polardb:DescribeDBClusters",
        "polardb:DescribeDBClusterAttribute",
        "polardb:DescribeDBClusterEndpoints"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardbx:DescribeDBInstances",
        "polardbx:DescribeSecurityIps",
        "polardbx:ModifySecurityIps",
        "polardbx:DescribeDBInstanceAttribute",
        "polardbx:DescribeBinaryLogList"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "petadata:DescribeInstances",
        "petadata:DescribeInstanceInfoByConnection",
        "petadata:DescribeSecurityIPs",
        "petadata:ModifySecurityIPs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "hdm:AccessHDMInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dts:CreateMigrationJob",
        "dts:ConfigureMigrationJob",
        "dts:StartMigrationJob",
        "dts:StopMigrationJob",
        "dts:DescribeMigrationJobStatus",
        "dts:DescribeMigrationJobDetail",
        "dts:CreateSynchronizationJob",
        "dts:ConfigureSynchronizationJob",
        "dts:StartSynchronizationJob",
        "dts:SuspendSynchronizationJob",
        "dts:DescribeSynchronizationJobStatus",
        "dts:ShieldPrecheck",
        "dts:CreateDtsInstance",
        "dts:ConfigureDtsJob",
        "dts:StartDtsJob",
        "dts:ModifyDtsJob",
        "dts:StopDtsJob",
        "dts:DescribeDtsJobDetail",
        "dts:DescribeDtsJobs",
        "dts:ConfigureEtlJob",
        "dts:SaveEtlJob",
        "dts:SuspendDtsJob",
        "dts:DeleteDtsJob",
        "dts:ModifyDtsJobName",
        "dts:SkipPreCheck",
        "dts:DescribeDtsEtlJobVersionInfo",
        "dts:DescribeEtlJobLogs",
        "dts:PreviewSql",
        "dts:DescribePreCheckStatus",
        "dts:DescribeDtsJobLogs",
        "dts:DescribeJobMonitorRule",
        "dts:CreateJobMonitorRule",
        "dts:DescribeConfigRelations",
        "dts:DescribeFormInfo",
        "dts:DescribeDmsInstanceDetail",
        "dts:DescribeSchemaList",
        "dts:DescribeColumns",
        "dts:DescribeStruct",
        "dts:DescribeDtsInstancePrice",
        "dts:DescribeRegions",
        "dts:DescribeInstanceInventory",
        "dts:CreateCheckJob",
        "dts:DescribeCheckJobDiffDetails",
        "dts:EtlMockData",
        "dts:EtlMockResult",
        "dts:DescribeCheckJobStatus",
        "dts:Ping"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "apigateway:CreateApiGroup",
        "apigateway:ModifyApiGroup",
        "apigateway:DeleteApiGroup",
        "apigateway:DescribeApiGroups",
        "apigateway:CreateApi",
        "apigateway:ModifyApi",
        "apigateway:DeployApi",
        "apigateway:AbolishApi",
        "apigateway:DeleteApi",
        "apigateway:DescribeApi",
        "apigateway:DescribeApis",
        "apigateway:CreateApp",
        "apigateway:ModifyApp",
        "apigateway:DeleteApp",
        "apigateway:DescribeAppSecurity",
        "apigateway:ResetAppCode",
        "apigateway:ResetAppSecret",
        "apigateway:DescribeAppAttributes",
        "apigateway:SetApisAuthorities",
        "apigateway:DescribeAuthorizedApps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dg:GetUserGateways",
        "dg:GetUserDatabases"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "openanalytics:QueryBucketList",
        "openanalytics:QueryDirectoryList",
        "openanalytics:ListVirtualClusters",
        "openanalytics:SubmitSparkJob",
        "openanalytics:KillSparkJob",
        "openanalytics:GetJobLog",
        "openanalytics:GetJobDetail",
        "openanalytics:GetJobStatus",
        "openanalytics:ExecuteService",
        "openanalytics:QueryService",
        "openanalytics:ExecuteOnVirtualCluster"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dbs:DescribeBackupPlanList",
        "dbs:DescribeFullBackupList",
        "dbs:CreateBackupPlan",
        "dbs:ConfigureBackupPlan",
        "dbs:ModifyBackupObjects",
        "dbs:StartBackupPlan",
        "dbs:ModifyBackupSourceEndpoint",
        "dbs:StartTask",
        "dbs:StopBackupPlan",
        "dbs:CreateRestoreTask",
        "dbs:StartRestoreTask",
        "dbs:DescribeRestoreTaskList",
        "dbs:DescribeRestoreRangeInfo",
        "dbs:CreateDLAService",
        "dbs:DescribeDLAService",
        "dbs:CloseDLAService",
        "dbs:CreateAndStartBackupPlan",
        "dbs:DescribeFullBackupSet",
        "dbs:DescribeDataSourceQueryableAttribute",
        "dbs:DescribeDataSourceQueryableAttributeDetail",
        "dbs:GetTimeTravelInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oceanbase:DescribeAllTenantsConnectionInfo",
        "oceanbase:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dms.aliyuncs.com"
        }
      }
    },
    {
      "Action": [
        "hbase:DescribeInstances",
        "hbase:DescribeInstance",
        "hbase:DescribeEndpoints",
        "hbase:DescribeIpWhitelist",
        "hbase:ModifyIpWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cassandra:DescribeClusters",
        "cassandra:DescribeCluster",
        "cassandra:DescribeDataCenters",
        "cassandra:DescribeIpWhitelistGroups",
        "cassandra:ModifyIpWhitelistGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lindorm:GetLindormInstanceList",
        "lindorm:GetLindormInstance",
        "lindorm:GetLindormInstanceEngineList",
        "lindorm:GetLindormInstanceListForDMS",
        "lindorm:GetLindormInstanceForDMS",
        "lindorm:GetLindormInstanceForDMSByConnStr",
        "lindorm:GetInstanceIpWhiteList",
        "lindorm:UpdateInstanceIpWhiteList",
        "lindorm:CreateComputeEngineJob",
        "lindorm:GetComputeEngineJobDetail",
        "lindorm:GetComputeEngineJobLog",
        "lindorm:ReleaseLindormComputeJob"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "adb:CreateDBCluster",
        "adb:CreateAccount",
        "adb:DescribeDBClusters",
        "adb:DescribeDBClusterNetInfo",
        "adb:SubmitSparkApp",
        "adb:KillSparkApp",
        "adb:ListSparkApps",
        "adb:GetSparkAppLog",
        "adb:GetSparkAppInfo",
        "adb:GetSparkAppState",
        "adb:GetSparkAppAttemptLog",
        "adb:GetSparkAppWebUiAddress",
        "adb:ListSparkAppAttempts",
        "adb:DescribeDBResourceGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "gpdb:DescribeDBInstances",
        "gpdb:ResumeInstance",
        "gpdb:PauseInstance"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
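As an added example that is not part of the Alibaba Cloud documentation, the following Python script parses a RAM policy document in the format shown above and sorts every allowed action into read-only, scoped-mutating, or unscoped-mutating, so a reviewer can see at a glance which write actions are granted on Resource "*" with no Condition versus those scoped like the tag-conditioned ecs:InvokeCommand statement. The embedded policy is a constructed excerpt of AliyunServiceRolePolicyForDMS, and the read-only classification by verb prefix is a heuristic, not an official action taxonomy.

```python
import json
import re

# Constructed excerpt of the AliyunServiceRolePolicyForDMS document shown above
# (a few statements only, kept in the same shape as the full policy).
POLICY_EXCERPT = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                    "ecs:AuthorizeSecurityGroup"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
         "Resource": "acs:ecs:*:*:instance/*",
         "Condition": {"StringEquals": {"acs:ResourceTag/dms": "script-for-dms"}},
         "Effect": "Allow"},
        {"Action": ["rds:DescribeDBInstances", "rds:ModifyBackupPolicy"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "dms.aliyuncs.com"}}},
    ],
})

# Heuristic: actions whose verb is Describe/Get/List/Query/Ping only read state.
READ_ONLY = re.compile(r"^[a-z0-9]+:(Describe|Get|List|Query|Ping)")


def _as_list(value):
    # RAM allows "Action" and "Resource" to be either a string or a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Classify every Allow action as read_only, scoped (mutating) or unscoped (mutating).

    A mutating action counts as scoped when its statement carries a Condition
    or names a concrete Resource instead of "*" (as the ecs:InvokeCommand
    statement does with the acs:ResourceTag/dms condition)."""
    report = {"read_only": [], "scoped": [], "unscoped": []}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        scoped = "Condition" in stmt or "*" not in _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if READ_ONLY.match(action):
                report["read_only"].append(action)
            elif scoped:
                report["scoped"].append(action)
            else:
                report["unscoped"].append(action)
    return report


if __name__ == "__main__":
    for bucket, actions in audit_policy(POLICY_EXCERPT).items():
        print(f"{bucket}: {', '.join(actions)}")
```

Paste the full policy from this page in place of the excerpt to get the complete inventory; the "unscoped" bucket is the list to review against what DMS actually needs in your account.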

Permissions required to create the service-linked role

You must have the specified permissions before you can create the DMS service-linked role.

If your RAM user lacks the required permissions, add the following permissions and then grant them to the RAM user. For the specific steps to add permissions and grant them, see Create a custom policy and Grant permissions to a RAM user.

Sample policy: allow the service-linked role to be created for DMS.

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Create the service-linked role

If your RAM user has been granted the permission to create the DMS service-linked role, log on to the DMS console and click Confirm in the DMS service-linked role dialog box that appears. The system then creates the DMS service-linked role for you automatically. For more information about creating service-linked roles, see Create a service-linked role.

Delete the service-linked role

If you need to delete the service-linked role (AliyunServiceRoleForDMS), first remove all instances from the instance list in the DMS console, and only then attempt to delete the service-linked role. For the specific steps to remove instances and delete the service-linked role, see Delete an instance and Delete a service-linked role.