
Data Management (DMS): DMS service-linked role

Last updated: Nov 29, 2024

This topic describes the scenarios in which the Data Management (DMS) service-linked role (AliyunServiceRoleForDMS) is used, the permissions it grants, and how to delete the role.

Background information

A service-linked role is a type of RAM role. In some scenarios, DMS needs to access resources of other Alibaba Cloud services to provide a feature, and the service-linked role is how DMS obtains that access. For more information, see Service-linked roles.

Scenarios


Some DMS features need to access ECS, VPC, and RDS resources, as well as resources of various database engines and ecosystem tools. The DMS service-linked role grants DMS the permissions to access those resources on your behalf.

Role description

AliyunServiceRoleForDMS

Role name: AliyunServiceRoleForDMS

Policy name: AliyunServiceRolePolicyForDMS

Permissions: after the service-linked role is created, DMS can access ECS, VPC, and RDS resources, as well as resources of various database engines and ecosystem tools, in your account.

What the permissions are used for

  • Query the details of RDS, PolarDB, Lindorm, and other database instances so that DMS can manage cloud databases.

  • Query ECS and VPC details so that DMS can manage databases on ECS instances and self-managed databases reachable over the Internet.

  • Use ecosystem tools such as DTS and DBS to provide one-stop data management.

Note that the policy below is not read-only. Besides Describe, List, and Get calls, it lets DMS modify security groups and IP whitelists, run Cloud Assistant commands (ecs:InvokeCommand) on ECS instances tagged dms=script-for-dms, create accounts and reset passwords on RDS instances tagged dms=account-management, read KMS secrets (kms:GetSecretValue, kms:Decrypt), and create and configure DTS, DBS, API Gateway, and AnalyticDB resources. Review the individual statements rather than relying on the summary above.

Policy content

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeInstances",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:DescribeImages",
                "ecs:CreateSecurityGroup",
                "ecs:AuthorizeSecurityGroup",
                "ecs:DescribeSecurityGroupAttribute",
                "ecs:DescribeSecurityGroups",
                "ecs:RevokeSecurityGroup",
                "ecs:DescribeRegions",
                "ecs:DescribeInstances",
                "ecs:DescribeInstanceAttribute",
                "ecs:CreateCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocationResults"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "acs:ResourceTag/dms": "script-for-dms"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecs:InvokeCommand",
                "ecs:StopInvocation"
            ],
            "Resource": "acs:ecs:*:*:command/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:DescribeDBInstanceHAConfig",
                "rds:DescribeBinlogFiles",
                "rds:DescribeDBInstancePerformance",
                "rds:DescribeDBInstanceAttribute",
                "rds:DescribeSlowLogs",
                "rds:DescribeSlowLogRecords",
                "rds:DescribeSQLCollectorPolicy",
                "rds:ModifySQLCollectorPolicy",
                "rds:DescribeSQLLogRecords",
                "rds:DescribeSQLLogFiles",
                "rds:DescribeResourceUsage",
                "rds:DescribeRegions",
                "rds:DescribeDBInstances",
                "rds:DescribeDBInstanceAttribute",
                "rds:ModifyBackupPolicy",
                "rds:DescribeSecurityGroupConfiguration",
                "rds:DescribeDBInstanceEncryptionKey",
                "rds:DescribeDBInstanceTDE",
                "rds:DescribeDBInstanceSSL",
                "rds:DescribeCrossRegionBackupDBInstance",
                "rds:DescribeSQLCollectorRetention",
                "rds:TagResources",
                "rds:UntagResources",
                "rds:ListTagResources",
                "rds:DescribeDBInstanceByTags",
                "rds:DescribeDatabases"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dds:DescribeSecurityIps",
                "dds:ModifySecurityIps",
                "dds:DescribeDBInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kvstore:DescribeSecurityIps",
                "kvstore:ModifySecurityIps",
                "kvstore:DescribeRegions",
                "kvstore:DescribeInstances",
                "kvstore:DescribeInstanceAttribute",
                "kvstore:DescribeInstanceConfig"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "drds:DescribeDrdsInstances",
                "drds:QueryInstanceInfoByConn",
                "drds:DescribeDrdsInstanceList",
                "drds:DescribeDrdsDBIpWhiteList",
                "drds:ModifyDrdsIpWhiteList",
                "drds:DescribeDrdsInstanceVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardb:DescribeRegions",
                "polardb:DescribeDBClusters",
                "polardb:DescribeDBClusterAttribute",
                "polardb:DescribeDBClusterEndpoints",
                "polardb:DescribeMaskingRules",
                "polardb:ModifyMaskingRules",
                "polardb:DeleteMaskingRules",
                "polardb:DescribeDBClusterVersion",
                "polardb:DescribeDBClusterAuditLogCollector"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "polardbx:DescribeDBInstances",
                "polardbx:DescribeSecurityIps",
                "polardbx:ModifySecurityIps",
                "polardbx:DescribeDBInstanceAttribute",
                "polardbx:DescribeBinaryLogList",
                "polardbx:DescribeDBInstanceViaEndpoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "petadata:DescribeInstances",
                "petadata:DescribeInstanceInfoByConnection",
                "petadata:DescribeSecurityIPs",
                "petadata:ModifySecurityIPs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hdm:AccessHDMInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dts:CreateMigrationJob",
                "dts:ConfigureMigrationJob",
                "dts:StartMigrationJob",
                "dts:StopMigrationJob",
                "dts:DescribeMigrationJobStatus",
                "dts:DescribeMigrationJobDetail",
                "dts:CreateSynchronizationJob",
                "dts:ConfigureSynchronizationJob",
                "dts:StartSynchronizationJob",
                "dts:SuspendSynchronizationJob",
                "dts:DescribeSynchronizationJobStatus",
                "dts:ShieldPrecheck",
                "dts:CreateDtsInstance",
                "dts:ConfigureDtsJob",
                "dts:StartDtsJob",
                "dts:ModifyDtsJob",
                "dts:StopDtsJob",
                "dts:DescribeDtsJobDetail",
                "dts:DescribeDtsJobs",
                "dts:ConfigureEtlJob",
                "dts:SaveEtlJob",
                "dts:SuspendDtsJob",
                "dts:DeleteDtsJob",
                "dts:ModifyDtsJobName",
                "dts:SkipPreCheck",
                "dts:DescribeDtsEtlJobVersionInfo",
                "dts:DescribeEtlJobLogs",
                "dts:PreviewSql",
                "dts:DescribePreCheckStatus",
                "dts:DescribeDtsJobLogs",
                "dts:DescribeJobMonitorRule",
                "dts:CreateJobMonitorRule",
                "dts:DescribeConfigRelations",
                "dts:DescribeFormInfo",
                "dts:DescribeDmsInstanceDetail",
                "dts:DescribeSchemaList",
                "dts:DescribeColumns",
                "dts:DescribeStruct",
                "dts:DescribeDtsInstancePrice",
                "dts:DescribeRegions",
                "dts:DescribeInstanceInventory",
                "dts:CreateCheckJob",
                "dts:DescribeCheckJobDiffDetails",
                "dts:EtlMockData",
                "dts:EtlMockResult",
                "dts:DescribeCheckJobStatus",
                "dts:DescribeDtsJobStatistics",
                "dts:Ping",
                "dts:DescribeUploadPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "apigateway:CreateApiGroup",
                "apigateway:ModifyApiGroup",
                "apigateway:DeleteApiGroup",
                "apigateway:DescribeApiGroups",
                "apigateway:CreateApi",
                "apigateway:ModifyApi",
                "apigateway:DeployApi",
                "apigateway:AbolishApi",
                "apigateway:DeleteApi",
                "apigateway:DescribeApi",
                "apigateway:DescribeApis",
                "apigateway:CreateApp",
                "apigateway:ModifyApp",
                "apigateway:DeleteApp",
                "apigateway:DescribeAppSecurity",
                "apigateway:ResetAppCode",
                "apigateway:ResetAppSecret",
                "apigateway:DescribeAppAttributes",
                "apigateway:SetApisAuthorities",
                "apigateway:DescribeAuthorizedApps"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dg:GetUserGateways",
                "dg:GetUserDatabases",
                "dg:GetUserGatewayInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "openanalytics:QueryBucketList",
                "openanalytics:QueryDirectoryList",
                "openanalytics:ListVirtualClusters",
                "openanalytics:SubmitSparkJob",
                "openanalytics:KillSparkJob",
                "openanalytics:GetJobLog",
                "openanalytics:GetJobDetail",
                "openanalytics:GetJobStatus",
                "openanalytics:ExecuteService",
                "openanalytics:QueryService",
                "openanalytics:ExecuteOnVirtualCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs:DescribeBackupPlanList",
                "dbs:DescribeFullBackupList",
                "dbs:CreateBackupPlan",
                "dbs:ConfigureBackupPlan",
                "dbs:ModifyBackupObjects",
                "dbs:StartBackupPlan",
                "dbs:ModifyBackupSourceEndpoint",
                "dbs:StartTask",
                "dbs:StopBackupPlan",
                "dbs:CreateRestoreTask",
                "dbs:StartRestoreTask",
                "dbs:DescribeRestoreTaskList",
                "dbs:DescribeRestoreRangeInfo",
                "dbs:CreateDLAService",
                "dbs:DescribeDLAService",
                "dbs:CloseDLAService",
                "dbs:CreateAndStartBackupPlan",
                "dbs:DescribeFullBackupSet",
                "dbs:DescribeDataSourceQueryableAttribute",
                "dbs:DescribeDataSourceQueryableAttributeDetail",
                "dbs:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oceanbase:DescribeAllTenantsConnectionInfo",
                "oceanbase:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "dms.aliyuncs.com"
                }
            }
        },
        {
            "Action": [
                "hbase:DescribeInstances",
                "hbase:DescribeInstance",
                "hbase:DescribeEndpoints",
                "hbase:DescribeIpWhitelist",
                "hbase:ModifyIpWhitelist"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cassandra:DescribeClusters",
                "cassandra:DescribeCluster",
                "cassandra:DescribeDataCenters",
                "cassandra:DescribeIpWhitelistGroups",
                "cassandra:ModifyIpWhitelistGroup"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lindorm:GetLindormInstanceList",
                "lindorm:GetLindormInstance",
                "lindorm:GetLindormInstanceEngineList",
                "lindorm:GetLindormInstanceListForDMS",
                "lindorm:GetLindormInstanceForDMS",
                "lindorm:GetLindormInstanceForDMSByConnStr",
                "lindorm:GetInstanceIpWhiteList",
                "lindorm:UpdateInstanceIpWhiteList",
                "lindorm:CreateComputeEngineJob",
                "lindorm:GetComputeEngineJobDetail",
                "lindorm:GetComputeEngineJobLog",
                "lindorm:ReleaseLindormComputeJob"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "adb:CreateDBCluster",
                "adb:CreateAccount",
                "adb:DescribeDBClusters",
                "adb:DescribeDBClusterNetInfo",
                "adb:SubmitSparkApp",
                "adb:KillSparkApp",
                "adb:ListSparkApps",
                "adb:GetSparkAppLog",
                "adb:GetSparkAppInfo",
                "adb:GetSparkAppState",
                "adb:GetSparkAppAttemptLog",
                "adb:GetSparkAppWebUiAddress",
                "adb:ListSparkAppAttempts",
                "adb:DescribeDBClusterAttribute",
                "adb:DescribeDBResourceGroup",
                "adb:ExecuteSparkWarehouseBatchSQL",
                "adb:CancelSparkWarehouseBatchSQL",
                "adb:GetSparkWarehouseBatchSQL"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gpdb:DescribeDBInstances",
                "gpdb:ResumeInstance",
                "gpdb:PauseInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "hologram:GetInstance",
                "hologram:ListInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "gdb:DescribeDbInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "oss:ListBuckets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "selectdb:DescribeDBInstances",
                "selectdb:DescribeDBInstanceAttribute",
                "selectdb:DescribeDBInstanceNetInfo",
                "selectdb:DescribeSecurityIPList",
                "selectdb:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "clickhouse:DescribeDBClusters",
                "clickhouse:DescribeDBInstances",
                "clickhouse:DescribeDBInstanceAttribute",
                "clickhouse:DescribeEndpoints",
                "clickhouse:DescribeSecurityIPList",
                "clickhouse:ModifySecurityIPList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sr:ListInstances",
                "sr:GetInstanceDetail",
                "sr:DescribeRegions",
                "sr:GetDmsConnectionInfo",
                "sr:GetNetworkMappingIp"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dbs-inner:DescribeDataSourceQueryableAttribute",
                "dbs-inner:DescribeDataSourceQueryableAttributeDetail",
                "dbs-inner:GetTimeTravelInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:ListSecrets",
                "kms:GetSecretValue",
                "kms:Decrypt",
                "kms:ListKmsInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rds:CreateAccount",
                "rds:DeleteAccount",
                "rds:ResetAccountPassword",
                "rds:GrantAccountPrivilege",
                "rds:RevokeAccountPrivilege",
                "rds:CheckAccountNameAvailable"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:tag/dms": "account-management"
                }
            },
            "Effect": "Allow"
        },
        {
            "Action": [
                "ots:ListInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
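The policy above is long enough that reading it by eye is error-prone. The following added example (not part of this page or of DMS) audits a RAM policy document the way a reviewer would: it splits each Allow statement into read-only and write actions, records which grants are gated by a tag condition (acs:ResourceTag/dms, rds:tag/dms), and lists write actions that apply to every resource with no condition at all. The embedded document is a constructed excerpt of a few statements copied from the policy above, not the full policy; to audit the real one, load the full JSON into POLICY_EXCERPT instead. The read-only verb list and the SENSITIVE_READS set are this example's own heuristics.

```python
import json

# Constructed excerpt of the AliyunServiceRolePolicyForDMS document shown on this
# page (a handful of its statements, copied verbatim); not the full policy.
POLICY_EXCERPT = json.loads(r"""
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["ecs:DescribeInstances", "ecs:CreateSecurityGroup",
                       "ecs:AuthorizeSecurityGroup", "ecs:RevokeSecurityGroup"],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {"StringEquals": {"acs:ResourceTag/dms": "script-for-dms"}},
            "Effect": "Allow"
        },
        {
            "Action": ["ecs:InvokeCommand", "ecs:StopInvocation"],
            "Resource": "acs:ecs:*:*:command/*",
            "Effect": "Allow"
        },
        {
            "Action": ["kms:ListSecrets", "kms:GetSecretValue", "kms:Decrypt"],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": ["rds:CreateAccount", "rds:ResetAccountPassword",
                       "rds:CheckAccountNameAvailable"],
            "Resource": "*",
            "Condition": {"StringEquals": {"rds:tag/dms": "account-management"}},
            "Effect": "Allow"
        }
    ]
}
""")

# Heuristic: API verbs with these prefixes only read state; anything else is a write.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Query", "Check", "Ping", "Preview")

# Reads that return secret material; reported separately rather than as writes.
SENSITIVE_READS = {"kms:GetSecretValue", "kms:Decrypt"}


def as_list(value):
    """RAM allows Action and Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """Classify an action such as 'ecs:DescribeInstances' by its verb."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS)


def tag_conditions(statement):
    """Return {condition_key: value} for every tag-based condition on a statement."""
    gates = {}
    for operator_values in statement.get("Condition", {}).values():
        for key, value in operator_values.items():
            if "tag" in key.lower():  # e.g. acs:ResourceTag/dms, rds:tag/dms
                gates[key] = value
    return gates


def audit(policy):
    """One finding per (statement, action): resources, read/write class, tag gates."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        gates = tag_conditions(stmt)
        for action in as_list(stmt["Action"]):
            findings.append({
                "action": action,
                "resources": resources,
                "read_only": is_read_only(action),
                "tag_gated": gates,
            })
    return findings


def ungated_writes(policy):
    """Write actions allowed on Resource '*' with no tag condition at all."""
    return sorted({f["action"] for f in audit(policy)
                   if not f["read_only"] and not f["tag_gated"]
                   and f["action"] not in SENSITIVE_READS and "*" in f["resources"]})


def gated_actions(policy):
    """Actions whose grant is restricted by a tag, with the tag that unlocks them."""
    return {f["action"]: f["tag_gated"] for f in audit(policy) if f["tag_gated"]}


def sensitive_reads(policy):
    """Secret-returning reads that the policy grants."""
    return sorted({f["action"] for f in audit(policy) if f["action"] in SENSITIVE_READS})


if __name__ == "__main__":
    print("ungated writes:", ungated_writes(POLICY_EXCERPT))
    print("tag-gated:", gated_actions(POLICY_EXCERPT))
    print("sensitive reads:", sensitive_reads(POLICY_EXCERPT))
```

On the excerpt, ecs:InvokeCommand shows up twice: once gated by the dms=script-for-dms tag on the instance resource and once ungated on the command resource. Because RAM evaluates the instance and the command as separate resources of the same call, the tag on the instance is what limits which machines DMS can run commands on, so the tag itself needs to be treated as a privileged attribute (who may set dms=script-for-dms or dms=account-management on a resource).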

Permissions required to create the service-linked role


You must have the required permission before you can create the DMS service-linked role.

If your RAM user does not have the permission, create a custom policy containing the statement below and attach it to the RAM user. For the procedures, see Create a custom policy and Grant permissions to a RAM user.

Policy example: allow the creation of the service-linked role for DMS. The statement grants ram:CreateServiceLinkedRole only when the service name is dms.aliyuncs.com, so it cannot be used to create service-linked roles for other services.

{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "dms.aliyuncs.com"
    }
  }
}

Create the service-linked role


If the permission has been granted to your RAM user, log on to the DMS console. In the DMS service-linked role dialog box that appears, click Confirm, and the system creates the DMS service-linked role for you. For more information, see Create a service-linked role.

View the service-linked role


After the DMS service-linked role (AliyunServiceRoleForDMS) is created, you can view it in the RAM console: its basic information, its trust policy, and its permission policy (AliyunServiceRolePolicyForDMS).

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, search for and click AliyunServiceRoleForDMS.

  4. View the basic information of the role.

    In the Basic Information section of the role details page, view the RAM role name, creation time, ARN, and other information.

  5. View the trust policy of the role.

    On the role details page, click the Trust Policy tab. The Service field lists the cloud services that can assume the role. For this role it should contain only DMS, for example: "Service": ["dms.aliyuncs.com"]

  6. View the permission policy of the role (AliyunServiceRolePolicyForDMS).

    1. On the role details page, click the Permissions tab.

    2. Click the policy name AliyunServiceRolePolicyForDMS.

    3. On the Policy Document tab, view the policy content.

    Note

    The permission policy of a service-linked role cannot be viewed directly from the policy list in the RAM console.
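Step 5 above is a manual check of the trust policy. The following added example (not part of this page or of DMS) performs the same check on a trust policy document that has been exported from the console or fetched through the RAM API: it confirms that the only principal allowed to call sts:AssumeRole is the service principal dms.aliyuncs.com and that no RAM user, account, or federated principal has been added. The trust policy document and the tampered variant are constructed here in the shape the RAM console displays; the only value taken from the page is the Service principal.

```python
import json

# Constructed trust policy in the shape the RAM console shows for a service-linked
# role; only the Service principal dms.aliyuncs.com comes from the page.
EXPECTED_TRUST = json.loads("""
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["dms.aliyuncs.com"]}
        }
    ],
    "Version": "1"
}
""")

# Constructed example of what a broadened trust policy would look like: a second
# service and a RAM principal (placeholder account ID) have been added.
TAMPERED_TRUST = json.loads("""
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": ["dms.aliyuncs.com", "ecs.aliyuncs.com"],
                "RAM": ["acs:ram::<account-id>:root"]
            }
        }
    ],
    "Version": "1"
}
""")


def as_list(value):
    """RAM allows Action and principal values to be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def assume_role_statements(trust_policy):
    """Allow statements that grant sts:AssumeRole (the only thing a trust policy should do)."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(stmt.get("Action", [])):
            yield stmt


def service_principals(trust_policy):
    """Every service principal allowed to assume the role."""
    services = set()
    for stmt in assume_role_statements(trust_policy):
        services.update(as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


def other_principals(trust_policy):
    """Principal types other than Service (e.g. RAM, Federated) on AssumeRole grants."""
    others = {}
    for stmt in assume_role_statements(trust_policy):
        for kind, values in stmt.get("Principal", {}).items():
            if kind != "Service":
                others.setdefault(kind, set()).update(as_list(values))
    return others


def check_trust_policy(trust_policy, expected_service="dms.aliyuncs.com"):
    """Return a list of problems; an empty list means the trust policy is as expected."""
    problems = []
    services = service_principals(trust_policy)
    if services != {expected_service}:
        problems.append(f"service principals are {sorted(services)}, expected only {expected_service}")
    for kind, values in other_principals(trust_policy).items():
        problems.append(f"unexpected {kind} principal(s): {sorted(values)}")
    return problems


if __name__ == "__main__":
    print("expected:", check_trust_policy(EXPECTED_TRUST) or "ok")
    print("tampered:", check_trust_policy(TAMPERED_TRUST))
```

The same function can be run over the trust policies of all roles in an account to find any whose Service list contains dms.aliyuncs.com, which answers the question "what else can the DMS service assume here" rather than only "who can assume this role".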

Delete the service-linked role


To delete the service-linked role (AliyunServiceRoleForDMS), first remove all instances from the instance list in the DMS console, then delete the role; deletion fails while DMS still manages instances. For the procedures, see Remove an instance and Delete a service-linked role.