初次使用数据库备份DBS时,您需要将角色权限(AliyunDBSDefaultRole)授权给DBS,并开通对象存储OSS。

前提条件

已注册阿里云账号,具体操作,请参见注册阿里云账号

步骤一:授权DBS服务关联角色

DBS服务关联角色(AliyunServiceRoleForDBS)是具备其他云服务访问权限的RAM角色,DBS接入您在阿里云购买的云数据库(如RDS、MongoDB、 Redis、PolarDB)或阿里云ECS上自建的数据库时, 需通过AliyunServiceRoleForDBS获取访问权限,更多信息,请参见服务关联角色
说明 DBS服务关联角色(AliyunServiceRoleForDBS)的详细权限信息,请参见AliyunServiceRoleForDBS介绍

初次使用数据库备份DBS时,您需要将服务关联角色(AliyunServiceRoleForDBS)授权给DBS。

  1. 登录DBS控制台
  2. 在弹出的提示对话框中,单击授权DBS服务关联角色
    说明 若登录DBS控制台后,没有弹出提示授权的对话框,则无需执行本文后续操作。您可以直接购买并配置备份计划,具体操作,请参见购买备份计划配置备份计划
  3. 单击确定
    此时,您已创建DBS服务关联角色(AliyunServiceRoleForDBS),若您需要删除服务关联角色(AliyunServiceRoleForDBS),请参见删除RAM角色

步骤二:开通对象存储OSS

开通对象存储OSS不会产生费用。开通后,您使用DBS进行备份时,DBS才能将备份数据存入OSS(云存储)中。

  1. 登录DBS控制台
  2. 在弹出的提示对话框中,单击立即开通使用OSS
  3. 在弹出的对话框中,单击立即开通
  4. 对象存储OSS页面,阅读并勾选服务协议,单击立即开通
    至此,您已开通数据库备份DBS服务。

AliyunServiceRoleForDBS介绍

角色名称:AliyunServiceRoleForDBS

角色权限策略:AliyunServiceRolePolicyForDBS

权限说明:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstanceNetInfoForChannel",
        "rds:DescribeTasks",
        "rds:DescribeDBInstances",
        "rds:DescribeFilesForSQLServer",
        "rds:DescribeImportsForSQLServer",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeBinlogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeParameters",
        "rds:DescribeParameterTemplates",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDatabases",
        "rds:DescribeAccounts",
        "rds:DescribeSecurityIPList",
        "rds:DescribeSecurityIps",
        "rds:DescribeDBInstanceIPArray",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:CreateDBInstance",
        "rds:CreateAccount",
        "rds:CreateDatabase",
        "rds:ModifySecurityIps",
        "rds:GrantAccountPrivilege",
        "rds:CreateMigrateTask",
        "rds:CreateOnlineDatabaseTask",
        "rds:DescribeMigrateTasks",
        "rds:DescribeOssDownloads",
        "rds:CreateBackup",
        "rds:DescribeBackups",
        "rds:DescribeBackupPolicy",
        "rds:ModifyBackupPolicy",
        "rds:DescribeBackupTasks",
        "rds:DescribeBinlogFiles"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:DescribeInstance",
        "ecs:DescribeInstances",
        "ecs:DescribeVpcs",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:AuthorizeSecurityGroup",
        "ecs:JoinSecurityGroup",
        "ecs:RevokerSecurityGroup"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:PutEventRule",
        "cms:PutEventTargets",
        "cms:ListEventRules",
        "cms:ListEventTargetsByRule",
        "cms:DeleteEventRule",
        "cms:DeleteEventTargets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "polardb:DescribeDBClusterIPArrayList",
        "polardb:DescribeDBClusterNetInfo",
        "polardb:DescribeDBClusters",
        "polardb:ModifySecurityIps",
        "polardb:DescribeDBClusterEndpoints",
        "polardb:DescribeDBClusterAccessWhitelist",
        "polardb:ModifyDBClusterAccessWhitelist"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "dds:DescribeDBInstanceAttribute",
        "dds:DescribeReplicaSetRole",
        "dds:DescribeSecurityIps",
        "dds:DescribeDBInstances",
        "dds:ModifySecurityIps"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kvstore:DescribeSecurityIps",
        "kvstore:DescribeInstances",
        "kvstore:DescribeAccounts",
        "kvstore:DescribeDBInstanceNetInfo",
        "kvstore:CreateAccount",
        "kvstore:ModifySecurityIps",
        "kvstore:DescribeInstanceAttribute",
        "kvstore:AllocateInstancePrivateConnection",
        "kvstore:DescribeLogicInstanceTopology"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "drds:DescribeDrdsDB",
        "drds:DescribeDrdsDBs",
        "drds:DescribeDrdsDbInstance",
        "drds:DescribeDrdsDbInstances",
        "drds:DescribeDrdsDBIpWhiteList",
        "drds:DescribeDrdsInstances",
        "drds:ModifyDrdsIpWhiteList",
        "drds:CreateDrdsDB",
        "drds:DescribeTable",
        "drds:DescribeTables",
        "drds:ModifyRdsReadWeight",
        "drds:ChangeAccountPassword",
        "drds:CreateDrdsInstance",
        "drds:CreateInstanceAccount",
        "drds:CreateInstanceInternetAddress",
        "drds:DescribeInstanceAccounts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },    
    {
       "Action": [
         "bssapi:QueryResourcePackageInstances"
      ],
       "Resource": "*",
       "Effect": "Allow"
    },
    {
      "Action": "hdm:AddHDMInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
          "StringEquals": {
              "ram:ServiceName": "dbs.aliyuncs.com"
          }
        }
    }
  ]
}

后续步骤