Authorize RAM roles for data backup or restoration across Alibaba Cloud accounts

Last Updated: May 28, 2020

DBS allows you to back up or restore data of RDS instances that belong to another Alibaba Cloud account to your current Alibaba Cloud account. This topic describes how the Alibaba Cloud account to which the source instance belongs configures RAM user permissions so that data of the source instance can be backed up or restored to another Alibaba Cloud account.

Prerequisites

The Alibaba Cloud account to which the source instance belongs has authorized the RAM role of DBS to access cloud resources of the account. For more information, see Authorize RAM roles.

Procedure

  1. Log on to the RAM console with the Alibaba Cloud account to which the source instance belongs.

  2. In the left-side navigation pane, click RAM Roles.

  3. On the RAM Roles page, click Create RAM Role. In the Select Role Type step of the Create RAM Role wizard, set Trusted entity type to Alibaba Cloud Account. Then, click Next.

  4. In the Configure Role step of the Create RAM Role wizard, configure the parameters listed in the following table. Then, click OK.

    Parameters and their descriptions:

    • RAM Role Name: Specify the RAM role name. The name can be up to 64 characters in length and can contain letters, digits, and hyphens (-). In this example, enter ram-for-dbs.
    • Note: Optional. Specify a description for the RAM role.
    • Select Trusted Alibaba Cloud Account: Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account to which the destination instance belongs. To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Alibaba Cloud console with the account and go to the Account Management page. The following figure shows an example.

    [Figure: Account ID]

  5. After you have configured the RAM role, you can use one of the following methods to authorize the role:

    • Method 1: Authorize access to all cloud resources managed by the Alibaba Cloud account
    1. In the Finish step of the Create RAM Role wizard, click Add Permissions to RAM Role.

    2. In the Add Permissions pane that appears, select System Policy and enter AdministratorAccess in the field displayed below System Policy. Click AdministratorAccess in the Authorization Policy Name column to add AdministratorAccess to the Selected section on the right. Then, click OK.

    • Method 2: Grant DBS system permissions
    1. On the RAM Roles page, find the target RAM role name. Click Input and Attach in the Actions column.
    2. In the Add Permissions pane that appears, set Type to System Policy, enter AliyunDBSRolePolicy in the field displayed below Policy Name, and then click OK to complete the authorization.

      If you need to back up or restore on-premises user-created databases connected to Alibaba Cloud through Express Connect, VPN gateways, and smart access gateways, you must grant the AliyunVPCReadOnlyAccess permission. For more information, see Grant permissions to a RAM role.

  6. After you have completed the RAM role authorization, click the target RAM role name on the RAM Roles page. The Basic Information page appears.

  7. Click the Trust Policy Management tab. Then, click Edit Trust Policy and copy the following sample code to the page that appears.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
                    ],
                    "Service": [
                        "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }

    To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, log on to the Alibaba Cloud console with that account and go to the Account Management page. Then, replace both placeholders in the preceding sample code with the ID that you obtained.

  8. After you have granted permissions to the account to which the destination instance belongs, you can back up or restore data across Alibaba Cloud accounts. For more information, see Data backup and restore across Alibaba Cloud accounts.
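
The following Python sketch is an added example, not part of the original Alibaba Cloud documentation: it fills the step 7 trust policy template with the destination account ID and reports any principal or action that differs from it, including a placeholder left unreplaced. The function names, the numeric-ID check, and the sample account ID are assumptions made for illustration.

```python
import json
import re

ACCOUNT_ID = re.compile(r"\d+")  # assumption: account IDs are purely numeric


def build_trust_policy(dest_account_id):
    """Fill the trust policy template from step 7 with the destination account ID."""
    if not ACCOUNT_ID.fullmatch(dest_account_id):
        raise ValueError("destination account ID must be numeric")
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [f"acs:ram::{dest_account_id}:root"],
                "Service": [f"{dest_account_id}@dts.aliyuncs.com"],
            },
        }],
        "Version": "1",
    }


def audit_trust_policy(policy, dest_account_id):
    """List every principal or action that differs from the step 7 template."""
    expected = build_trust_policy(dest_account_id)["Statement"][0]["Principal"]
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRole":
            findings.append(f"statement {i}: unexpected action {stmt.get('Action')!r}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal is not an object")
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if "<" in value:
                    findings.append(f"statement {i}: placeholder left in {kind} principal")
                elif value not in expected.get(kind, []):
                    findings.append(f"statement {i}: unexpected {kind} principal {value!r}")
    return findings


if __name__ == "__main__":
    dest = "1234567890123456"  # constructed sample ID, not a real account
    policy = build_trust_policy(dest)
    print(json.dumps(policy, indent=4))
    print(audit_trust_policy(policy, dest) or "trust policy matches the template")
```

Run the audit against the policy text copied back from the Trust Policy Management tab to confirm that only the destination account can assume the role.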