Database Backup (DBS) allows you to back up and restore data across Alibaba Cloud accounts. This topic describes how to create a Resource Access Management (RAM) role within the Alibaba Cloud account to which the source instance belongs, grant the permissions to access the source instance to the RAM role, and assign the RAM role to another Alibaba Cloud account. This allows you to implement data backup and restoration across Alibaba Cloud accounts.
Prerequisites
The AliyunServiceRoleForDBS role is assigned to DBS within the Alibaba Cloud account to which the source instance belongs. For more information, see How do I activate DBS?
Procedure
Log on to the RAM console by using the Alibaba Cloud account to which the source instance belongs.
In the left-side navigation pane, choose .
On the Roles page, click Create Role. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Account. Then, click Next.
In the step of the Create Role wizard, set the parameters that are described in the following table. Then, click OK.
| Parameter | Description |
| --- | --- |
| RAM Role Name | The name of the RAM role. The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-). In this example, ram-for-dbs is specified. |
| Note | Optional. The description of the RAM role. |
| Select Trusted Alibaba Cloud Account | Set this parameter to Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. Note: To obtain the ID of the Alibaba Cloud account to which you want to assign the RAM role, log on to Account Center by using the account and check the account ID. |
After you configure the RAM role, use one of the following methods to grant permissions to the role:
Method 1: Grant the permissions to manage all cloud resources that belong to the Alibaba Cloud account
In the
of the Create Role wizard, click Add Permissions to RAM Role. In the Add Permissions panel, click the System Policy tab and enter AdministratorAccess in the field. Click the AdministratorAccess policy in the Authorization Policy Name column to add the policy to the Selected section on the right. Then, click OK.
Method 2: Attach the AliyunDBSRolePolicy policy to the RAM role
In the RAM console, choose
. On the Roles page, find the RAM role to which you want to attach the AliyunDBSRolePolicy policy, and click Input and Attach in the Actions column. In the Add Permissions panel, set the Type parameter to System Policy. Enter AliyunDBSRolePolicy in the Policy Name field, and click OK.
Note: To back up and restore a self-managed database that is connected over Express Connect, VPN Gateway, or Smart Access Gateway, you must also attach the AliyunVPCReadOnlyAccess policy to the RAM role. This policy grants the read-only permissions on Virtual Private Cloud (VPC) resources. For more information, see Grant permissions to a RAM role.
After you grant permissions to the RAM role, click the RAM role name to go to the details page of the RAM role. On the page that appears, click the Trust Policy Management tab.
Click Edit Trust Policy and copy the following policy content to the policy editor.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::ID of the Alibaba Cloud account to which you want to assign the RAM role:root"
        ],
        "Service": [
          "ID of the Alibaba Cloud account to which you want to assign the RAM role@dbs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Note: To obtain the ID of the Alibaba Cloud account to which you want to assign the RAM role, you must log on to Account Center by using this account. The account ID is displayed on the Overview page. Then, replace the account ID in the preceding code with the ID that you obtain.
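A check you can run on the edited trust policy before saving it, as an added example that is not part of the original documentation: it confirms that both principals name the intended account and that no placeholder or wildcard was left in place. The function names and the account ID 1234567890123456 are constructed for illustration.

```python
import json
import re

RAM_ARN = re.compile(r"acs:ram::(\d+):root")
DBS_SERVICE = re.compile(r"(\d+)@dbs\.aliyuncs\.com")


def check_trust_policy(policy_text, trusted_account_id):
    """Return findings for a trust policy; an empty list means it matches the template."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["top-level value is not a JSON object"]
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version is not "1"')
    statements = policy.get("Statement") or []
    if not statements:
        findings.append("no Statement entries")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            findings.append(f"statement {i}: expected Allow on sts:AssumeRole")
        principal = stmt.get("Principal") or {}
        for kind, pattern in (("RAM", RAM_ARN), ("Service", DBS_SERVICE)):
            entries = principal.get(kind) or []
            entries = [entries] if isinstance(entries, str) else entries
            if not entries:
                findings.append(f"statement {i}: Principal.{kind} is missing")
            for entry in entries:
                match = pattern.fullmatch(str(entry))
                if match is None:  # wildcard, unreplaced placeholder, or another service
                    findings.append(f"statement {i}: unexpected {kind} principal {entry!r}")
                elif match.group(1) != trusted_account_id:
                    findings.append(f"statement {i}: {kind} principal is account {match.group(1)}")
    return findings


def make_policy(ram_principal, service_principal):
    """Build a policy with the page's structure (used for the constructed samples)."""
    stmt = {"Action": "sts:AssumeRole", "Effect": "Allow",
            "Principal": {"RAM": [ram_principal], "Service": [service_principal]}}
    return json.dumps({"Statement": [stmt], "Version": "1"})


if __name__ == "__main__":
    acct = "1234567890123456"  # constructed account ID, not a real one
    print(check_trust_policy(make_policy(f"acs:ram::{acct}:root", f"{acct}@dbs.aliyuncs.com"), acct))
    print(check_trust_policy(make_policy("acs:ram::ID of the account:root", f"{acct}@dbs.aliyuncs.com"), acct))
```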
After you assign the RAM role to the specified Alibaba Cloud account, back up or restore data across Alibaba Cloud accounts in DBS. For more information, see Back up and restore data across Alibaba Cloud accounts.