Database Backup: Create a RAM role for data backup and restoration across Alibaba Cloud accounts

Last Updated: Apr 11, 2024

Database Backup (DBS) allows you to back up and restore data across Alibaba Cloud accounts. This topic describes how to create a Resource Access Management (RAM) role within the Alibaba Cloud account to which the source instance belongs, grant the RAM role the permissions to access the source instance, and assign the RAM role to another Alibaba Cloud account. The other account can then back up and restore data across Alibaba Cloud accounts.

Prerequisites

The AliyunServiceRoleForDBS role is assigned to DBS within the Alibaba Cloud account to which the source instance belongs. For more information, see How do I activate DBS?

Procedure

  1. Log on to the RAM console by using the Alibaba Cloud account to which the source instance belongs.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Account. Then, click Next.

  4. In the Configure Role step of the Create Role wizard, set the parameters that are described in the following table. Then, click OK.

    | Parameter | Description |
    | --- | --- |
    | RAM Role Name | The name of the RAM role. The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-). In this example, ram-for-dbs is used. |
    | Note | Optional. The description of the RAM role. |
    | Select Trusted Alibaba Cloud Account | Set this parameter to Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. Note: To obtain the ID of the Alibaba Cloud account to which you want to assign the RAM role, log on to Account Center by using the account and check the account ID. |

  5. After you configure the RAM role, use one of the following methods to grant permissions to the role:

    Method 1: Grant the permissions to manage all cloud resources that belong to the Alibaba Cloud account

    1. In the Finish step of the Create Role wizard, click Add Permissions to RAM Role.

    2. In the Grant Permission panel, click System Policy in the Select Policy section, search for the AdministratorAccess policy, add the policy to the Selected section, and then click OK to attach the policy to the role.

    Method 2: Attach the AliyunDBSRolePolicy policy to the RAM role

    1. In the RAM console, choose Identities > Roles in the left-side navigation pane. On the Roles page, find the RAM role to which you want to attach a policy and click Grant Permission in the Actions column.

    2. In the panel that appears, click System Policy in the Select Policy section, search for the AliyunDBSRolePolicy policy, add the policy to the Selected section, and then click OK.

      Note

      If you want to back up or restore a self-managed database that is connected over Express Connect, VPN Gateway, or Smart Access Gateway, you must attach the AliyunVPCReadOnlyAccess policy to the RAM role. This way, the RAM role has the read-only permission on VPC resources. For more information, see Grant permissions to a RAM role.

  6. After you attach the policy to the RAM role, go to the role details page and click the Trust Policy tab.

  7. Click Edit Trust Policy, copy the following code, and paste it into the code editor.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::ID of the Alibaba Cloud account to which you want to assign the RAM role:root"
                    ],
                    "Service": [
                        "ID of the Alibaba Cloud account to which you want to assign the RAM role@dbs.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }

    Note

    To obtain the ID of the Alibaba Cloud account to which you want to assign the RAM role, you must log on to Account Center by using this account. The account ID is displayed on the Security Settings page. Then, replace the account ID in the preceding code with the ID that you obtain.

  8. After you assign the RAM role to the specified Alibaba Cloud account, back up or restore data across Alibaba Cloud accounts in DBS. For more information, see Back up and restore data across Alibaba Cloud accounts.
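
A check for the trust policy from step 7, as an added example that is not part of the original documentation: it verifies that the only principals allowed to assume the role are the root of the intended account and that account's DBS service principal, and it flags placeholders that were pasted without being replaced. The function names, the sample account ID, and the assumption that account IDs are numeric are illustrative.

```python
import json
import re

PLACEHOLDER = "ID of the Alibaba Cloud account to which you want to assign the RAM role"

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy_text, trusted_account_id):
    """Return findings; an empty list means only the intended account is trusted."""
    if not re.fullmatch(r"\d+", trusted_account_id):  # assumption: account IDs are numeric
        raise ValueError("trusted_account_id must be numeric")
    wanted = {"RAM": f"acs:ram::{trusted_account_id}:root",
              "Service": f"{trusted_account_id}@dbs.aliyuncs.com"}
    policy, findings, seen = json.loads(policy_text), [], set()
    if policy.get("Version") != "1":
        findings.append("unexpected Version")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements can widen who may assume the role
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: Action is not exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal is not an object")
            continue
        for kind in sorted(principal):
            if kind not in wanted:
                findings.append(f"statement {i}: unexpected principal type {kind}")
                continue
            for entry in _as_list(principal[kind]):
                if entry == wanted[kind]:
                    seen.add(kind)
                elif PLACEHOLDER in str(entry):
                    findings.append(f"statement {i}: {kind} placeholder not replaced")
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {entry}")
    findings += [f"missing {k} principal for {trusted_account_id}" for k in wanted if k not in seen]
    return findings

def step7_policy(ram_entries, service_entries):
    """Build a policy shaped like the one in step 7 (helper for constructed samples)."""
    return json.dumps({"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                      "Principal": {"RAM": ram_entries, "Service": service_entries}}],
                       "Version": "1"})

SAMPLE_ACCOUNT_ID = "1234567890123456"  # constructed account ID, not a real account
# Constructed sample: the step 7 text pasted without replacing the account ID.
PASTED_UNEDITED = step7_policy([f"acs:ram::{PLACEHOLDER}:root"], [f"{PLACEHOLDER}@dbs.aliyuncs.com"])
```

Run `audit_trust_policy` on the text copied from the Trust Policy tab after saving it; any finding means the role trusts something other than the single account you intended.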