Database Backup (DBS) allows you to back up or restore data across Alibaba Cloud accounts. This topic shows you how to create a RAM role within the Alibaba Cloud account to which the source instance belongs, grant the permissions to access the source instance to the RAM role, and then assign the RAM role to another Alibaba Cloud account. This allows you to implement backup and restoration across Alibaba Cloud accounts.

Prerequisites

The AliyunServiceRoleForDBS role is assigned to DBS within the Alibaba Cloud account to which the source instance belongs. For more information, see "How do I activate DBS?"

Procedure

  1. Log on to the RAM console by using the Alibaba Cloud account to which the source instance belongs.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, click Create Role. In the Select Role Type step of the Create Role wizard, set the Select Trusted Entity parameter to Alibaba Cloud Account. Then, click Next.
  4. In the Configure Role step of the Create Role wizard, set the parameters that are described in the following table. Then, click OK.
    Parameter | Description
    RAM Role Name | Specify the name of the RAM role. The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-). In this example, enter ram-for-dbs.
    Note | Optional. Specify a description for the RAM role.
    Select Trusted Alibaba Cloud Account | Set this parameter to Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. Note: To obtain the ID of the Alibaba Cloud account to which you want to assign the RAM role, you must log on to the Account Management console with this account. The account ID is displayed on the Basic Information page.
  5. After you configure the RAM role, use one of the following methods to grant permissions to the role:
    • Method 1: Grant the permissions to manage all cloud resources that belong to the Alibaba Cloud account
      1. In the Finish step of the Create Role wizard, click Add Permissions to RAM Role.
      2. In the Add Permissions panel, click the System Policy tab and enter AdministratorAccess in the field. Click the AdministratorAccess policy in the Authorization Policy Name column to add the policy to the Selected section on the right. Then, click OK.
    • Method 2: Attach the AliyunDBSRolePolicy policy to the RAM role
      1. In the RAM console, choose Identities > Roles. On the Roles page, find the RAM role to which you want to attach the AliyunDBSRolePolicy policy, and click Input and Attach in the Actions column.
      2. In the Add Permissions panel, set the Type parameter to System Policy. Enter AliyunDBSRolePolicy in the Policy Name field, and click OK.
        Note: To back up and restore a self-managed database that is connected over Express Connect, VPN Gateway, or Smart Access Gateway, you must also attach the AliyunVPCReadOnlyAccess policy to the RAM role. This policy grants read-only permissions on Virtual Private Cloud (VPC) resources. For more information, see Grant permissions to a RAM role.
  6. After you grant permissions to the RAM role, click the RAM role name to go to the details page of the RAM role. On the page that appears, click the Trust Policy Management tab.
  7. Click Edit Trust Policy, and copy the following policy content to the policy editor.
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::ID of the Alibaba Cloud account to which you want to assign the RAM role:root"
                    ],
                    "Service": [
                        "ID of the Alibaba Cloud account to which you want to assign the RAM role@dbs.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
    Note: To obtain the ID of the Alibaba Cloud account to which you want to assign the RAM role, you must log on to the Account Management console with this account. The account ID is displayed on the Basic Information page. Then, replace the account ID in the preceding code with the ID that you obtain.
  8. After you assign the RAM role to the specified Alibaba Cloud accounts, back up or restore data across Alibaba Cloud accounts in DBS. For more information, see Back up and restore data across Alibaba Cloud accounts.
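
The trust policy in step 7 decides which account can assume the role, so it is worth generating it from a validated account ID and auditing the saved policy afterwards. The following Python sketch is an added example, not part of the original procedure or of any Alibaba Cloud tooling; the function names and the sample account IDs are constructed, and it assumes account IDs are purely numeric.

```python
import json
import re

def build_trust_policy(account_id: str) -> dict:
    """Trust policy from step 7 with the placeholder replaced by account_id."""
    if not re.fullmatch(r"\d+", account_id):  # assumption: account IDs are numeric
        raise ValueError(f"not a numeric account ID: {account_id!r}")
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [f"acs:ram::{account_id}:root"],
                "Service": [f"{account_id}@dbs.aliyuncs.com"],
            },
        }],
        "Version": "1",
    }

def audit_trust_policy(policy: dict, account_id: str) -> list:
    """List every principal the policy trusts other than account_id and its DBS service."""
    expected = {"RAM": {f"acs:ram::{account_id}:root"},
                "Service": {f"{account_id}@dbs.aliyuncs.com"}}
    findings = []
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {n}: malformed Principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if value not in expected.get(kind, set()):
                    findings.append(f"statement {n}: unexpected {kind} principal {value!r}")
    return findings

# Constructed sample IDs, not real accounts.
BACKUP_ACCOUNT = "1111111111111111"
OTHER_ACCOUNT = "2222222222222222"

if __name__ == "__main__":
    policy = build_trust_policy(BACKUP_ACCOUNT)
    print(json.dumps(policy, indent=4))
    # Simulate a second account being added to the trust policy later.
    policy["Statement"][0]["Principal"]["RAM"].append(f"acs:ram::{OTHER_ACCOUNT}:root")
    for finding in audit_trust_policy(policy, BACKUP_ACCOUNT):
        print("FINDING:", finding)
```

A policy saved with the placeholder text still in place is reported as an unexpected principal, because the string does not match the expected account ID.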