DTS supports data migration and synchronization between ApsaraDB for RDS instances that belong to different Alibaba Cloud accounts. This topic describes how to configure RAM authorization for the Alibaba Cloud account to which the source instance belongs if the destination instance belongs to a different Alibaba Cloud account.
Prerequisites
The Alibaba Cloud account to which the source instance belongs has authorized the RAM role of DTS to access the cloud resources of the account. For more information, see Authorize DTS to access cloud resources.
Instance types supported by cross-account data migration and synchronization
Feature | Source instance type | Destination instance type |
---|---|---|
Data migration | RDS instance | RDS instance |
DRDS instance | ||
HybridDB for MySQL instance | ||
ApsaraDB for OceanBase instance | ||
User-created database hosted on ECS | ||
User-created database with a public IP address | ||
Data synchronization | RDS instance | RDS instance |
MaxCompute (previous name: ODPS) instance | ||
Elasticsearch instance |
Background information
When you use DTS for data migration or synchronization, you must configure RAM authorization for the Alibaba Cloud account to which the source instance belongs. You must specify the Alibaba Cloud account to which the destination instance belongs as a trusted account. This ensures that the destination account can access cloud resources of the Alibaba Cloud account to which the source instance belongs.
Procedure
- Log on to the RAM console with the Alibaba Cloud account to which the source instance belongs.
- In the left-side navigation pane, click RAM Roles.
- Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
- On the Create RAM Role page, configure parameters for the RAM role.
Parameter Description RAM Role Name Specify a name for the RAM role. In this example, enter ram-for-dts. Note The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).Note Optional. Specify the description for the RAM role. Select Trusted Alibaba Cloud Account Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account to which the destination instance belongs. Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Alibaba Cloud console with the account and go to the Account Management page. - Click OK.
- Click Input and Attach.
- On the Add Permissions page, select System Policy and enter AliyunDTSRolePolicy.
- Click OK.
- Click Close.
- On the RAM Roles page, find the newly created RAM role, and click the role name to view details.
- On the Basic Information page of the RAM role, click the Trust Policy Management tab.
- On the Trust Policy Management tab, click Edit Trust Policy, and copy the following sample statements to the page that appears.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::<ID of Alibaba Cloud account to which the destination instance belongs>:root" ], "Service": [ "<ID of Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com" ] } } ], "Version": "1" }
Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Alibaba Cloud console with the account and go to the Account Management page. Then, you must replace theID of Alibaba Cloud account to which the destination instance belongs
in the preceding statements with the obtained ID.
After authorization, you can create a task to migrate or synchronize data between RDS instances that belong to different Alibaba Cloud accounts.
Next steps
Log on to the DTS console with the Alibaba Cloud account to which the destination instance belongs, and then create a data migration task or data synchronization task.