DTS allows you to migrate and synchronize data between instances that belong to two different Alibaba Cloud accounts. To use this feature, the Alibaba Cloud account that owns the source instance must grant specific permissions to the Alibaba Cloud account that owns the target instance. You then log on to the DTS console with the account that owns the target instance to configure the tasks.
This topic describes how to use Resource Access Management (RAM) to grant those permissions to a different account so that data can be migrated between instances under different Alibaba Cloud accounts.
The cross-account migration and synchronization features that DTS supports are as follows:
- RDS instance to RDS instance
- RDS instance to DRDS instance
- RDS instance to PetaData instance
- RDS instance to OceanBase instance
- RDS instance to ECS external database
- RDS instance to On-premises databases
- RDS instance to MaxCompute (formerly ODPS) instance
- RDS instance to Datahub (for stream calculation purposes) instance
- RDS instance to AnalyticDB instance
For security purposes, you must be authorized before you can migrate data between cloud resources that belong to different accounts. Suppose that the source instance belongs to account A and the target instance belongs to account B. In this case you must complete the following two authorizations:
(1) Account A, to which the source instance belongs, authorizes DTS to access its cloud resources.
(2) Account A, to which the source instance belongs, grants account B, to which the target instance belongs, access to the cloud resources of account A through DTS.
The authorization process is detailed as follows:
First, account A, to which the source instance belongs, must authorize DTS to access its cloud resources. To do this, follow these steps:
Log on to the Alibaba Cloud website using account A, and then go to the DTS console. If account A has not yet authorized DTS to access its cloud resources, an authorization dialog appears.
Click Authorize RAM user to go to the authorization page.
On the authorization page, click Agree to authorize to grant DTS access to the cloud resources of account A.
If the authorization request does not appear when you log on to the DTS console, account A has already been authorized.
Second, account A, to which the source instance belongs, grants account B, to which the target instance belongs, access to the cloud resources of account A through DTS.
Authorizing DTS alone is not enough: account A must also grant account B access to the cloud resources of account A through DTS.
This authorization is performed by creating a RAM role under account A that account B is allowed to assume. When you configure a migration task under account B, you specify the ID of account A and the name of that role, as shown in the figure.
In this figure, Alibaba Cloud account to which the RDS belongs is the account ID of the Alibaba Cloud account to which the source RDS instance belongs. You can retrieve the account ID through Security Settings in Account Management.
Role name is the name of the role that account A has created to let account B access the cloud resources of account A. The process of creating this role is as follows:
This section describes how to grant another Alibaba Cloud account access to the cloud resources under your own account by using a RAM role.
In the following example, RDS instances under account A are migrated to the cloud resources under account B. The process for creating and authorizing the role is as follows:
- Log on to the RAM console using account A, go to the role management page, and then click Create Role in the upper-right corner to create a cross-account authorization role.
- Select User Role for the role type.
- For Trusted account, select Other Alibaba Cloud Account. Set Trusted Alibaba Cloud Account ID to the ID of the Alibaba Cloud account to which the target instance belongs, namely the ID of account B.
- Configure the role name. You must specify this name later when you configure the DTS migration or synchronization task.
After you create the role, you must modify its authorization policies in two places:
(1) The trust policy. Restrict the role so that it can be assumed only by account B and by DTS acting on behalf of account B, rather than by DTS acting on behalf of any other account. To do this, follow these steps:
1) On the role management page, click Manage next to the created role to manage the role.
2) Click Edit Basic Information in the upper-right corner. The Edit Role dialog box appears. Add a service definition to Principal in the following form:
"Trusted Alibaba Cloud account ID@dts.aliyuncs.com"
Replace Trusted Alibaba Cloud account ID with the ID of the Alibaba Cloud account that configures the task in DTS, namely account B. dts.aliyuncs.com is the service code of DTS; prefixing it with the account ID limits DTS to assuming this role only for tasks that belong to that account. Assume that the Alibaba Cloud account ID you use to configure the DTS migration task is 1218522260143989. In this case, the corresponding service must be defined as 1218522260143989@dts.aliyuncs.com.
The complete role definition is as follows:
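The script below is an added example, not text from the DTS documentation. It builds the trust policy for the role under account A and audits a trust policy for principals that are broader than this setup needs, for example a bare dts.aliyuncs.com service principal, which would let DTS assume the role on behalf of any Alibaba Cloud account. It assumes the standard RAM trust-policy layout (a Statement allowing sts:AssumeRole with RAM and Service principals), that account B's ID is 1218522260143989 as in the text, and that the same ID is used for the RAM principal and the DTS service principal; the UNSCOPED_POLICY input is constructed for the demonstration.

```python
"""Added example (not from the DTS documentation): build and audit the RAM
trust policy for a cross-account DTS role created under account A."""
import json

DTS_SERVICE = "dts.aliyuncs.com"

# Account B's ID from the text. Assumption: account B both configures the
# DTS task and is the RAM principal allowed to assume the role.
ACCOUNT_B_ID = "1218522260143989"


def build_trust_policy(trusted_account_id):
    """Trust policy (assumed standard RAM layout) for a role in account A that
    only account B, and DTS acting on behalf of account B, may assume.
    The "<id>@dts.aliyuncs.com" principal is what scopes DTS to that account."""
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [f"acs:ram::{trusted_account_id}:root"],
                    "Service": [f"{trusted_account_id}@{DTS_SERVICE}"],
                },
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, expected_account_id):
    """Return findings describing ways the trust policy is broader than the
    cross-account DTS setup needs. An empty list means it is properly scoped."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal") or {}
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: unrestricted principal {principal!r}")
            continue
        for ram in principal.get("RAM", []):
            # Expected shape: acs:ram::<account-id>:root (or :user/<name>)
            parts = ram.split(":")
            if ram == "*" or len(parts) < 5 or parts[3] != expected_account_id:
                findings.append(
                    f"statement {i}: RAM principal {ram!r} is not account "
                    f"{expected_account_id}")
        for svc in principal.get("Service", []):
            if "@" not in svc:
                findings.append(
                    f"statement {i}: service principal {svc!r} has no account "
                    "prefix, so the service may assume the role for any account")
                continue
            uid, name = svc.split("@", 1)
            if name != DTS_SERVICE:
                findings.append(
                    f"statement {i}: service principal {svc!r} is not DTS")
            elif uid != expected_account_id:
                findings.append(
                    f"statement {i}: DTS principal {svc!r} is scoped to the "
                    "wrong account")
    return findings


# Constructed sample: a trust policy that forgot the account prefix on DTS.
UNSCOPED_POLICY = {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [DTS_SERVICE]},
        }
    ],
    "Version": "1",
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_B_ID), indent=2))
    for finding in audit_trust_policy(UNSCOPED_POLICY, ACCOUNT_B_ID):
        print("finding:", finding)
```

The document returned by build_trust_policy is what you paste into the Edit Role dialog; the permission policy AliyunDTSRolePolicy is attached separately in the next step, and the audit only covers who may assume the role, not what the role may do.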
(2) The permission policy. Authorize the role to access the resources under the Alibaba Cloud account of the source instance.
After the trust policy for account B is configured, modify the role's permission policy. Grant the role access to the required cloud resources so that DTS can assume the role to access these instances. To do this, follow these steps:
1) On the role management page, click Authorize next to the created role and the Edit Role Authorization Policy dialog appears.
2) Search for AliyunDTSRolePolicy in the search bar, and grant this policy to the role.
You have now created the role and granted it to another account.
Once the authorization is complete, you can configure cross-account migration or synchronization tasks under account B. When you configure a task, set Role Name in the source instance information to the name of the role that you created.