DTS supports data migration and synchronization between ApsaraDB for RDS instances that belong to different Alibaba Cloud accounts. This topic describes how to configure RAM authorization for the Alibaba Cloud account to which the source instance belongs if the destination instance belongs to a different Alibaba Cloud account.

Prerequisites

The Alibaba Cloud account to which the source instance belongs has authorized the RAM role of DTS to access the cloud resources of the account. For more information, see Authorize DTS to access cloud resources.

Instance types supported by cross-account data migration and synchronization

Feature Source instance type Destination instance type
Data migration RDS instance RDS instance
DRDS instance
HybridDB for MySQL instance
ApsaraDB for OceanBase instance
User-created database hosted on ECS
User-created database with a public IP address
Data synchronization RDS instance RDS instance
MaxCompute (previous name: ODPS) instance
Elasticsearch instance

Background information

When you use DTS for data migration or synchronization, you must configure RAM authorization for the Alibaba Cloud account to which the source instance belongs. You must specify the Alibaba Cloud account to which the destination instance belongs as a trusted account. This ensures that the destination account can access cloud resources of the Alibaba Cloud account to which the source instance belongs.

Note After authorization, you can create a data migration task or data synchronization task by using the Alibaba Cloud account to which the destination instance belongs.

Procedure

  1. Log on to the RAM console with the Alibaba Cloud account to which the source instance belongs.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
  4. On the Create RAM Role page, configure parameters for the RAM role.Configure parameters for the RAM role
    Parameter Description
    RAM Role Name Specify a name for the RAM role. In this example, enter ram-for-dts.
    Note The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).
    Note Optional. Specify the description for the RAM role.
    Select Trusted Alibaba Cloud Account Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account to which the destination instance belongs.
    Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Alibaba Cloud console with the account and go to the Account Management page.
    Obtain an Alibaba Cloud account ID
  5. Click OK.
  6. Click Input and Attach.单击精确授权
  7. On the Add Permissions page, select System Policy and enter AliyunDTSRolePolicy.Grant permissions
  8. Click OK.
  9. Click Close.
  10. On the RAM Roles page, find the newly created RAM role, and click the role name to view details.Click a RAM role name
  11. On the Basic Information page of the RAM role, click the Trust Policy Management tab.
  12. On the Trust Policy Management tab, click Edit Trust Policy, and copy the following sample statements to the page that appears. Modify the trust policy
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::<ID of Alibaba Cloud account to which the destination instance belongs>:root"
                    ],
                    "Service": [
                        "<ID of Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
    Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Alibaba Cloud console with the account and go to the Account Management page. Then, you must replace the ID of Alibaba Cloud account to which the destination instance belongs in the preceding statements with the obtained ID.
    Obtain an Alibaba Cloud account ID

After authorization, you can create a task to migrate or synchronize data between RDS instances that belong to different Alibaba Cloud accounts.

What to do next

Log on to the DTS console with the Alibaba Cloud account to which the destination instance belongs, and then create a data migration task or data synchronization task.

Note For more information about how to configure a data synchronization task, see Synchronize data between ApsaraDB RDS for MySQL instances that belong to different Alibaba Cloud accounts.