This topic outlines the steps to prepare for data migration.
Step 1: Create an account SAS token
When you grant permissions, ensure that:
The Container resource type is allowed.
The Read and List permissions are granted.
The permissions remain valid throughout the migration.
For security, we recommend creating an account-level Shared Access Signature (SAS) with read-only permissions for the source data. For more information, see Create an account SAS.
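The three requirements above map to fields of the SAS query string, so a token can be checked before it is entered in a migration task. The following is an added example, not part of the original documentation; the sample tokens and the planned end date are constructed, and the function name is hypothetical.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample tokens; the signatures are placeholders, not real ones.
GOOD_SAS = "sv=2022-11-02&ss=b&srt=co&sp=rl&se=2030-02-01T00:00:00Z&spr=https&sig=CONSTRUCTED"
BAD_SAS = "?sv=2022-11-02&ss=b&srt=o&sp=rwdl&se=2030-01-10T00:00:00Z&spr=https&sig=CONSTRUCTED"


def check_account_sas(sas, migration_end):
    """Return findings for an account SAS; an empty list means it passes."""
    fields = {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}
    findings = []

    # srt = signed resource types: s (service), c (container), o (object).
    if "c" not in fields.get("srt", ""):
        findings.append("srt: Container resource type is not allowed")

    # sp = signed permissions, one letter each: r (Read), l (List), w, d, ...
    perms = set(fields.get("sp", ""))
    for letter, name in (("r", "Read"), ("l", "List")):
        if letter not in perms:
            findings.append("sp: %s permission is missing" % name)
    extra = perms - {"r", "l"}
    if extra:
        findings.append("sp: not read-only, extra permissions: " + "".join(sorted(extra)))

    # se = signed expiry (ISO 8601, UTC); it must outlast the migration.
    try:
        expiry = datetime.fromisoformat(fields["se"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        findings.append("se: expiry is missing or unparseable")
    else:
        if expiry.tzinfo is None:  # date-only form carries no time zone
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= migration_end:
            findings.append("se: token expires before the migration ends")
    return findings


if __name__ == "__main__":
    planned_end = datetime(2030, 1, 15, tzinfo=timezone.utc)  # assumed end date
    for token in (GOOD_SAS, BAD_SAS):
        print(check_account_sas(token, planned_end) or "OK")
```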
Step 2: Create a destination bucket
Create a destination bucket to store the migrated data. For more information, see Create a bucket.
Step 3: Create and authorize a RAM user
This RAM user will be used to create roles and perform migration tasks. For best practice, create this user in the same Alibaba Cloud account as your source or destination bucket.
If you have not created a RAM user, see Quick start: Create a RAM user and grant permissions.
Log on to the RAM console. On the Users page, find your RAM user and click Add Permissions in the Actions column.
System policy: AliyunOSSImportFullAccess (Permissions for managing Online Migration Service).
Custom policy: This policy must include the ram:CreateRole, ram:CreatePolicy, ram:AttachPolicyToRole, and ram:ListRoles permissions.
For more information, see Create a custom policy. The following is an example policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateRole",
        "ram:CreatePolicy",
        "ram:AttachPolicyToRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
Step 4: Authorize the RAM role for the destination bucket
The required steps depend on whether the destination bucket is in the same account or a different one.
Same-account destination
Automatic authorization
We recommend using automatic authorization in the Data Online Migration console. For more information, see Step 3: Create a destination data address of the Migrate data topic.
Manual authorization
Note: Perform manual authorization in the following scenarios:
To grant a single RAM role permissions to access multiple source buckets for centralized management.
When your account is nearing its RAM role limit and you prefer not to create new ones.
Automatic authorization is not applicable or cannot be used.
1. Create a RAM role for migration
Log on to the RAM console in which the RAM user is created. On the Roles page, click Create Role.
Principal Type: Select Cloud Service.
Principal Name: Select Data Transport.
Role Name: Enter the RAM role name. The RAM role name must be in lowercase.


2. Grant permissions to the RAM role
On the Roles page, find the created RAM role and click Grant Permission in the Actions column.
Custom policy: Attach a custom policy that includes the oss:List*, oss:Get*, oss:Put*, and oss:AbortMultipartUpload* permissions to the RAM role.
For more information about how to attach a custom policy, see Create a custom policy. The following sample code provides an example of the custom policy:
Note: The following policy is only for reference. Replace <myDestBucket> with the name of the destination bucket.
For more information about RAM policies for OSS, see Common examples of RAM policies.
Important: If the destination bucket uses SSE-KMS encryption, you must attach the AliyunKMSFullAccess system policy to the RAM role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Resource": [
        "acs:oss:*:*:<myDestBucket>",
        "acs:oss:*:*:<myDestBucket>/*"
      ]
    }
  ]
}
Cross-account destination
1. Create a RAM role for migration
Log on to the RAM console in which the RAM user is created. On the Roles page, click Create Role.
Principal Type: Select Cloud Service.
Principal Name: Select Data Transport.
Role Name: Enter the RAM role name. The RAM role name must be in lowercase.


2. Grant permissions to the RAM role
Adding a new bucket policy will overwrite any existing policy. Ensure that your new policy includes all statements from the previous policy to avoid breaking existing permissions.
Log on to the OSS console with the Alibaba Cloud account that owns the destination bucket.
In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the destination bucket.
In the left-side pane of the bucket details page, choose Permission Control > Bucket Policy.
On the Bucket Policy tab, click Add by Syntax and then click Edit. In the code editor, enter the custom bucket policy. Then, click Save.
Grant the RAM role full object permissions (list, read, write, and delete) for the destination bucket.
The following policy serves as a template. Before using it, replace the placeholders with your actual values. For more information about RAM policies for OSS, see Common examples of RAM policies.
<otherDestBucket>: The name of the destination bucket.
<otherUid>: The ID of the Alibaba Cloud account that owns the destination bucket.
<myUid>: The ID of your current Alibaba Cloud account (the one used for migration).
<roleName>: The name of the RAM role you created.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Principal": [
        "arn:sts::<myUid>:assumed-role/<roleName>/*"
      ],
      "Resource": [
        "acs:oss:*:<otherUid>:<otherDestBucket>",
        "acs:oss:*:<otherUid>:<otherDestBucket>/*"
      ]
    }
  ]
}
3. Configure a policy for a custom key
If SSE-KMS is configured for the destination bucket, you must attach the AliyunKMSFullAccess system policy to the RAM role.
If the destination bucket is encrypted with a custom KMS key, you must also configure the key's policy:
Log on to the KMS console and find the custom key.
On the Key Policy tab of the details page, click Configure Key Policy. In the Key Policy panel, enter the ARN of the RAM role in the Cross-account User field. For more information, see Configure a key policy.
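Because saving a bucket policy in the cross-account procedure above overwrites the existing one, the text to paste should be the current policy plus the migration statement. The following is an added example, not part of the original documentation, that builds the merged policy from the template; the account IDs, bucket name, role name, existing statement and function names are all constructed for illustration.

```python
import copy
import json

LIST_KEYS = ("Action", "Principal", "Resource")


def migration_statement(my_uid, role_name, other_uid, bucket):
    """Fill in the page's cross-account template for the migration role."""
    if role_name != role_name.lower():
        raise ValueError("RAM role name must be in lowercase")
    return {
        "Effect": "Allow",
        "Action": ["oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"],
        "Principal": ["arn:sts::%s:assumed-role/%s/*" % (my_uid, role_name)],
        "Resource": ["acs:oss:*:%s:%s" % (other_uid, bucket),
                     "acs:oss:*:%s:%s/*" % (other_uid, bucket)],
    }


def _canon(stmt):
    """Order-insensitive form of a statement, used to spot duplicates."""
    norm = dict(stmt)
    for key in LIST_KEYS:
        if key in norm:
            value = norm[key]
            norm[key] = sorted([value] if isinstance(value, str) else value)
    return json.dumps(norm, sort_keys=True)


def merge_bucket_policy(existing, new_stmt):
    """Return a copy of the existing policy with new_stmt added exactly once."""
    merged = copy.deepcopy(existing) if existing else {"Version": "1", "Statement": []}
    if _canon(new_stmt) not in {_canon(s) for s in merged["Statement"]}:
        merged["Statement"].append(copy.deepcopy(new_stmt))
    return merged


# Constructed example of a policy already attached to the destination bucket.
EXISTING = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:GetObject"],
    "Principal": ["3333333333333333"],
    "Resource": ["acs:oss:*:2222222222222222:example-dest-bucket/*"]}]}

if __name__ == "__main__":
    stmt = migration_statement("1111111111111111", "migration-role",
                               "2222222222222222", "example-dest-bucket")
    print(json.dumps(merge_bucket_policy(EXISTING, stmt), indent=2))
```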

Step 5: Restore archived source data
You must manually restore objects from the Archive storage class before creating a source data address and migration task.
Set the restoration period (the number of days the object stays restored) to be long enough to complete the entire migration. This prevents objects from returning to the archived state mid-migration.
You may be charged for the restoration operation. The fee may be relatively high. For more information about the billing methods, contact the service provider that offers the source bucket.
Data Online Migration will not automatically restore archived objects. Objects that are still archived or in the process of being restored cannot be migrated and will be skipped.
For instructions on how to restore objects in Alibaba Cloud OSS, see Restore Objects.
For more information about how to restore files in Azure Blob, see Blob rehydration from the archive tier.