Data Online Migration: Preparations

Last Updated: Apr 22, 2025

This topic describes the operations that you must perform before you migrate data.

Step 1: Create an inventory for the source bucket

For more information about how to create a bucket inventory, see Bucket inventory.

Step 2: Create a destination bucket

Create an Object Storage Service (OSS) bucket as the destination to store the migrated data. For more information, see Create buckets.

Step 3: Create a RAM user and grant permissions to the RAM user

Important
  • The Resource Access Management (RAM) user is used to perform the data migration task. You must create RAM roles and perform the data migration task as the RAM user. We recommend that you create the RAM user within the Alibaba Cloud account that owns the source or destination OSS bucket.

  • For more information, see Create a RAM user and grant permissions to the RAM user.

Log on to the RAM console with an Alibaba Cloud account. On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.

  1. System policy: Attach the AliyunOSSImportFullAccess policy to the RAM user.

  2. Custom policy: Attach a custom policy that includes the ram:CreateRole, ram:CreatePolicy, ram:AttachPolicyToRole, and ram:ListRoles permissions to the RAM user.

    For more information about how to attach a custom policy, see Create a custom policy. The following sample code provides an example of a custom policy.

    {
        "Version":"1",
        "Statement":[
            {
                "Effect":"Allow",
                "Action":[
                    "ram:CreateRole",
                    "ram:CreatePolicy",
                    "ram:AttachPolicyToRole",
                    "ram:ListRoles"
                ],
                "Resource":"*"
            }
        ]
    }

Step 4: Grant permissions on the source bucket

Perform the corresponding operations based on whether the source bucket belongs to the current Alibaba Cloud account.

Note

The current Alibaba Cloud account refers to the account that is used to log on to the Data Online Migration console. The operations vary based on whether the source bucket belongs to the current Alibaba Cloud account.

The source bucket belongs to the current Alibaba Cloud account

  • Automatic authorization

    We recommend that you use automatic authorization in the Data Online Migration console. For more information, see the "Step 2: Create a source data address" section of the Migrate data topic.

  • Manual authorization

Note

You can perform manual authorization in the following scenarios:

  • You want to grant permissions on multiple source buckets to a RAM role. This allows you to effectively manage multiple source buckets.

  • You do not want to create more RAM roles because the number of RAM roles within the current Alibaba Cloud account is close to the upper limit.

  • Automatic authorization is not applicable or cannot be used.

1. Create a RAM role that is used to migrate data

Log on to the RAM console. On the Roles page, click Create Role.

  1. Principal Type: Select Cloud Service.

  2. Principal Name: Select Data Transport.

  3. Role Name: Enter the RAM role name in lowercase.

2. Grant permissions on the source bucket to the RAM role

On the Roles page, find the created RAM role and click Grant Permission in the Actions column.

  • Custom policy: Attach a custom policy that includes the oss:List* and oss:Get* permissions to the RAM role.

For more information about how to attach a custom policy, see Create a custom policy. The following sample code provides an example of a custom policy.

Note

The following policy is only for reference. Replace <mySrcBucket> with the name of the source bucket.

For more information about RAM policies for OSS, see Common examples of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Resource": [
        "acs:oss:*:*:<mySrcBucket>",
        "acs:oss:*:*:<mySrcBucket>/*"
      ]
    }
  ]
}

The source bucket does not belong to the current Alibaba Cloud account

1. Create a RAM role that is used to migrate data

Log on to the RAM console in which the RAM user is created. On the Roles page, click Create Role.

  1. Principal Type: Select Cloud Service.

  2. Principal Name: Select Data Transport.

  3. Role Name: Enter the RAM role name in lowercase.

2. Grant permissions on the source bucket to the RAM role

Important

If you configure a bucket policy by specifying policy statements to grant the RAM role the required permissions, the new bucket policy overwrites the existing bucket policy. Make sure that the new bucket policy contains the content of the existing bucket policy. Otherwise, the authorization based on the existing bucket policy may fail.

  1. Log on to the OSS console with the Alibaba Cloud account that owns the source bucket.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the source bucket.

  3. In the left-side pane of the bucket details page, choose Permission Control > Bucket Policy.

  4. On the Bucket Policy tab, click Add by Syntax. On the page that appears, click Edit, enter the custom bucket policy in the code editor, and then click Save.

    • Grant the RAM role the permissions to list and read all resources in the source bucket.

Note

The following policy is only for reference. Replace <otherSrcBucket> with the name of the source bucket, <otherUid> with the ID of the Alibaba Cloud account that owns the source bucket, <myUid> with the ID of the Alibaba Cloud account that is used to log on to the Data Online Migration console, and <roleName> with the name of the RAM role that you created. For more information about RAM policies for OSS, see Common examples of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Principal": [
         "arn:sts::<myUid>:assumed-role/<roleName>/*"
      ],
      "Resource": [
        "acs:oss:*:<otherUid>:<otherSrcBucket>",
        "acs:oss:*:<otherUid>:<otherSrcBucket>/*"
      ]
    }
  ]
}
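
A pre-save check for the bucket policies in Steps 4 to 6, as an added example that is not part of the original documentation: it flags unreplaced <placeholder> tokens, Resource entries that name different buckets, and Allow actions outside the set this page lists for the bucket's role. The role labels (source, inventory, destination), account IDs, and bucket names are constructed for illustration.

```python
import json
import re

# Action sets this page lists for each bucket role (role labels are illustrative).
ALLOWED = {
    "source": {"oss:List*", "oss:Get*"},
    "inventory": {"oss:List*", "oss:Get*"},
    "destination": {"oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"},
}
PLACEHOLDER = re.compile(r"<[^<>\s]+>")


def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def bucket_of(resource):
    """Bucket name from acs:oss:<region>:<uid>:<bucket>[/<key>]; other forms pass through."""
    parts = resource.split(":", 4)
    return parts[4].split("/", 1)[0] if len(parts) == 5 else resource


def check_policy(policy_text, role):
    """Return findings for a policy intended for a bucket in the given role."""
    findings = [f"unreplaced placeholder {t}" for t in sorted(set(PLACEHOLDER.findall(policy_text)))]
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(as_list(stmt.get("Action"))) - ALLOWED[role]
        if extra:
            findings.append(f"statement {i}: actions beyond {role} role: {sorted(extra)}")
        buckets = {bucket_of(r) for r in as_list(stmt.get("Resource"))}
        if len(buckets) > 1:
            findings.append(f"statement {i}: resources name different buckets: {sorted(buckets)}")
    return findings


# Constructed sample: a source-bucket policy with a write action and a mistyped bucket name.
SAMPLE = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:List*", "oss:Get*", "oss:Put*"],
    "Principal": ["arn:sts::1111111111111111:assumed-role/migration-role/*"],
    "Resource": ["acs:oss:*:2222222222222222:src-bucket",
                 "acs:oss:*:2222222222222222:src-bukcet/*"],
}]})

if __name__ == "__main__":
    print("\n".join(check_policy(SAMPLE, "source")))
```

An empty result means the policy passed all three checks for that role.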

Step 5: Grant permissions on the bucket that stores inventory lists

Perform the corresponding operations based on whether the bucket that stores inventory lists belongs to the current Alibaba Cloud account.

The bucket that stores inventory lists belongs to the current Alibaba Cloud account

  • Automatic authorization

    We recommend that you complete the authorization in the Data Online Migration console. For more information, see the "Step 2: Create a source data address" section of the Migrate data topic.

  • Manual authorization

    Grant permissions on the bucket that stores inventory lists

    On the Roles page, find the created RAM role and click Grant Permission in the Actions column.

    • Custom policy: Attach a custom policy that includes the oss:List* and oss:Get* permissions to the RAM role.

    For more information about how to attach a custom policy, see Create a custom policy. The following sample code provides an example of a custom policy.

    Note

    The following policy is only for reference. Replace <myInvBucket> with the name of the bucket that stores inventory lists.

    For more information about RAM policies for OSS, see Common examples of RAM policies.

    Important

    If server-side encryption by using Key Management Service managed keys (SSE-KMS) is configured for the bucket that stores inventory lists, you must attach the AliyunKMSFullAccess system policy to the RAM role.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:List*",
            "oss:Get*"
          ],
          "Resource": [
            "acs:oss:*:*:<myInvBucket>",
            "acs:oss:*:*:<myInvBucket>/*"
          ]
        }
      ]
    }

The bucket that stores inventory lists does not belong to the current Alibaba Cloud account

1. Grant permissions on the bucket that stores inventory lists

  1. Log on to the OSS console with the Alibaba Cloud account that owns the bucket that stores inventory lists.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the bucket that stores inventory lists.

  3. In the left-side navigation pane, choose Permission Control > Bucket Policy.

  4. On the Bucket Policy tab, click Add by Syntax. On the page that appears, click Edit, enter the custom bucket policy in the code editor, and then click Save.

  • Custom policy:

    Grant the RAM role the permissions to list and read all resources in the bucket that stores inventory lists.

    Note

    The following policy is only for reference. Replace <otherInvBucket> with the name of the bucket that stores inventory lists, <myUid> with the ID of the Alibaba Cloud account that is used to log on to the Data Online Migration console, <otherUid> with the ID of the Alibaba Cloud account that owns the bucket that stores inventory lists, and <roleName> with the name of the RAM role that you created. For more information about RAM policies for OSS, see Common examples of RAM policies.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:List*",
            "oss:Get*"
          ],
          "Principal": [
             "arn:sts::<myUid>:assumed-role/<roleName>/*"
          ],
          "Resource": [
            "acs:oss:*:<otherUid>:<otherInvBucket>",
            "acs:oss:*:<otherUid>:<otherInvBucket>/*"
          ]
        }
      ]
    }

2. Configure a policy for a custom key

  1. If server-side encryption by using SSE-KMS is configured for the bucket that stores inventory lists, you must attach the AliyunKMSFullAccess system policy to the RAM role.

  2. If a custom key of KMS is used to encrypt data in the bucket that stores inventory lists, perform the following steps to configure a policy for the custom key:

    1. Log on to the KMS console and find the custom key.

    2. On the Key Policy tab of the details page, click Configure Key Policy. In the Key Policy panel, enter the ARN of the RAM role in the Cross-account User field. For more information, see Configure a key policy.

Step 6: Grant permissions on the destination bucket

Perform the corresponding operations based on whether the destination bucket belongs to the current Alibaba Cloud account.

The destination bucket belongs to the current Alibaba Cloud account

  • Automatic authorization

    We recommend that you use automatic authorization in the Data Online Migration console. For more information, see the "Step 3: Create a destination data address" section of the Migrate data topic.

  • Manual authorization

    1. Grant permissions on the destination bucket to the RAM role

    On the Roles page, find the created RAM role and click Grant Permission in the Actions column.

    • Custom policy: Attach a custom policy that includes the oss:List*, oss:Get*, oss:Put*, and oss:AbortMultipartUpload permissions to the RAM role.

    For more information about how to attach a custom policy, see Create a custom policy. The following sample code provides an example of the custom policy:

    Note

    The following policy is only for reference. Replace <myDestBucket> with the name of the destination bucket.

    For more information about RAM policies for OSS, see Common examples of RAM policies.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:List*",
            "oss:Get*",
            "oss:Put*",
            "oss:AbortMultipartUpload"
          ],
          "Resource": [
            "acs:oss:*:*:<myDestBucket>",
            "acs:oss:*:*:<myDestBucket>/*"
          ]
        }
      ]
    }

The destination bucket does not belong to the current Alibaba Cloud account

1. Grant permissions on the destination bucket to the RAM role

Important

If you configure a bucket policy by specifying policy statements to grant the RAM role the required permissions, the new bucket policy overwrites the existing bucket policy. Make sure that the new bucket policy contains the content of the existing bucket policy. Otherwise, the authorization based on the existing bucket policy may fail.

  1. Log on to the OSS console with the Alibaba Cloud account that owns the destination bucket.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the destination bucket.

  3. In the left-side pane of the bucket details page, choose Permission Control > Bucket Policy.

  4. On the Bucket Policy tab, click Add by Syntax. On the page that appears, click Edit, enter the custom bucket policy in the code editor, and then click Save.

    • Grant the RAM role the permissions to list, read, and delete objects in and write objects to the destination bucket.

Note

The following policy is only for reference. Replace <otherDestBucket> with the name of the destination bucket, <otherUid> with the ID of the Alibaba Cloud account that owns the destination bucket, <myUid> with the ID of the Alibaba Cloud account that is used to log on to the Data Online Migration console, and <roleName> with the name of the RAM role that you created. For more information about RAM policies for OSS, see Common examples of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Principal": [
         "arn:sts::<myUid>:assumed-role/<roleName>/*"
      ],
      "Resource": [
        "acs:oss:*:<otherUid>:<otherDestBucket>",
        "acs:oss:*:<otherUid>:<otherDestBucket>/*"
      ]
    }
  ]
}
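
The overwrite warning in Step 4 and in this step, worked through as an added example (not part of the original documentation): build the migration statement, append it to the bucket's existing policy instead of replacing that policy, and confirm that a policy about to be saved still contains every existing statement. The account IDs, role names, bucket name, and the existing statement are constructed for illustration.

```python
import json

# Actions this page lists for the destination bucket.
DEST_ACTIONS = ["oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"]


def migration_statement(my_uid, role_name, owner_uid, bucket, actions):
    """Cross-account statement in the shape used by this page's sample policies."""
    return {
        "Effect": "Allow",
        "Action": list(actions),
        "Principal": [f"arn:sts::{my_uid}:assumed-role/{role_name}/*"],
        "Resource": [f"acs:oss:*:{owner_uid}:{bucket}", f"acs:oss:*:{owner_uid}:{bucket}/*"],
    }


def _canon(stmt):
    """Key-order-independent form of a statement, used for comparison."""
    return json.dumps(stmt, sort_keys=True)


def merge_policy(existing_text, new_stmt):
    """Policy JSON holding every existing statement plus new_stmt, added only once."""
    policy = json.loads(existing_text) if existing_text.strip() else {"Version": "1", "Statement": []}
    if _canon(new_stmt) not in {_canon(s) for s in policy["Statement"]}:
        policy["Statement"].append(new_stmt)
    return json.dumps(policy, indent=2)


def missing_statements(existing_text, candidate_text):
    """Statements of the existing policy that saving the candidate would drop."""
    kept = {_canon(s) for s in json.loads(candidate_text).get("Statement", [])}
    return [s for s in json.loads(existing_text).get("Statement", []) if _canon(s) not in kept]


# Constructed sample: a policy already in force on the destination bucket.
EXISTING = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:Get*"],
    "Principal": ["arn:sts::3333333333333333:assumed-role/reporting-role/*"],
    "Resource": ["acs:oss:*:2222222222222222:dest-bucket/*"],
}]})

if __name__ == "__main__":
    stmt = migration_statement("1111111111111111", "migration-role",
                               "2222222222222222", "dest-bucket", DEST_ACTIONS)
    merged = merge_policy(EXISTING, stmt)
    print(merged)
    print("dropped by merge:", len(missing_statements(EXISTING, merged)))
```

Run missing_statements against whatever text is about to be pasted into the Add by Syntax editor; a non-empty result lists the existing grants that would be lost on Save.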

Step 7: Restore the data to be migrated in the source bucket

Before you create a migration task to migrate data of the Archive storage class, you must manually restore the data. Take note of the following items when you restore the data:

  • Before you create a source data address and a migration task, make sure that data of the Archive storage class is restored.

  • Specify the number of days during which the restored data remains in the restored state based on the amount of data that you want to migrate. This can prevent data from entering the archived state during data migration.

  • You may be charged for the restoration operation. The fee may be relatively high. For more information about the billing methods, contact the service provider that offers the source bucket.

Note

Data Online Migration does not restore data in archived objects at the source data address during data migration. The objects that are not restored or are being restored cannot be migrated.

For more information about how to restore archived objects in an OSS bucket, see Restore objects.