Data Transmission Service (DTS) supports data migration and synchronization between RDS instances that belong to different Alibaba Cloud accounts. This topic describes how to configure Resource Access Management (RAM) authorization for the Alibaba Cloud account to which the source instance belongs before you use DTS to migrate or synchronize data to the destination instance that belongs to a different Alibaba Cloud account.
Prerequisites
The Alibaba Cloud account to which the source instance belongs has authorized the RAM role of DTS to access the cloud resources of the account. For more information, see Authorize DTS to access Alibaba Cloud resources.
Background information
When you use DTS to migrate or synchronize data, you must configure RAM authorization for the Alibaba Cloud account to which the source instance belongs (Account A). You must specify the Alibaba Cloud account to which the destination instance belongs (Account B) as a trusted account, and then authorize Account B to access the cloud resources of Account A by using DTS.
Usage notes
- Two-way synchronization across Alibaba Cloud accounts is not supported.
- Data synchronization between accounts of different infrastructures is not supported, such as between an Alibaba Finance Cloud account and an Alibaba Gov Cloud account.
Procedure
- Use the Alibaba Cloud account to which the source instance belongs to create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
  Note: You can also directly grant permissions to an existing RAM role and modify the trust policy for the RAM role as described in Step 4. For more information about how to grant permissions to an existing RAM role, see Grant permissions to an existing RAM role.
- Find the created RAM role and click Input and Attach in the Actions column.
- Grant the AliyunDTSRolePolicy permission to the RAM role. For more information, see Method 2: Grant permissions to a RAM role by clicking Input and Attach on the Roles page.
  Important: We recommend that you use the Alibaba Cloud account to which the source instance belongs to grant permissions. Otherwise, an error message about invalid permissions may appear when you configure a DTS task.
- Modify the trust policy for the RAM role. For more information, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account. The following policy is attached to the RAM role:

  ```json
  {
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "RAM": [
            "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
          ],
          "Service": [
            "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
          ]
        }
      }
    ],
    "Version": "1"
  }
  ```

  Note: To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Account Management console by using this account. The account ID is displayed on the Security Settings page. Then, you must replace <ID of the Alibaba Cloud account to which the destination instance belongs> in the preceding statements with the obtained account ID.
- Click OK.
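The following check is an added example, not part of the original documentation or of Alibaba Cloud's tooling. It audits a role's trust policy document against the policy shown in Step 4 and reports unreplaced placeholders, missing principals, and any principal other than the destination account. The account ID, the sample policy, and the function names are constructed for illustration.

```python
import json

# Constructed sample: the page's trust policy with a made-up destination account ID.
DEST_ACCOUNT_ID = "1234567890123456"
SAMPLE_POLICY = json.dumps({
    "Statement": [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Principal": {
            "RAM": [f"acs:ram::{DEST_ACCOUNT_ID}:root"],
            "Service": [f"{DEST_ACCOUNT_ID}@dts.aliyuncs.com"],
        },
    }],
    "Version": "1",
})


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def audit_trust_policy(policy_json, dest_account_id):
    """Hypothetical helper: return findings; an empty list means the policy matches."""
    expected = {
        "RAM": {f"acs:ram::{dest_account_id}:root"},
        "Service": {f"{dest_account_id}@dts.aliyuncs.com"},
    }
    findings, seen = [], {"RAM": set(), "Service": set()}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"unexpected action: {stmt.get('Action')}")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal: {principal}")
            continue
        for kind, values in principal.items():
            for p in _as_list(values):
                if "<" in p:  # template text from the page was never filled in
                    findings.append(f"placeholder not replaced: {p}")
                elif p not in expected.get(kind, set()):
                    findings.append(f"unexpected {kind} principal: {p}")
                else:
                    seen[kind].add(p)
    for kind, want in expected.items():
        findings += [f"missing {kind} principal: {p}" for p in want - seen[kind]]
    return findings

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_POLICY, DEST_ACCOUNT_ID))
```

Run it against the policy document exported from the source account before configuring the DTS task; any finding means the role trusts something other than what Step 4 specifies, or does not yet trust the destination account.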
Grant permissions to an existing RAM role
- Log on to the RAM console by using the Alibaba Cloud account to which the source instance belongs.
  Important: We recommend that you use the Alibaba Cloud account to which the source instance belongs to grant permissions. Otherwise, an error message about invalid permissions may appear when you configure a DTS task.
- In the left-side navigation pane, choose .
- To the right of Create Role, enter the name of the RAM role in the search box.
- Find the RAM role and click Input and Attach in the Actions column.
- In the Add Permissions panel, set the Policy Name parameter to AliyunDTSRolePolicy.
  Note: By default, the Type parameter is set to System Policy.
- Click OK.