Data Transmission Service (DTS) supports data migration and synchronization between RDS instances that belong to different Alibaba Cloud accounts. This topic describes how to configure Resource Access Management (RAM) authorization for the Alibaba Cloud account to which the source instance belongs if the destination instance belongs to a different Alibaba Cloud account.

Prerequisites

The Alibaba Cloud account to which the source instance belongs has authorized the RAM role of DTS to access the cloud resources of the account. For more information, see Authorize DTS to access Alibaba Cloud resources.

Background information

When you use DTS to migrate or synchronize data, you must configure RAM authorization for the Alibaba Cloud account to which the source instance belongs (Account A). You must specify the Alibaba Cloud account to which the destination instance belongs (Account B) as a trusted account and then authorize Account B to access the cloud resources of Account A by using DTS.

Note After authorization, you can create a data migration task or data synchronization task by using the Alibaba Cloud account to which the destination instance belongs.

Procedure

  1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
  2. Find the created RAM role and click Input and Attach in the Actions column.
  3. Grant permissions to the RAM role. For more information, see Method 2: Grant permissions to a RAM role by clicking Input and Attach on the Roles page.
    Note The permission policy that you want to attach to the RAM role is AliyunDTSRolePolicy.
  4. Modify the trust policy for the RAM role. For more information, see Example 1: Change the trusted entity of a RAM role to an Alibaba Cloud account. The following policy is attached to the RAM role:
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
                    ],
                    "Service": [
                        "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
    Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Account Management console by using this account. The account ID is displayed on the Security Settings page. Then, you must replace the <ID of the Alibaba Cloud account to which the destination instance belongs> in the preceding statements with the obtained account ID.
  5. Click OK.

What to do next

After authorization, you can create a task to migrate or synchronize data between RDS instances that belong to different Alibaba Cloud accounts. For more information, see Synchronize or migrate data across Alibaba Cloud accounts.