Configure RAM authorization for data migration or synchronization from a self-managed database in a VPC across different Alibaba Cloud accounts - Data Transmission Service

This topic describes how to configure Resource Access Management (RAM) authorization for data migration or synchronization from a self-managed database in a virtual private cloud (VPC) across different Alibaba Cloud accounts. After authorization, Data Transmission Service (DTS) can read data from a VPC that belongs to another Alibaba Cloud account when you configure data migration or synchronization. You can migrate or synchronize data from a self-managed database that is connected over Express Connect across different Alibaba Cloud accounts.

Prerequisites

The RAM role of DTS is authorized by the Alibaba Cloud account to which the Express Connect circuit belongs to access the cloud resources of the account. For more information, see Authorize DTS to access Alibaba Cloud resources.

Background information

An on-premises database or a database hosted on a third-party cloud is connected to Alibaba Cloud VPC over Express Connect, VPN Gateway, or Smart Access Gateway. You need to migrate data from the on-premises database or the database hosted on the third-party cloud to an ApsaraDB RDS instance across different Alibaba Cloud accounts. The following figure shows the architecture for this scenario.

Note Before you can use DTS to migrate or synchronize data from a self-managed database in a VPC across different Alibaba Cloud accounts, you must perform the following steps: Configure RAM authorization for the Alibaba Cloud account to which the Express Connect circuit belongs (Account A), specify the Alibaba Cloud account to which the destination instance belongs (Account B) as a trusted account, and then authorize Account B to access the cloud resources of Account A.

Step 1: Create a RAM role and grant the default permission on DTS to the role

Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.
In the left-side navigation pane, click RAM Roles.
On the RAM Roles page, click Create RAM Role.
In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
Specify the RAM Role Name and Note parameters.
Select Current Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account field and click OK.

Note If you select Other Alibaba Cloud Account, you must enter the ID of the Alibaba Cloud account.
On the Roles page, find the RAM role to which you want to grant permissions and click Input and Attach in the Actions column.
In the Add Permissions panel, select System Policy and enter AliyunDTSRolePolicy in the Policy Name field.
Click OK.
Click Close.

Step 2: Authorize the RAM role to access the VPC within another Alibaba Cloud account

Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.
In the left-side navigation pane, click RAM Roles.
Find the RAM role created in Step 1 and click the role name.
On the Permissions tab of the page that appears, click Grant Permission.
In the Grant Permission panel, attach the AliyunVPCReadOnlyAccess policy to the RAM role.
1. Select the authorization scope.
  - Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
  - Specific Resource Group: The authorization takes effect in a specific resource group.
    
    Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
2. Specify the principal.
  The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
3. Select policies.
  
  Enter AliyunVPCReadOnlyAccess in the search box and click the policy name to add the policy to the Selected section.
  
  Note You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
Click OK.
Click Complete.
On the Basic Information page of the RAM role, click the Trust Policy Management tab.
Click Edit Trust Policy, and replace the policy content with the following sample statements.
```
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [
                    "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
                ],
                "Service": [
                    "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
```
Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Account Management console by using this account. The account ID is displayed on the Security Settings page. Then, you must replace the <ID of the Alibaba Cloud account to which the destination instance belongs> in the preceding statements with the obtained account ID.
Click OK.

Configurations for data synchronization or migration across different Alibaba Cloud accounts

Synchronize or migrate data across Alibaba Cloud accounts