This topic describes how to configure Resource Access Management (RAM) authorization
for data migration or synchronization from a self-managed database in a virtual private
cloud (VPC) across different Alibaba Cloud accounts. After authorization, Data Transmission
Service (DTS) can read data from a VPC that belongs to another Alibaba Cloud account
when you configure data migration or synchronization. You can migrate or synchronize
data from a self-managed database that is connected over Express Connect across different
Alibaba Cloud accounts.
Prerequisites
The RAM role of DTS is authorized by the Alibaba Cloud account to which the Express
Connect circuit belongs to access the cloud resources of the account. For more information,
see Authorize DTS to access Alibaba Cloud resources.
Background information
An on-premises database or a database hosted on a third-party cloud is connected to
Alibaba Cloud VPC over Express Connect, VPN Gateway, or Smart Access Gateway. You
need to migrate data from the on-premises database or the database hosted on the third-party
cloud to an ApsaraDB RDS instance across different Alibaba Cloud accounts. The following
figure shows the architecture for this scenario.
Note Before you can use DTS to migrate or synchronize data from a self-managed database
in a VPC across different Alibaba Cloud accounts, you must perform the following steps:
Configure RAM authorization for the Alibaba Cloud account to which the Express Connect
circuit belongs (Account A), specify the Alibaba Cloud account to which the destination
instance belongs (Account B) as a trusted account, and then authorize Account B to
access the cloud resources of Account A.
Step 1: Create a RAM role and grant the default permission on DTS to the role
- Log on to the RAM console with the Alibaba Cloud account to which the Express Connect circuit belongs.
- In the left-side navigation pane, choose Identities > Roles.
- Click Create Role. In the Create Role panel, set Select Trusted Entity to Alibaba Cloud Account, and then click Next.
- In the Create Role panel, configure parameters for the RAM role.

| Parameter | Description |
| --- | --- |
| RAM Role Name | The name of the RAM role. In this example, enter ram-for-dts. Note The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-). |
| Note | Optional. The description for the RAM role. |
| Select Trusted Alibaba Cloud Account | Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account to which the destination instance belongs. Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Account Management console with this account. The account ID is displayed on the Security Settings page. |

- Click OK.
- Click Input and Attach.
- In the Add Permissions panel, select System Policy and enter AliyunDTSRolePolicy in the Policy Name field.
- Click OK.
- Click Close.
Step 2: Authorize the RAM role to access the VPC within another Alibaba Cloud account
- Log on to the RAM console with the Alibaba Cloud account to which the Express Connect circuit belongs.
- In the left-side navigation pane, choose Identities > Roles.
- Find the RAM role created in Step 1 and click the role name.
- On the Basic Information page of the RAM role, click Add Permissions.
- In the Add Permissions panel, enter AliyunVPCReadOnlyAccess in the search box and click the policy name to add the policy to the Selected section.
- Click OK.
- On the Basic Information page of the RAM role, click the Trust Policy Management tab.
- Click Edit Trust Policy, and replace the policy text with the following sample statements.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
                    ],
                    "Service": [
                        "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }

Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs,
you must log on to the Account Management console with this account. The account ID is displayed
on the Security Settings page. Then, you must replace the
<ID of the Alibaba Cloud account to which the destination instance belongs> in the preceding
statements with the obtained account ID.
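
The following check is an added example, not part of the original documentation or of any Alibaba Cloud tooling. It audits the trust policy text from Step 2 and reports any principal that is left as a placeholder or that trusts an account other than Account B. The function names and the account ID are constructed for illustration.

```python
import json
import re

# Principal forms used by the trust policy in Step 2.
PATTERNS = {
    "RAM": re.compile(r"^acs:ram::(\d+):root$"),
    "Service": re.compile(r"^(\d+)@dts\.aliyuncs\.com$"),
}


def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy_text, expected_account_id):
    """Return findings; an empty list means only Account B is trusted."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: unexpected Action")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal is not an object")
            continue
        for kind, entries in principal.items():
            if kind not in PATTERNS:
                findings.append(f"statement {i}: unexpected principal type {kind}")
                continue
            for entry in _as_list(entries):
                match = PATTERNS[kind].match(entry)
                if match is None:
                    findings.append(f"statement {i}: {kind} entry {entry!r} is not in the expected form")
                elif match.group(1) != expected_account_id:
                    findings.append(f"statement {i}: {kind} entry {entry!r} trusts another account")
    return findings


def sample_policy(ram_id, service_id):
    """Build the Step 2 policy text with constructed IDs (sample input)."""
    principal = {"RAM": [f"acs:ram::{ram_id}:root"],
                 "Service": [f"{service_id}@dts.aliyuncs.com"]}
    stmt = {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": principal}
    return json.dumps({"Statement": [stmt], "Version": "1"})


ACCOUNT_B = "1234567890123456"  # constructed account ID, not a real account
if __name__ == "__main__":
    print(audit_trust_policy(sample_policy(ACCOUNT_B, ACCOUNT_B), ACCOUNT_B))
```

Run it against the policy text copied from the Trust Policy Management tab before you save the role; principals in any form other than the two shown on this page are reported rather than silently accepted.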
