
Data Transmission Service:Configure RAM authorization for data transmission from a self-managed database in a VPC across Alibaba Cloud accounts

Last Updated:Nov 14, 2023

This topic describes how to configure Resource Access Management (RAM) authorization for data migration or synchronization from a self-managed database in a virtual private cloud (VPC) across different Alibaba Cloud accounts. After RAM authorization is complete, Data Transmission Service (DTS) can read data from a VPC that belongs to another Alibaba Cloud account when you configure a data migration or synchronization task. You can migrate or synchronize data from a self-managed database that is connected over Express Connect across different Alibaba Cloud accounts.

Prerequisites

The Alibaba Cloud account to which the Express Connect circuit belongs has authorized the RAM role of DTS to access the cloud resources of that account. For more information, see Authorize DTS to access Alibaba Cloud resources.

Background information

An on-premises database or a database hosted on a third-party cloud is connected to an Alibaba Cloud VPC over Express Connect, VPN Gateway, or Smart Access Gateway. You need to synchronize or migrate data from the on-premises database or the database hosted on the third-party cloud to a cloud database of an Alibaba Cloud account over the VPC.

Important

Before you can use DTS to synchronize or migrate data from a self-managed database in a VPC across different Alibaba Cloud accounts, you must perform the following steps: Configure RAM authorization for the Alibaba Cloud account to which the Express Connect circuit belongs (Account A), specify the Alibaba Cloud account to which the destination instance belongs (Account B) as a trusted account, and then authorize Account B to access the cloud resources of Account A.

Usage notes

You can synchronize or migrate data from a self-managed database in a VPC across Alibaba Cloud accounts when the self-managed database is used as the source database. If the self-managed database is used as the destination database, you cannot synchronize or migrate data to the self-managed database in the VPC across Alibaba Cloud accounts.

Step 1: Create a RAM role and grant the default permission on DTS to the RAM role

  1. Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.

  2. In the left-side navigation pane, choose Identities > Roles.

    Important

    Do not choose Identities > Users. Otherwise, DTS cannot access the instance, and an error will be reported.

  3. On the Roles page, click Create Role.
  4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

  5. Configure parameters for the RAM role.
    1. Specify RAM Role Name.
    2. Optional: Specify Note.
    3. Select Current Alibaba Cloud Account or Other Alibaba Cloud Account.
      • Current Alibaba Cloud Account: If you want a RAM user that belongs to your Alibaba Cloud account to assume the RAM role, select Current Alibaba Cloud Account.
      • Other Alibaba Cloud Account: If you want a RAM user that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account. This option is provided to authorize different Alibaba Cloud accounts.
        Note You can view the ID of an Alibaba Cloud account on the Security Settings page.
  6. Click OK.
  7. Click Input and Attach.

  8. In the Add Permissions panel, select System Policy for Type.

  9. In the Policy Name field, enter AliyunDTSRolePolicy.

  10. Click OK.
  11. Click Close.

Step 2: Authorize the RAM role to access the VPC within another Alibaba Cloud account

  1. Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.

  2. In the left-side navigation pane, choose Identities > Roles.

    Important

    Do not choose Identities > Users. Otherwise, DTS cannot access the instance, and an error will be reported.

  3. Find the RAM role that you created in Step 1 and click the role name.

  4. On the Permissions tab, click Grant Permission.

  5. In the Grant Permission panel, attach the AliyunVPCReadOnlyAccess policy to the RAM role.

    1. Set the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
    3. Attach a policy to the RAM role.

      Enter AliyunVPCReadOnlyAccess in the search box and click the policy name to add the policy to the Selected section.

      Note You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.
  6. Click OK.

  7. Click Complete.

  8. On the Basic Information page of the RAM role, click the Trust Policy Management tab.

  9. Click Edit Trust Policy. In the Edit Trust Policy panel, replace the policy content with the following sample code.

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
                    ],
                    "Service": [
                        "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }

    Note

    To obtain the ID of the Alibaba Cloud account to which the destination instance belongs (Account B), log on to the Account Management page by using that account. The account ID is displayed on the Security Settings page. Then, replace both occurrences of <ID of the Alibaba Cloud account to which the destination instance belongs> in the preceding sample code with the account ID that you obtained.

  10. Click OK.
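As an added check that is not part of the original topic: the following Python renders the trust policy above for a given Account B ID and lints it before you save it, flagging a leftover placeholder, a wildcard principal, a RAM or Service principal that names a different account, or a missing principal. The 16-digit account ID is a constructed sample value and the function names are my own.

```python
import re

# Constructed sample value (not from the original page): a fictitious
# 16-digit Alibaba Cloud account ID standing in for Account B.
ACCOUNT_B_ID = "1234567890123456"

# The two principal forms used by the trust policy on this page.
PRINCIPAL_FORMS = {
    "RAM": re.compile(r"^acs:ram::(\d{16}):root$"),
    "Service": re.compile(r"^(\d{16})@dts\.aliyuncs\.com$"),
}

def build_trust_policy(account_b_id: str) -> dict:
    """Render the page's trust policy with Account B's ID filled in."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [f"acs:ram::{account_b_id}:root"],
                "Service": [f"{account_b_id}@dts.aliyuncs.com"],
            },
        }],
        "Version": "1",
    }

def check_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings; an empty list means only Account B may assume the role."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = policy.get("Statement", [])
    if len(statements) != 1:
        findings.append(f"expected 1 statement, found {len(statements)}")
    for stmt in statements:
        if (stmt.get("Effect"), stmt.get("Action")) != ("Allow", "sts:AssumeRole"):
            findings.append("statement must allow exactly sts:AssumeRole")
        principal = stmt.get("Principal", {})
        for kind, pattern in PRINCIPAL_FORMS.items():
            entries = principal.get(kind) or []
            if not entries:
                findings.append(f"missing {kind} principal")
            for entry in entries:
                match = pattern.match(entry)
                if match is None:  # leftover "<ID of ...>" placeholder or a wildcard
                    findings.append(f"malformed {kind} principal: {entry!r}")
                elif match.group(1) != expected_account_id:
                    findings.append(f"{kind} principal trusts unexpected account {match.group(1)}")
    return findings
```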

Step 3: Configure a data synchronization or migration task

  1. Log on to the Data Management (DMS) console by using the Alibaba Cloud account to which the destination instance belongs.

  2. Go to the task management page that corresponds to your scenario.

    Note

    The operations that you perform may vary based on the mode and layout of the DMS console. For more information, see Simple mode and Customize the layout and style of the DMS console.

  3. Create a DTS task that migrates or synchronizes data across Alibaba Cloud accounts based on the type of the source and destination databases. For more information, see Overview of data synchronization scenarios, Overview of data migration scenarios, and Overview of change tracking scenarios.

    Note
    • You must set the Access Method parameter of the source database to Express Connect, VPN Gateway, or Smart Access Gateway and the Replicate Data Across Alibaba Cloud Accounts parameter to Yes.

    • If an error occurs when you set the Connected VPC parameter for the source database, refer to the solutions that are described in the Troubleshooting section of the "Synchronize or migrate data across Alibaba Cloud accounts" topic.