In Data Management Service (DMS), resources are isolated by Alibaba Cloud account. To access resources from another Alibaba Cloud account or register your resources in the DMS of another account, you must perform a cross-account operation. This topic describes how to access and register resources across Alibaba Cloud accounts.
Register an instance across Alibaba Cloud accounts
Notes
Only Alibaba Cloud instances can be registered across accounts.
When you add an instance from another account, DMS requires the resource owner to have logged in to DMS.
Grant permissions
Before you register an instance across accounts, you must grant the required permissions to the RAM user. These permissions include managing DMS resources and registering specific types of database instances in DMS.
Assume that Alibaba Cloud account A needs to register a resource from Alibaba Cloud account B in the DMS tenant of account A. A RAM user that belongs to account B must perform the following operations in the RAM console:
1. Log on to the RAM console as a RAM user that belongs to the resource owner's Alibaba Cloud account B. This user must have the AliyunRAMFullAccess permission.
2. On the Roles page, create a RAM role and set a trust policy for account A. You can use one of the following methods:
Method 1: Visual editor
On the Create Role page, click Switch to Policy Editor.

On the Visual Editor tab, set Principal to Cloud Service and configure the following parameters:
Enter the UID of Alibaba Cloud account A in the Other Account text box.
Set the Cloud Service parameter to Data Management/DMS Enterprise.

Click OK.
Method 2: Script editor
On the Create Role page, click Switch To Policy Editor.

On the JSON tab, enter the policy.
Policy description: This trust policy allows the specified user to register instances and manage resources across accounts.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID of Alibaba Cloud account A>@dms.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Click OK.
3. On the Policies page, create a permission policy, such as DmsCrossAccountPolicy.
The access policy supports the following database types and connection types (VPC and leased line): Redis, PolarDB-X, OceanBase, Lindorm, Hologres, GDB, SelectDB, and ClickHouse Enterprise Edition.
Note: For RDS, PolarDB for MySQL, PolarDB for PostgreSQL, and PolarDB for PostgreSQL (Compatible with Oracle), you can skip Steps 3 and 4 and proceed directly to Step 5.
Example policy description: This policy lets you register a database in DMS over a VPC or leased line.
{
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
4. On the Roles page, grant the DmsCrossAccountPolicy permission to the role that you created in Step 2. For more information, see Grant permissions to a RAM role.
5. On the Roles page, click the role name. On the resulting page, copy the ARN.
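An added example, not part of the original documentation: a Python check that account B can run against the role's trust policy before handing the ARN to account A, confirming that only the DMS service principal for account A can assume the role. The function names, the sample UIDs and both sample policies are assumptions constructed for illustration.

```python
import json

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(policy_json, account_a_uid):
    """Return findings for a role trust policy; an empty list means only
    DMS acting for account A can assume the role."""
    expected = f"{account_a_uid}@dms.aliyuncs.com"
    findings, seen_expected = [], False
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: unexpected action(s) {actions}")
        for kind, values in stmt.get("Principal", {}).items():
            for principal in _as_list(values):
                if kind == "Service" and principal == expected:
                    seen_expected = True
                else:
                    findings.append(
                        f"statement {i}: unexpected principal {kind}={principal}")
    if not seen_expected:
        findings.append(f"missing expected principal {expected}")
    return findings

# Constructed sample inputs; the UIDs are placeholders, not real accounts.
ACCOUNT_A = "1111111111111111"
GOOD = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": [f"{ACCOUNT_A}@dms.aliyuncs.com"]}}]})
TOO_BROAD = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["2222222222222222@dms.aliyuncs.com"],
                  "RAM": ["acs:ram::2222222222222222:root"]}}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_trust_policy(doc, ACCOUNT_A) or "ok")
```

Any finding means the role trusts something other than DMS acting for account A, so review the trust policy before sharing the ARN.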

Register the instance
When user A registers a database, enter the role ARN.

Access instance resources across Alibaba Cloud accounts
To access instance resources in DMS across Alibaba Cloud accounts, follow these steps.
Prerequisites
The user who accesses the resource (User A) and the resource owner (Account B) must belong to different Alibaba Cloud accounts. Account B must also have a tenant in DMS.
Grant permissions to the accessor
1. Log on to the RAM console as a RAM user of Account B that has the AliyunRAMFullAccess permission.
2. On the Roles page, create a RAM role.
Note: In the Other Account section, enter the UID of Account A.

3. On the Roles page, grant the AliyunDMSLoginConsoleAccess permission to the role that you created in Step 2. This permission is required to log on to the DMS console. For more information, see Grant permissions to a RAM role.
Access DMS resources
1. Log on to the Alibaba Cloud Management Console as a RAM user of Account A that has the AliyunSTSAssumeRoleAccess permission.
2. In the upper-right corner, click your profile picture and switch your identity.
3. Enter the UID of Account B and the name of the RAM role that you created.
4. Click Submit.
5. After the role switch is complete, access Data Management DMS 5.0.
Note: When you access DMS, you are automatically assigned the role of a regular user. If you want to modify or export instance resources, you must apply for the required permissions in DMS.