Use DMS across Alibaba Cloud accounts

Updated at:
Copy as MD

In DMS, resources are isolated by Alibaba Cloud account. If you need to access resources in another Alibaba Cloud account's DMS tenant or register an instance from your account to another's, you must perform a cross-account operation. This topic describes how to access resources and register instances across accounts.

Register an instance across Alibaba Cloud accounts

Usage notes

  • You can only register Alibaba Cloud instances across accounts.

  • To register an instance across accounts, the resource owner must have previously logged in to DMS.

Grant permissions

Note

Before you register an instance across accounts, you must grant the RAM user permissions to manage DMS resources and the database instances you will register.

Assume that Account A wants to register a resource from Account B in Account A's DMS tenant. A RAM user from Account B must then perform the following steps in the RAM console:

  1. Log in to the RAM console as a RAM user in Account B with the AliyunRAMFullAccess permission.

  2. On the Roles page, create a RAM role and set a trust policy for Account A. You can use either of the following methods:

    Method 1: Visual editor

    1. On the Create Role page, click Switch to Policy Editor.

      For Select Trusted Entity, select Alibaba Cloud Account. The Switch to Policy Editor button is located on the right side of the prompt message at the bottom of the page.

    2. On the Visual Editor tab, for Principal, select Cloud Service. Configure the parameters as follows:

      • In the text box under Other Account, enter the UID of Account A.

      • For Cloud Service, select Data Management/DMSEnterprise.

    3. Click OK.

    Method 2: Script editor

    1. On the Create Role page, click Switch to Policy Editor.

    2. On the Script Editor tab, enter the following policy.

      This is a trust policy for cross-account instance registration that allows the DMS service, acting on behalf of Account A, to assume this role.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "<UID of Alibaba Cloud account A>@dms.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    3. Click OK.

  3. On the Policies page, create a custom permission policy. For example, name the policy DmsCrossAccountPolicy.

    The following database types and connection method are supported in the permission policy: Redis, PolarDB-X, OceanBase, Lindorm, Hologres, GDB, SelectDB, and ClickHouse Enterprise Edition.

    Note

    For RDS, PolarDB for MySQL, PolarDB for PostgreSQL, and PolarDB for PostgreSQL (Compatible with Oracle), you can skip Steps 3 and 4 and proceed to Step 5.

    The following are the required permission policies for each database type.

    Redis

    {
      "Statement": [
        {
          "Action": [
            "kvstore:DescribeSecurityIps",
            "kvstore:ModifySecurityIps",
            "kvstore:DescribeRegions",
            "kvstore:DescribeInstances",
            "kvstore:DescribeInstanceAttribute",
            "kvstore:DescribeInstanceConfig"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    PolarDB-X 1.0

    {
      "Statement": [
        {
          "Action": [
            "drds:DescribeDrdsInstances",
            "drds:QueryInstanceInfoByConn",
            "drds:DescribeDrdsInstanceList",
            "drds:DescribeDrdsDBIpWhiteList",
            "drds:ModifyDrdsIpWhiteList",
            "drds:DescribeDrdsInstanceVersion"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    PolarDB-X 2.0

    {
      "Statement": [
        {
          "Action": [
            "polardbx:DescribeDBInstances",
            "polardbx:DescribeSecurityIps",
            "polardbx:ModifySecurityIps",
            "polardbx:DescribeDBInstanceAttribute",
            "polardbx:DescribeDBInstanceViaEndpoint"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    OceanBase

    {
      "Statement": [
        {
          "Action": [
            "oceanbase:DescribeAllTenantsConnectionInfo",
            "oceanbase:DescribeInstances"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    Lindorm

    {
      "Statement": [
        {
          "Action": [
            "lindorm:GetLindormInstanceList",
            "lindorm:GetLindormInstance",
            "lindorm:GetLindormInstanceListForDMS",
            "lindorm:GetLindormInstanceForDMS",
            "lindorm:GetLindormInstanceForDMSByConnStr",
            "lindorm:GetInstanceIpWhiteList",
            "lindorm:UpdateInstanceIpWhiteList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    Hologres

    {
      "Statement": [
        {
          "Action": [
            "hologram:GetInstance",
            "hologram:ListInstances"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    GDB

    {
      "Statement": [
        {
          "Action": [
            "gdb:DescribeDbInstances"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    SelectDB

    {
      "Statement": [
        {
          "Action": [
            "selectdb:DescribeDBInstances",
            "selectdb:DescribeDBInstanceAttribute",
            "selectdb:DescribeDBInstanceNetInfo",
            "selectdb:DescribeSecurityIPList",
            "selectdb:ModifySecurityIPList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    ClickHouse Enterprise Edition

    {
      "Statement": [
        {
          "Action": [
            "clickhouse:DescribeDBClusters",
            "clickhouse:DescribeDBInstances",
            "clickhouse:DescribeDBInstanceAttribute",
            "clickhouse:DescribeEndpoints",
            "clickhouse:DescribeSecurityIPList",
            "clickhouse:ModifySecurityIPList"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }

    The following policy is an example for registering a database through a VPC.

    {
      "Statement": [
        {
          "Action": [
            "vpc:DescribeVpcs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
  4. On the Roles page, attach the DmsCrossAccountPolicy policy to the role that you created in Step 2. For more information, see Manage permissions for a RAM role.

  5. On the Roles page, click the role name and copy the ARN from the role details page.

Register the instance

When a user from Account A registers a database, they must enter the role ARN.

In the Register Database dialog box, in the Basic Information section, set Database Type to MySQL and configure Instance Region. Then, in the Cross-account role ARN field, enter the ARN you copied in Step 5.

Access cross-account instance resources

Note

If you need to access instance resources in DMS across Alibaba Cloud accounts, follow these steps.

Prerequisites

The accessor, User A, and the resource owner, User B, belong to different Alibaba Cloud accounts. User B's account must have an associated DMS tenant.

Grant permissions to the accessor

  1. Log in to the RAM console as a RAM user in the resource owner's account (Account B) with the AliyunRAMFullAccess permission.

  2. On the Roles page, create a RAM role.

    Note

    In the Other Account field, enter the UID of the accessor's account (Account A).

    In the Select Trusted Entity section, select Alibaba Cloud Account, and then click OK.

  3. On the Roles page, attach the AliyunDMSLoginConsoleAccess policy to the role that you created in Step 2. For more information, see Manage permissions for a RAM role.

Access DMS resources

  1. Log in to the Alibaba Cloud Management Console as a RAM user in Account A with the AliyunSTSAssumeRoleAccess permission.

  2. In the upper-right corner, click your profile picture to switch identity.

  3. Enter the UID of Alibaba Cloud account B (the resource owner) and the name of the role you created.

  4. Click Submit.

  5. After switching your identity, navigate to Data Management DMS 5.0.

    Note

    When you access DMS, DMS automatically sets you as a regular user. If you need to modify or export instance resources, you need to apply for additional resource permissions in DMS.

Related topics

Register an ApsaraDB instance