This topic describes how to configure RAM authorization for data migration from a user-created database in a VPC across different Alibaba Cloud accounts. After authorization, DTS can read data from a VPC that belongs to another Alibaba cloud account when you configure data migration. You can migrate data from a user-created database that is connected over Express Connect across different Alibaba Cloud accounts.
Prerequisites
Background information
The on-premises data center or a third-party cloud is connected to Alibaba Cloud VPC over Express Connect, VPN Gateway, or Smart Access Gateway. You need to migrate data from a user-created database that resides in an on-premises data center or a third-party cloud to an RDS instance across different Alibaba Cloud accounts. The following figure shows the architecture for this scenario.
Step 1: Create a RAM role and grant the default permission on DTS to the RAM role
- In the Create RAM Role pane, configure parameters for the RAM role.
Parameter Description RAM Role Name Specify a name for the RAM role. In this example, enter ram-for-dts. Note The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).Note Optional. Specify the description for the RAM role. Select Trusted Alibaba Cloud Account Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account to which the destination instance belongs. Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Account Management console by using this account. The account ID is displayed on the Security Settings page.
- In the Add Permissions pane, select System Policy and enter AliyunDTSRolePolicy.
Step 2: Authorize the RAM role to access the VPC under another Alibaba Cloud account
- Find the RAM role created in step 1, and click the role name.
- In the Add Permissions pane, enter AliyunVPCReadOnlyAccess in the search box and click the policy name to move the policy to the Selected section.
- Click Edit Trust Policy, and replace the policy text with the following sample statements.
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root" ], "Service": [ "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com" ] } } ], "Version": "1" }Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, you must log on to the Account Management console by using this account. The account ID is displayed on the Security Settings page. Then, you must replace the<ID of the Alibaba Cloud account to which the destination instance belongs>in the preceding statements with the account ID.