This topic describes how to configure RAM authorization for data migration from a
user-created database in a VPC across different Alibaba Cloud accounts. After authorization,
DTS can read data from a VPC that belongs to another Alibaba Cloud account when you
configure data migration. This lets you migrate data from a user-created database that is
connected over Express Connect even when the circuit and the destination instance belong
to different Alibaba Cloud accounts.
Prerequisites
The Alibaba Cloud account to which the Express Connect circuit belongs has authorized
the RAM role of DTS to access the cloud resources of the account. For more information,
see Authorize DTS to access cloud resources.
Background information
The on-premises data center or a third-party cloud is connected to Alibaba Cloud VPC
over Express Connect, VPN Gateway, or Smart Access Gateway. You need to migrate data
from a user-created database that resides in an on-premises data center or a third-party
cloud to an RDS instance across different Alibaba Cloud accounts. The following figure
shows the architecture for this scenario.
Note Before you can use DTS to migrate data from a user-created database in a VPC across
different Alibaba Cloud accounts, you must perform the following steps: configure
RAM authorization in the Alibaba Cloud account to which the Express Connect circuit
belongs (Account A), specify the Alibaba Cloud account to which the destination instance
belongs (Account B) as a trusted account, and then authorize Account B to access the
cloud resources of Account A. The RAM role is created and authorized in Account A; Account B
only needs to be trusted by that role.
Step 1: Create a RAM role and grant the default permission on DTS to the RAM role
- Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.
- In the left-side navigation pane, click RAM Roles.
- Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
- In the Create RAM Role pane, configure parameters for the RAM role.
Parameter | Description
RAM Role Name | Specify a name for the RAM role. In this example, enter ram-for-dts. Note: The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).
Note | Optional. Specify a description for the RAM role.
Select Trusted Alibaba Cloud Account | Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account to which the destination instance belongs (Account B). Note: To obtain this ID, log on to the Account Management console by using Account B. The account ID is displayed on the Security Settings page.
- Click OK.
- Click Input and Attach.
- In the Add Permissions pane, select System Policy and enter AliyunDTSRolePolicy.
- Click OK.
- Click Close.
Step 2: Authorize the RAM role to access the VPC under another Alibaba Cloud account
- Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.
- In the left-side navigation pane, click RAM Roles.
- Find the RAM role created in step 1, and click the role name.
- On the Basic Information page of the RAM role, click Add Permissions.
- In the Add Permissions pane, enter AliyunVPCReadOnlyAccess in the search box and click the policy name to move the policy to the Selected section.
- Click OK.
- On the Basic Information page of the RAM role, click the Trust Policy Management tab.
- Click Edit Trust Policy, and replace the policy text with the following sample statements. The RAM principal allows identities in Account B to assume the role, and the Service principal allows the DTS service, acting on behalf of Account B, to assume it. Do not widen either principal beyond Account B.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<ID of the Alibaba Cloud account to which the destination instance belongs>:root"
        ],
        "Service": [
          "<ID of the Alibaba Cloud account to which the destination instance belongs>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Note To obtain the ID of the Alibaba Cloud account to which the destination instance belongs (Account B),
log on to the Account Management console by using that account. The account ID is displayed on the
Security Settings page. Then, replace both occurrences of
<ID of the Alibaba Cloud account to which the destination instance belongs>
in the preceding statements with the account ID.
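Steps 1 and 2 together produce one trust policy on the role in Account A. The following Python script is an added example, not part of the Alibaba Cloud documentation or tooling: it builds that trust policy from Account B's ID and audits a trust policy document before you paste it into Edit Trust Policy, so that you can confirm the role is assumable only by identities in Account B and by DTS acting on behalf of Account B, and not by a wildcard or a third account. It assumes that Alibaba Cloud account IDs are 16 decimal digits; the account ID and the over-broad sample policy are constructed for the example.

```python
"""Build and audit the cross-account DTS trust policy (added example, not Alibaba Cloud's own tooling)."""
import json
import re

# Assumption: Alibaba Cloud account IDs are 16 decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")
RAM_PRINCIPAL_RE = re.compile(r"^acs:ram::(\d{16}):(.+)$")

# Constructed sample ID; replace with Account B's ID from the Security Settings page.
DEST_ACCOUNT_ID = "1234567890123456"


def build_trust_policy(dest_account_id: str) -> dict:
    """Trust policy for the role in Account A, mirroring the statement in Step 2."""
    if not ACCOUNT_ID_RE.match(dest_account_id):
        raise ValueError(f"expected a 16-digit account ID, got {dest_account_id!r}")
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [f"acs:ram::{dest_account_id}:root"],
                "Service": [f"{dest_account_id}@dts.aliyuncs.com"],
            },
        }],
        "Version": "1",
    }


def render(policy: dict) -> str:
    """JSON text in the form pasted into Edit Trust Policy."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(policy_text: str, dest_account_id: str) -> list[str]:
    """Return findings for every Allow statement that grants sts:AssumeRole.

    An empty list means the role can be assumed only by Account B's identities and by
    DTS acting on behalf of Account B, which is what the procedure intends.
    """
    findings = []
    expected_ram = f"acs:ram::{dest_account_id}:root"
    expected_service = f"{dest_account_id}@dts.aliyuncs.com"
    seen_ram = seen_service = False

    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any account may assume the role")
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                if value == "*":
                    findings.append(f"wildcard {ptype} principal: any account may assume the role")
                elif ptype == "RAM":
                    m = RAM_PRINCIPAL_RE.match(value)
                    if m is None:
                        findings.append(f"unparseable RAM principal {value!r}")
                    elif m.group(1) != dest_account_id:
                        findings.append(f"RAM principal from unexpected account {m.group(1)}")
                    else:
                        seen_ram = True
                elif ptype == "Service":
                    if value == expected_service:
                        seen_service = True
                    elif value == "dts.aliyuncs.com":
                        findings.append("service principal dts.aliyuncs.com is not scoped to Account B")
                    else:
                        findings.append(f"unexpected service principal {value!r}")
                else:
                    findings.append(f"unexpected principal type {ptype!r}")
    if not seen_ram:
        findings.append(f"missing RAM principal {expected_ram}")
    if not seen_service:
        findings.append(f"missing service principal {expected_service}")
    return findings


# Constructed over-broad policy: wildcard RAM principal plus an unscoped DTS service principal.
OVERLY_BROAD_POLICY = render({
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {"RAM": ["*"], "Service": ["dts.aliyuncs.com"]},
    }],
    "Version": "1",
})

if __name__ == "__main__":
    print(render(build_trust_policy(DEST_ACCOUNT_ID)))
    for finding in audit_trust_policy(OVERLY_BROAD_POLICY, DEST_ACCOUNT_ID):
        print("FINDING:", finding)
```

Run the audit against the trust policy text currently stored on the role whenever Account B's ID changes or someone edits the role; a non-empty finding list means the role is assumable by more than the one account the procedure trusts.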