
Data Transmission Service: Configure RAM authorization for cross-account DTS tasks

Last Updated: Jan 16, 2024

Data Transmission Service (DTS) allows you to migrate or synchronize data across different Alibaba Cloud accounts. This topic describes how to configure Resource Access Management (RAM) authorization for the Alibaba Cloud account to which the source or destination instance belongs before you configure cross-account DTS tasks.

Background information

Before you configure a cross-account DTS task, you must configure RAM authorization for the Alibaba Cloud account to which a database instance belongs (hereinafter referred to as Account A). You must specify the Alibaba Cloud account that is used to configure the DTS task (hereinafter referred to as Account B) as a trusted account and authorize Account B to access the cloud resources of Account A by using DTS.

Supported source instances

  • Alibaba Cloud database instances: ApsaraDB RDS for MySQL instances, ApsaraDB RDS for MariaDB TX instances, ApsaraDB RDS for PostgreSQL instances, PolarDB-X 1.0 instances, PolarDB for PostgreSQL (Compatible with Oracle) clusters, PolarDB for MySQL clusters, ApsaraDB for Redis instances, and ApsaraDB for MongoDB instances.

  • Self-managed databases: self-managed MySQL, PostgreSQL, Redis, MongoDB, Oracle, SQL Server, and Db2 for LUW databases that are connected over Express Connect, VPN Gateway, Smart Access Gateway, or Elastic Compute Service (ECS).

Supported destination instances

Only ApsaraDB RDS for MySQL instances are supported.

Prerequisites

  • Account A has authorized the RAM role of DTS to access its cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.

  • The IDs of Account A and Account B are obtained. To obtain the ID of an Alibaba Cloud account, log on to the Security Settings console by using this account. The Account ID is displayed on the Security Settings page.

Limits

  • Two-way synchronization across Alibaba Cloud accounts is supported only between ApsaraDB RDS for MySQL instances.

  • You cannot use DTS to synchronize data between accounts of different infrastructures, such as between an Alibaba Finance Cloud account and an Alibaba Gov Cloud account.

Procedure

  1. Create a RAM role for the database instance.

    Note
    • If you grant permissions to a RAM role by using a RAM user, an error message about invalid permissions may appear when you configure a DTS task.

    • For database instances that do not require cross-account operations, creating a RAM role is not necessary.

    1. Log on to the RAM console by using the Alibaba Cloud account to which the source or destination instance belongs.

    2. In the left-side navigation pane, choose Identities > Roles.

      Important

      Do not choose Identities > Users. Otherwise, DTS cannot access the instance, and an error will be reported.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.

    5. In the Configure Role step, configure the following parameters for the RAM role.

      Parameter: RAM Role Name

      Description: The name of the RAM role. In this example, ram-for-dts is used.

      Note

      The name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).

      Parameter: Note

      Description: Optional. The description of the RAM role.

      Parameter: Select Trusted Alibaba Cloud Account

      Description: Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account that is used to create the DTS task (Account B).

      Important
      • If the account that creates the synchronization task also owns the destination instance, its ID only needs to be specified by the account to which the source instance belongs.

      • If the account that creates the synchronization task also owns the source instance, its ID only needs to be specified by the account to which the destination instance belongs.

      • If the account that creates the synchronization task owns neither the source nor the destination instance, its ID needs to be specified by both the account to which the source instance belongs and the account to which the destination instance belongs.

    6. Click OK.

  2. Grant permissions to the created RAM role.

    1. Click Input and Attach.

    2. In the Add Permissions panel, select System Policy for Type.

    3. In the Policy Name field, enter AliyunDTSRolePolicy.

    4. Click OK.

    5. After you grant the permissions, click Close.

  3. Modify the trust policy.

    1. On the RAM Roles page, find the RAM role that you created, and click the role name to view details.

    2. On the Basic Information page of the RAM role, click the Trust Policy Management tab.

    3. On the page that appears, click Edit Trust Policy.

    4. Copy the following code to the code editor:

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::<ID of the Alibaba Cloud account>:root"
                      ],
                      "Service": [
                          "<ID of the Alibaba Cloud account>@dts.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    5. In the preceding code, replace <ID of the Alibaba Cloud account> in both the RAM and Service principals with the ID of the Alibaba Cloud account that is used to create the DTS task (Account B).

    6. Click OK.
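As an added example (not Alibaba Cloud's or DTS's own tooling), the following Python builds the trust policy shown above for a given Account B, audits an existing trust policy so that it trusts exactly that account's root principal and its DTS service principal and nothing wider, and encodes the three cases from the Important note on which account owners must specify Account B. The account IDs used with it are constructed placeholders.

```python
# Added example, not Alibaba Cloud's own code: build the trust policy from this
# topic for a given Account B and audit an existing one. IDs are placeholders.
import json

DTS_SERVICE_SUFFIX = "@dts.aliyuncs.com"


def accounts_that_must_trust(task_account, source_owner, dest_owner):
    """Owners that must put Account B in a role trust policy (Important note)."""
    return frozenset(o for o in (source_owner, dest_owner) if o != task_account)


def build_dts_trust_policy(task_account_id):
    """Return the topic's trust policy JSON with Account B's ID filled in."""
    if not task_account_id.isdigit():
        raise ValueError("Alibaba Cloud account IDs are numeric")
    policy = {"Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
            "RAM": [f"acs:ram::{task_account_id}:root"],
            "Service": [f"{task_account_id}{DTS_SERVICE_SUFFIX}"],
        },
    }], "Version": "1"}
    return json.dumps(policy, indent=4)


def check_dts_trust_policy(policy_json, task_account_id):
    """Return findings; an empty list means the role trusts exactly Account B."""
    expected = {"RAM": f"acs:ram::{task_account_id}:root",
                "Service": f"{task_account_id}{DTS_SERVICE_SUFFIX}"}
    findings, seen = [], set()
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue  # not an assume-role grant, irrelevant to who can assume
        principal = stmt.get("Principal", {})
        # Every principal must be exactly Account B; anything else is a finding.
        for kind, want in expected.items():
            for p in principal.get(kind, []):
                if p == want:
                    seen.add(kind)
                else:
                    findings.append(f"unexpected {kind} principal: {p}")
    for kind in expected:
        if kind not in seen:
            findings.append(f"expected {kind} principal for Account B is missing")
    return findings
```

Run the check against the trust policy pasted into the console editor before saving; a non-empty result means the role either does not trust Account B or trusts more than it.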

What to do next

After you grant permissions to the RAM role, you can create a task that migrates or synchronizes data across Alibaba Cloud accounts. For more information, see Overview of data synchronization scenarios, Overview of data migration scenarios, and Overview of change tracking scenarios.

Important

To create a task, you must log on to the DTS console by using the Alibaba Cloud account whose ID is configured in the trust policy (Account B).

Troubleshooting

The following list describes the common alert messages and the corresponding solutions when you configure the source instance. The alert messages are shown as screenshots in the original topic; only their captions are reproduced here.

Alert message: UID error (screenshot)

Solution: The value of the Alibaba Cloud Account parameter is invalid. Check whether you entered a valid ID of the Alibaba Cloud account to which the source or destination instance belongs. For more information, see Preparations.

Alert message: role name error (screenshot)

Solution: Possible causes:

  • The value of the RAM Role Name parameter is invalid. Check whether you entered a valid RAM role name of the Alibaba Cloud account to which the source or destination instance belongs.

  • The required permissions are not granted to the RAM role. Use the Alibaba Cloud account to which the source or destination instance belongs to grant permissions.

  Note

  For more information, see Preparations.

Alert message: RAM (screenshot)

Solution: Possible causes:

  • The value of the RAM Role Name parameter is invalid. Check whether you entered a valid RAM role name of the Alibaba Cloud account to which the source or destination instance belongs.

  • The required permissions are not granted to the RAM role. Check whether you have granted the required permissions to the RAM role.

  • The trust policy of the RAM role is not modified. Check whether you have correctly modified the trust policy of the RAM role.

  Note

  For more information, see Preparations.

Alert message: no permission (screenshot)

Solution: The RAM role that you specify in the RAM Role Name parameter has not been granted permissions by clicking Input and Attach on the Roles page in the RAM console. Grant the required permissions to the RAM role by clicking Input and Attach on the Roles page, and then create the task again. For example, you must grant the required permissions to the RAM role of the Alibaba Cloud account to which the source instance belongs. For information about how to grant permissions to a RAM role, see the "Grant permissions to an existing RAM role" section of this topic.

Grant permissions to an existing RAM role

  1. Log on to the RAM console by using the Alibaba Cloud account to which the source instance belongs.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. Enter the name of the RAM role in the search box to the right of Create Role.

  4. Find the RAM role and click Input and Attach in the Actions column.

  5. In the Add Permissions panel, set the Policy Name parameter to AliyunDTSRolePolicy.

    Note

    By default, the Type parameter is set to System Policy.

  6. Click OK.