This topic describes how to configure Resource Access Management (RAM) authorization for data migration or synchronization from a self-managed database in a virtual private cloud (VPC) across different Alibaba Cloud accounts. After RAM authorization is complete, Data Transmission Service (DTS) can read data from a VPC that belongs to another Alibaba Cloud account when you configure a data migration or synchronization task. You can migrate or synchronize data from a self-managed database that is connected over Express Connect across different Alibaba Cloud accounts.
Prerequisites
The Alibaba Cloud account to which the Express Connect circuit belongs has authorized the RAM role of DTS to access its cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.
You have logged on with the Alibaba Cloud account to which the source or destination instance belongs and obtained its account ID from the Security Settings page.
Background
An on-premises database or a database hosted on a third-party cloud is connected to an Alibaba Cloud VPC over Express Connect, VPN Gateway, or Smart Access Gateway. You need to synchronize or migrate data from the on-premises database or the database hosted on the third-party cloud to a cloud database of an Alibaba Cloud account over the VPC.
Before you can use DTS to synchronize or migrate data from a self-managed database in a VPC across different Alibaba Cloud accounts, you must perform the following steps: Configure RAM authorization for the Alibaba Cloud account to which the Express Connect circuit belongs (Account A), specify the Alibaba Cloud account to which the destination instance belongs (Account B) as a trusted account, and then authorize Account B to access the cloud resources of Account A.
Usage notes
You can synchronize or migrate data from a self-managed database in a VPC over Express Connect, VPN Gateway, or Smart Access Gateway across Alibaba Cloud accounts when the self-managed database is used as the source database. If the self-managed database is used as the destination database, you cannot synchronize or migrate data to the self-managed database in the VPC across Alibaba Cloud accounts. For more information about supported databases, see the section Supported databases in the topic "Configure RAM authorization for cross-account DTS tasks".
Step 1: Create a RAM role and grant the default permission on DTS to the RAM role
Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.
Important: If you grant permissions to a RAM role as a RAM user, an error message that indicates invalid permissions may appear when you configure a DTS task.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
On the Roles page, click Create Role.
In the Create Role panel, perform the following steps.
Set the Principal Type parameter to Cloud Account.
Set the Principal Name parameter to Other Account, and enter the ID of the Alibaba Cloud account to which the destination instance belongs (Account B). This is the account that will be trusted to assume the role; entering the source account here would trust the wrong principal and the DTS task configured from Account B would fail.
Click OK.
In the Create Role panel that appears, enter a role name and click OK. In this example, ram-for-dts is specified.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, perform the following steps:
Set the Policy Type parameter to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click the refresh icon on the right side of the Permissions tab to refresh the page, and check that the required permissions are granted.
Step 2: Authorize the RAM role to access the VPC within another Alibaba Cloud account
Log on to the RAM console by using the Alibaba Cloud account to which the Express Connect circuit belongs.
Important: If you grant permissions to a RAM role as a RAM user, an error message that indicates invalid permissions may appear when you configure a DTS task.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find the RAM role that you created in Step 1 and click the role name.
Grant permissions to the RAM role.
On the Permissions tab, click Grant Permission.
In the Grant Permission panel, perform the following steps:
Configure the Resource Scope parameter.
In this example, Account is selected. For more information, see Grant permissions to a RAM role.
In the Policy section, select System Policy from the drop-down list.
Configure the Policy parameter.
Enter AliyunVPCReadOnlyAccess in the search box and click the search icon. Select the policy name to add it to the Selected Policy section.
Click Grant permissions.
After you grant the permissions, click Close.
Modify the trust policy of the RAM role.
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace both occurrences of <Alibaba Cloud account ID> in the sample code with the ID of the Alibaba Cloud account to which the destination database belongs (Account B), and click OK.
If the "<Alibaba Cloud account ID>@dts.aliyuncs.com" entry in the Service section is automatically changed to "dts.aliyuncs.com" after you save the trust policy, the account ID you entered is invalid. The saved policy then no longer carries the destination account ID in its Service principal, so do not leave it in that state: re-enter the correct ID and save the trust policy again.
Note: For more information about the Alibaba Cloud account that is used to log on to the RAM console and the Alibaba Cloud account that is specified in the trust policy, see Account information of this topic.
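The following script is an added example and is not part of the original Alibaba Cloud documentation. It generates the Step 2 trust policy for a given destination account ID and then checks a saved trust policy for the problems the procedure warns about: a Service principal that collapsed to a bare "dts.aliyuncs.com" (the sign that the account ID was rejected), RAM and Service principals that name different accounts, or an Action other than sts:AssumeRole. The function names, the 16-digit account ID format check, and the COLLAPSED_SAMPLE policy text are assumptions constructed for this example, not values captured from a real console.

```python
"""Build and validate the cross-account DTS trust policy from Step 2.

Added example, not part of the original documentation. Assumptions:
Alibaba Cloud account IDs are 16-digit numbers, and the
"<account ID>@dts.aliyuncs.com" service principal is the entry that ties
the role to DTS tasks of that one account.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"\d{16}")  # assumption: 16-digit account IDs
DTS_SERVICE = "dts.aliyuncs.com"

# Constructed sample of what the console leaves behind when the account ID
# was invalid: the Service principal has lost its "<ID>@" prefix.
COLLAPSED_SAMPLE = """{
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {
      "RAM": ["acs:ram::1234567890123456:root"],
      "Service": ["dts.aliyuncs.com"]
    }
  }],
  "Version": "1"
}"""


def is_valid_account_id(account_id: str) -> bool:
    """True if the string looks like an Alibaba Cloud account ID."""
    return ACCOUNT_ID_RE.fullmatch(account_id) is not None


def build_trust_policy_json(destination_account_id: str) -> str:
    """Return the Step 2 trust policy for Account B (the destination
    account) with both <Alibaba Cloud account ID> placeholders filled."""
    if not is_valid_account_id(destination_account_id):
        raise ValueError(f"not a 16-digit account ID: {destination_account_id!r}")
    policy = {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [f"acs:ram::{destination_account_id}:root"],
                "Service": [f"{destination_account_id}@{DTS_SERVICE}"],
            },
        }],
        "Version": "1",
    }
    return json.dumps(policy, indent=2)


def check_trust_policy(policy_text: str, expected_account_id: str) -> list:
    """Return a list of problems found in a saved trust policy; [] means OK."""
    problems = []
    statements = json.loads(policy_text).get("Statement", [])
    if not statements:
        problems.append("no Statement: nobody can assume the role")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            problems.append(f"unexpected Action {actions}; expected only sts:AssumeRole")
        principal = stmt.get("Principal", {})
        services = principal.get("Service", [])
        if not services:
            problems.append("no Service principal: DTS cannot assume the role")
        for svc in services:
            if svc == DTS_SERVICE:
                problems.append("Service principal is unscoped 'dts.aliyuncs.com': "
                                "the account ID was rejected on save; re-enter it")
            elif svc != f"{expected_account_id}@{DTS_SERVICE}":
                problems.append(f"Service principal {svc!r} does not name account "
                                f"{expected_account_id}")
        for arn in principal.get("RAM", []):
            match = re.fullmatch(r"acs:ram::(\d+):root", arn)
            if match is None or match.group(1) != expected_account_id:
                problems.append(f"RAM principal {arn!r} is not "
                                f"acs:ram::{expected_account_id}:root")
    return problems


if __name__ == "__main__":
    dest = "1234567890123456"  # constructed destination account ID
    good = build_trust_policy_json(dest)
    print(good)
    print("good policy problems:", check_trust_policy(good, dest))
    print("collapsed policy problems:", check_trust_policy(COLLAPSED_SAMPLE, dest))
```

Run the script, or paste the trust policy text that the console shows after saving into check_trust_policy together with the destination account ID; an empty list means the policy matches what Step 2 intends, and any "unscoped" finding means the save silently dropped the account scoping and the ID must be corrected.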
Configure a DTS task
In this example, a synchronization task is configured to show how to configure a DTS task across Alibaba Cloud accounts.
Access the Configurations for Source and Destination Databases page by using the Alibaba Cloud account to which the destination instance belongs.
Use one of the following methods to go to the Data Synchronization page and select the region in which the data synchronization instance resides.
DTS console
Log on to the DTS console.
In the left-side navigation pane, click Data Synchronization.
In the upper-left corner of the page, select the region in which the data synchronization instance resides.
DMS console
Note: The actual operations may vary based on the mode and layout of the DMS console. For more information, see Simple mode and Customize the layout and style of the DMS console.
Log on to the DMS console.
In the top navigation bar, move the pointer over Data + AI and choose .
From the drop-down list to the right of Data Synchronization Tasks, select the region in which the data synchronization instance resides.
Click Create Task to go to the task configuration page.
Configure a source database.
The following table describes the key parameters (Parameter: Description):
Select Existing Connection: This parameter is not set in this example.
Database Type: Select one based on your business requirements.
Access Method: Select Express Connect, VPN Gateway, or Smart Access Gateway.
Instance Region: Select one based on your business requirements.
Replicate Data Across Alibaba Cloud Accounts: Select Yes.
Alibaba Cloud Account: Enter the ID of the Alibaba Cloud account that owns the source database (Account A, the account to which the Express Connect circuit belongs).
RAM Role Name: The name of the RAM role that was created by using the Alibaba Cloud account to which the source database belongs. In this example, enter the RAM role name created in Step 1, ram-for-dts.
Connected VPC: Select one based on your business requirements.
Note: If an error occurs when you set the Connected VPC parameter for the source database, see the section Common errors in the topic "Configure a DTS task across Alibaba Cloud accounts".
Refer to the related topics and configure other parameters based on your business requirements.