
Data Transmission Service: How to configure RAM authorization for data transmission from a self-managed database in a VPC across Alibaba Cloud accounts

Last Updated:Mar 30, 2026

This topic describes how to configure Resource Access Management (RAM) authorization so that Data Transmission Service (DTS) can migrate or synchronize data from a self-managed database — connected to an Alibaba Cloud virtual private cloud (VPC) via Express Connect, VPN Gateway, or Smart Access Gateway — to a cloud database owned by a different Alibaba Cloud account.

The setup involves two accounts:

| Account | Role |
| --- | --- |
| Account A | Owns the Express Connect circuit and the VPC |
| Account B | Owns the destination database instance |

Account A grants Account B (and the DTS service) permission to read its VPC resources. After authorization, Account B can use DTS to run cross-account migration or synchronization tasks.

Background information

Limits

The self-managed database in the VPC can only be the source database in a cross-account DTS task. Using it as the destination is not supported.

For supported database types, see the Supported databases section in "Configure RAM authorization for cross-account DTS tasks".

Prerequisites

Before you begin, make sure that:

Important

Complete all steps in this topic using the Alibaba Cloud account (root account), not a RAM user. RAM user grants cause DTS to return an invalid permissions error because DTS must call STS AssumeRole on a role principal — not a user principal.

Step 1: Create a RAM role and grant the DTS default permission

All steps in this section are performed in Account A (the Express Connect circuit owner).

  1. Log in to the RAM console using Account A.

  2. In the left-side navigation pane, choose Identities > Roles.

    Important

    Do not choose Identities > Users. Using a user identity prevents DTS from accessing the database instance and causes an error.


  3. On the Roles page, click Create Role.


  4. In the Create Role panel, complete the following settings:

    1. Set Principal Type to Cloud Account.

    2. Set Principal Name to Other Account, then enter the account ID of Account A (the account that owns the source instances).

    3. Click OK.

    4. Enter a role name and click OK. In this example, the role name is ram-for-dts.

  5. On the Permissions tab, click Precise Permission.


  6. In the Precise Permission panel, complete the following settings:

    1. Set Policy Type to System Policy.

    2. Enter AliyunDTSRolePolicy in the Policy Name field.

       Note

       AliyunDTSRolePolicy is the default system policy that grants DTS the permissions required to perform data migration and synchronization tasks.

    3. Click OK.

  7. Click the refresh icon on the Permissions tab to verify that the permission was granted.


Step 2: Authorize the RAM role to access the VPC

All steps in this section are also performed in Account A.

  1. Log in to the RAM console using Account A.

  2. In the left-side navigation pane, choose Identities > Roles.


  3. Find the RAM role created in Step 1 and click the role name.

  4. On the Permissions tab, click Grant Permission.

  5. In the Grant Permission panel, complete the following settings:

    1. Set Resource Scope to Account. For more information, see Grant permissions to a RAM role.

    2. In the Policy section, select System Policy from the drop-down list.

    3. Search for AliyunVPCReadOnlyAccess and select it.

       Note

       AliyunVPCReadOnlyAccess allows DTS to read VPC and subnet metadata to locate your Express Connect, VPN Gateway, or Smart Access Gateway connection.

    4. Click Grant permissions, then click Close.

  6. Modify the trust policy of the RAM role:

    1. Click the Trust Policy tab.

    2. Click Edit Trust Policy.

    3. Replace the existing policy with the following:

       ```json
       {
         "Statement": [
           {
             "Action": "sts:AssumeRole",
             "Effect": "Allow",
             "Principal": {
               "RAM": [
                 "acs:ram::<Alibaba Cloud account ID>:root"
               ],
               "Service": [
                 "<Alibaba Cloud account ID>@dts.aliyuncs.com"
               ]
             }
           }
         ],
         "Version": "1"
       }
       ```

    4. Replace both instances of <Alibaba Cloud account ID> with the account ID of Account B (the destination database owner).

    5. Click OK.

    If <Alibaba Cloud account ID>@dts.aliyuncs.com in the Service field is automatically changed to dts.aliyuncs.com after you save, the account ID is invalid. Verify the account ID and try again.
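The check below is an added example, not part of the original documentation: it validates a saved trust policy against the two principals Step 2 requires and flags the case described above where the Service entry is saved as dts.aliyuncs.com. The function names and the account ID are constructed for illustration, and the policy JSON is assumed to be copied from the Trust Policy tab.

```python
import json

# Constructed sample values: placeholder account ID, not a real account.
ACCOUNT_B = "1234567890123456"
GOOD_POLICY = json.dumps({
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {
        "RAM": [f"acs:ram::{ACCOUNT_B}:root"],
        "Service": [f"{ACCOUNT_B}@dts.aliyuncs.com"],
    }}],
    "Version": "1",
})
# What the page says is saved when the account ID is invalid.
COLLAPSED_POLICY = GOOD_POLICY.replace(f"{ACCOUNT_B}@dts.aliyuncs.com", "dts.aliyuncs.com")


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def check_dts_trust_policy(policy_json, account_b_id):
    """Return a list of findings; an empty list means the policy matches Step 2."""
    want_ram = f"acs:ram::{account_b_id}:root"
    want_svc = f"{account_b_id}@dts.aliyuncs.com"
    allows = [s for s in json.loads(policy_json).get("Statement", [])
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    ram, svc = [], []
    for s in allows:
        principal = s.get("Principal", {})
        ram += as_list(principal.get("RAM"))
        svc += as_list(principal.get("Service"))
    findings = []
    if want_ram not in ram:
        findings.append(f"missing RAM principal {want_ram}")
    if want_svc not in svc:
        findings.append(f"missing Service principal {want_svc}")
    for p in ram + svc:
        if "<" in p:
            findings.append(f"placeholder not replaced: {p}")
        elif p == "dts.aliyuncs.com":
            findings.append("Service principal has no account ID prefix; verify the account ID")
        elif p not in (want_ram, want_svc):
            findings.append(f"unexpected principal trusted: {p}")
    return findings
```

An empty result means only Account B and its DTS service principal can assume the role; any finding should be resolved before configuring the task in Account B.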

Configure a DTS task

The following steps show how to configure a synchronization task using Account B (the destination instance owner).

  1. Log in to the DTS console or DMS console using Account B.

    DTS console

    1. Log in to the DTS console.

    2. In the left-side navigation pane, click Data Synchronization.

    3. In the upper-left corner, select the region where the data synchronization instance resides.

    DMS console

    Note

    The actual steps may vary based on your DMS console mode and layout. For more information, see Simple mode and Customize the layout and style of the DMS console.

    1. Log in to the DMS console.

    2. In the top navigation bar, move the pointer over Data + AI and choose DTS (DTS) > Data Synchronization.

    3. From the drop-down list next to Data Synchronization Tasks, select the region where the data synchronization instance resides.

  2. Click Create Task to go to the task configuration page.

  3. On the Configurations for Source and Destination Databases page, configure the source database. The following table describes the parameters:

    | Parameter | Description |
    | --- | --- |
    | Select Existing Connection | This parameter is not set in this example. |
    | Database Type | Select based on your database type. |
    | Access Method | Select Express Connect, VPN Gateway, or Smart Access Gateway. |
    | Instance Region | Select the region where the source database resides. |
    | Replicate Data Across Alibaba Cloud Accounts | Select Yes. |
    | Alibaba Cloud Account | Enter the account ID of Account A (the VPC owner). |
    | RAM Role Name | Enter the name of the RAM role created in Step 1. In this example, enter ram-for-dts. |
    | Connected VPC | Select the VPC that contains your Express Connect, VPN Gateway, or Smart Access Gateway connection. If an error occurs, see the Common errors section in "Configure a DTS task across Alibaba Cloud accounts". |

  4. Configure the remaining parameters based on your requirements and the related topics.