Same-region replication (SRR) across accounts allows the automatic and asynchronous (near real-time) replication of Object Storage Service (OSS) objects from a bucket in a region to another bucket in the same region across Alibaba Cloud accounts. Operations, such as the creation, update, and deletion of objects, can be replicated from a source bucket to a destination bucket. This topic describes how to perform SRR across accounts.
Prerequisites
Bucket A, which works as the source bucket of an SRR task, is created in a region within Account A. The UID of Account A, the name of Bucket A, and the region in which Bucket A is located are recorded.
Bucket B, which works as the destination bucket of the SRR task, is created in the same region within Account B. The UID of Account B and the name of Bucket B are recorded.
Use the OSS console
Use Account A to perform the following operations:
Create a normal service role.
ImportantYou can create a role by using a RAM user. The RAM user must have the following permissions:
ram:CreateRole,ram:GetRole,ram:ListPoliciesForRole, andram:AttachPolicyToRole. However, it is risky to grant a RAM user permissions such asram:CreateRoleandram:GetRole. You can use the Alibaba Cloud account with which the RAM user is associated to create a RAM role and grant the required permissions to the RAM role. Then, the RAM user can assume the RAM role that is created by the Alibaba Cloud account.When you create a normal service role, set Select Trusted Entity to Alibaba Cloud Service, Role Type to Normal Service Role, and Select Trusted Service to OSS. For more information, see Create a regular service role.
Grant the RAM role the permissions to perform SRR on the source bucket.
You can use one of the following methods to grant the permissions to the RAM role:
Attach the required system policy to the RAM role
WarningAttach the
AliyunOSSFullAccesssystem policy to the RAM role. The RAM role to which theAliyunOSSFullAccesssystem policy is attached has the permissions to perform all operations on all buckets within the current Alibaba Cloud account. Exercise caution when you attach the system policy to the RAM role.For more information, see Grant permissions to a RAM role.
Attach a custom policy to the RAM role
You can use a RAM policy to grant the RAM role the minimum permissions required to perform SRR on the source bucket.
NoteReplace src-bucket with the name of the source bucket based on your business requirements.
{ "Version":"1", "Statement":[ { "Effect":"Allow", "Action":[ "oss:ReplicateList", "oss:ReplicateGet" ], "Resource":[ "acs:oss:*:*:src-bucket", "acs:oss:*:*:src-bucket/*" ] } ] }For more information, see Grant permissions to a RAM role.
Use Account B to grant the RAM role the permissions to receive the objects that you want to replicate to the destination bucket.
Method 1: (Recommended) Add in GUI
Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.
In the left-side navigation tree, choose .
On the Bucket Policy tab, click Add in GUI and then click Receive Objects to Replicate.
In the Receive Objects to Replicate panel, set Obtain UID and RAM Role From to Source RAM role ARN for replication, and select the ARN of the RAM role that you created in Step 1 for Source RAM Role ARN for Replication.
Click Generate Policy.
Method 2: Add by Syntax
In the left-side navigation tree, choose Permission Control > Bucket Policy.
On the Bucket Policy tab, click Add by Syntax and then click Edit.
In the code editor, enter the following bucket policy.
ImportantIf you configure a bucket policy by specifying policy statements to grant the RAM role the required permissions, the new bucket policy overwrites the existing bucket policy. Make sure that the new bucket policy contains the content of the existing bucket policy. Otherwise, the authorization of the existing bucket policy may fail.
Replace the custom role name with the name of the role that you created based on your business requirements. If the created role name contains uppercase letters, you need to convert them to lowercase letters. For example, if the created role name is AliyunOssDrsRole, you need to convert AliyunOssDrsRole to aliyunossdrsrole. In the following example, the name of the destination bucket is dest-bucket, the UID of the account to which the source bucket belongs is 137918634953xxxx, and the UID of the account to which the destination bucket belongs is 111933544165xxxx.
{ "Version": "1", "Statement": [{ "Effect": "Allow", "Action": [ "oss:ReplicateList", "oss:ReplicateGet", "oss:ReplicatePut", "oss:ReplicateDelete" ], "Principal": [ "arn:sts::137918634953xxxx:assumed-role/aliyunossdrsrole/*" ], "Resource": [ "acs:oss:*:111933544165xxxx:dest-bucket", "acs:oss:*:111933544165xxxx:dest-bucket/*" ] }] }Click Save. In the message that appears, click OK.
Create an SRR rule for the source bucket by using Account A.
Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, click src-bucket.
In the left-side navigation tree, choose .
On the SRR tab, click SRR.
In the SRR panel, configure the parameters. The following table describes the parameters.
Section
Parameter
Description
Configure Destination Bucket
Source Bucket
The region and name of the source bucket are displayed.
Destination Bucket
Select Specify a bucket that belongs to another Alibaba Cloud account and enter the name of the destination bucket.
Configure Replication Policy
Objects to Replicate
Select the objects that you want to replicate to the destination bucket. Valid values:
All Objects in Source Bucket: OSS replicates all objects from the source bucket to the destination bucket.
Objects with Specified Prefix: OSS replicates the objects whose names contain a specific prefix from the source bucket to the destination bucket. You can specify up to 10 prefixes.
Replication Policy
Configure the data replication mode. Valid values:
Add/Change: OSS replicates only object creation and update operations from the source bucket to the destination bucket.
Add/Delete/Change: OSS replicates object creation, update, and deletion operations from the source bucket to the destination bucket.
If you perform multipart upload to upload an object to the source bucket, each uploaded part is replicated to the destination bucket. The complete object that is obtained by calling the CompleteMultipartUpload operation is also replicated to the destination bucket.
For more information about how to configure SRR for objects in versioning-enabled buckets, see Use data replication with versioning.
Replicate Historical Data
Specify whether to replicate historical data (data that exists in the source bucket before you enable SRR) to the destination bucket. Valid values:
Yes: Historical data is replicated to the destination bucket.
ImportantWhen historical data is replicated, objects that are replicated from the source bucket may overwrite objects that have the same names in the destination bucket. To prevent data loss, we recommend that you enable versioning for the source and destination buckets.
No: OSS replicates only objects that are uploaded or updated after you enable SRR to the destination bucket.
RAM Role Name
Select the RAM role that you created in Step 1 from the drop-down list.
Click OK. In the message that appears, click Enable.
After you create an SRR rule, you cannot modify or delete the rule.
After you create an SRR rule, the replication task starts in 3 to 5 minutes. You can view the replication progress on the SRR tab of the source bucket.
In SRR, data is asynchronously replicated. The period of time that is required to replicate data from the source bucket to the destination bucket varies based on the amount of data. The period of time may range from a few minutes to a few hours.
Use OSS SDKs
SRR across accounts is supported only by using OSS SDK for Java, OSS SDK for Python, and OSS SDK for Go.
Java
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.AddBucketReplicationRequest;
public class Demo {
public static void main(String[] args) throws Exception {
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// We recommend that you do not save access credentials in the project code. Otherwise, access credentials may be leaked. As a result, the security of all resources in your account is compromised. In this example, access credentials are obtained from environment variables. Before you run the sample code, make sure that the environment variables are configured.
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
// Specify the name of the source bucket. Example: src-bucket.
String bucketName = "src-bucket";
// Specify the name of the destination bucket. The destination bucket and the source bucket must belong to different Alibaba Cloud accounts.
String targetBucketName = "dest-bucket";
// Specify the region in which the destination bucket is located. The source and destination buckets must be located in the same region.
String targetBucketLocation = "oss-cn-hangzhou";
// Create an OSSClient instance.
OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
try {
AddBucketReplicationRequest request = new AddBucketReplicationRequest(bucketName);
request.setTargetBucketName(targetBucketName);
request.setTargetBucketLocation(targetBucketLocation);
// Specify whether to replicate historical data. By default, historical data is replicated. In this example, this parameter is set to false, which indicates that historical data is not replicated.
request.setEnableHistoricalObjectReplication(false);
// Specify the name of the RAM role that you want OSS to use to replicate data. The RAM role must have the permissions to perform SRR on the source bucket and receive replicated objects in the destination bucket.
request.setSyncRole("yourRole");
//List prefixes = new ArrayList();
//prefixes.add("image/");
//prefixes.add("video");
//prefixes.add("a");
//prefixes.add("A");
// Specify the prefixes that are contained in the names of the objects that you want to replicate. After you specify the prefixes, only objects whose names contain one of the prefixes are replicated to the destination bucket.
//request.setObjectPrefixList(prefixes);
//List actions = new ArrayList();
//actions.add(AddBucketReplicationRequest.ReplicationAction.ALL);
// Specify the operations that you want to replicate to the destination bucket. The default value is ALL. This indicates that all operations performed on the objects in the source bucket are replicated to the destination bucket.
//request.setReplicationActionList(actions);
ossClient.addBucketReplication(request);
} catch (OSSException oe) {
System.out.println("Caught an OSSException, which means your request made it to OSS, "
+ "but was rejected with an error response for some reason.");
System.out.println("Error Message:" + oe.getErrorMessage());
System.out.println("Error Code:" + oe.getErrorCode());
System.out.println("Request ID:" + oe.getRequestId());
System.out.println("Host ID:" + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message:" + ce.getMessage());
} finally {
if (ossClient != null) {
ossClient.shutdown();
}
}
}
} Python
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
from oss2.models import ReplicationRule
# Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
# Specify the name of the source bucket. Example: src-bucket.
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'src-bucket')
replica_config = ReplicationRule(
# Specify the name of the destination bucket. The source and destination buckets must belong to different Alibaba Cloud accounts.
target_bucket_name='dest-bucket',
# Specify the region in which the destination bucket is located. The source and destination buckets must be located in the same region.
target_bucket_location='oss-cn-hangzhou',
# Specify the name of the RAM role that you want OSS to use to replicate data. The RAM role must have the permissions to perform SRR on the source bucket and receive replicated objects in the destination bucket.
sync_role_name='yourRole',
)
# Specify the prefixes that are contained in the names of the objects that you want to replicate. After you specify the prefixes, only objects whose names contain one of the prefixes are replicated to the destination bucket.
# prefix_list = ['prefix1', 'prefix2']
# Specify the data replication rule.
# replica_config = ReplicationRule(
# prefix_list=prefix_list,
# Specify the operations that you want to replicate to the destination bucket. The default value is ALL. This indicates that all operations performed on the objects in the source bucket are replicated to the destination bucket.
# action_list=[ReplicationRule.ALL],
# Specify the name of the destination bucket. The source and destination buckets must belong to different Alibaba Cloud accounts.
# target_bucket_name='dest-bucket',
# Specify the region in which the destination bucket is located. The source and destination buckets must be located in the same region.
# target_bucket_location='oss-cn-hangzhou',
# Specify whether to replicate historical data. By default, historical data is replicated. In this example, this parameter is set to False, which indicates that historical data is not replicated.
# is_enable_historical_object_replication=False,
#)
# Enable data replication.
bucket.put_bucket_replication(replica_config)Go
package main
import (
"encoding/xml"
"fmt"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
"os"
)
func HandleError(err error) {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Enable data replication.
func main() {
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
provider, err := oss.NewEnvironmentVariableCredentialsProvider()
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Create an OSSClient instance.
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint.
client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
if err != nil {
fmt.Println("Error:", err)
os.Exit(-1)
}
// Specify the name of the source bucket.
srcbucketName := "yourSrcBucket"
// Specify the name of the destination bucket. The source and destination buckets must belong to different Alibaba Cloud accounts.
destBucketName := "yourDestBucket"
// Specify the prefix_1 and prefix_2 prefixes that are contained in the names of the objects that you want to replicate. After you specify the prefixes, only objects whose names contain one of the prefixes are replicated to the destination bucket.
// To replicate all objects from the source bucket to the destination bucket, do not specify prefixes.
prefix1 := "prefix_1"
prefix2 := "prefix_2"
prefixSet := oss.ReplicationRulePrefix{Prefix: []*string{&prefix1, &prefix2}}
reqReplication := oss.PutBucketReplication{
Rule: []oss.ReplicationRule{
{
PrefixSet: &prefixSet,
// Specify the operations that you want to replicate to the destination bucket. The default value is ALL. This indicates that all operations performed on the objects in the source bucket are replicated to the destination bucket.
Action: "ALL",
Destination: &oss.ReplicationRuleDestination{
Bucket: destBucketName,
// Specify the region in which the destination bucket is located. The source and destination buckets must be located in the same region.
Location: "oss-cn-hangzhou",
},
// Specify whether to replicate historical data. By default, historical data is replicated. In this example, this parameter is set to disabled, which indicates that historical data is not replicated.
HistoricalObjectReplication: "disabled",
// Specify the name of the RAM role that you want OSS to use to replicate data. The role must have the permissions to perform SRR on the source bucket and receive replicated objects in the destination bucket.
SyncRole: "yourRole",
},
},
}
xmlBody, err := xml.Marshal(reqReplication)
if err != nil {
HandleError(err)
}
err = client.PutBucketReplication(srcbucketName, string(xmlBody))
if err != nil {
HandleError(err)
}
fmt.Println("Put Bucket Replication Success!")
}