
Object Storage Service: Same-region replication (SRR) within the same account

Last Updated: Mar 31, 2026

Same-region replication (SRR) automatically and asynchronously (in near real-time) replicates objects—including their creation, updates, and deletions—from a source bucket to a destination bucket. The source and destination buckets must be in the same region and belong to the same Alibaba Cloud account. This topic describes how to configure SRR for buckets within the same account.

Prerequisites

  • A source bucket is created in a region under your Alibaba Cloud account. The account UID, source bucket name, and region are recorded.

  • A destination bucket is created in the same region under the same Alibaba Cloud account. The destination bucket name is recorded.

RAM role types

To perform SRR, you must specify a RAM role that Object Storage Service (OSS) can assume to replicate objects from the source bucket to the destination bucket. You can use one of the following role types for the SRR task.

Important

You can create a role by using a RAM user. The RAM user must have the following permissions: ram:CreateRole, ram:GetRole, ram:ListPoliciesForRole, and ram:AttachPolicyToRole. Because granting role-related permissions such as ram:CreateRole and ram:GetRole to a RAM user involves high risks, we recommend that you use the Alibaba Cloud account associated with the RAM user to create a RAM role and grant permissions to the role. After the authorization is complete, the RAM user can directly reuse the RAM role created by the Alibaba Cloud account.

New RAM role (recommended)

When you create a same-region replication rule within the same account, you can choose to create a new role to complete the replication task. If you choose to create a new role, a role with the name format oss-replication-{uuid} is automatically created in the background and is granted different permission policies based on whether you choose to replicate KMS-encrypted objects.

  • Replicating KMS-encrypted objects

    After the role is created, you must authorize it by following the on-screen instructions. Once authorized, the role receives a fine-grained policy for data replication and the AliyunKMSCryptoUserAccess policy to manage KMS.

  • Not replicating KMS-encrypted objects

    After the role is created, you must authorize it by following the on-screen instructions. Once authorized, the role receives a fine-grained policy for data replication.

AliyunOSSRole

When you create an SRR rule, you can select the AliyunOSSRole for the replication task. After you select this role, a policy is attached based on whether you choose to replicate KMS-encrypted objects.

  • Replicating KMS-encrypted objects

    If you select the AliyunOSSRole, the system automatically attaches the AliyunOSSFullAccess policy (grants permissions to manage OSS) and the AliyunKMSCryptoUserAccess policy (grants permissions to manage KMS) to the role.

    Warning

    This role has permissions to perform all operations on all buckets and KMS keys in the current account. This is a broad permission scope, so use this role with caution.

  • Not replicating KMS-encrypted objects

    If you select the AliyunOSSRole, the system automatically attaches the AliyunOSSFullAccess policy (grants permissions to manage OSS) to the role.

    Warning

    This role has permissions to perform all operations on all buckets in the current account. This is a broad permission scope, so use this role with caution.

Custom role

When you create an SRR rule, you can use a custom role for the replication task. You must create a custom role in the RAM console and grant the required permissions to the role.

  1. Create a regular service role.

    When you create the role, select Alibaba Cloud Service for the trusted entity type and Object Storage Service for the trusted service. For more information, see Create a regular service role.

  2. Grant permissions to the role.

    You can grant permissions to the role in one of the following ways.

    System policy

    Warning

    You can grant the system policy AliyunOSSFullAccess to a RAM role. AliyunOSSFullAccess grants full permissions on all buckets in the current account by default. Use this policy with caution.

    If you want to copy a KMS-encrypted object to the destination bucket, you also need to grant the AliyunKMSFullAccess system policy to the role.

    For more information, see Grant permissions to a RAM role.

    Custom policy

    We recommend that you grant the RAM role the minimum permissions required to replicate objects from the source bucket (src-bucket) to the destination bucket (dest-bucket).

    Note

    When you use the policy, replace the names of the source and destination buckets with the actual names.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ReplicateList",
            "oss:ReplicateGet"
          ],
          "Resource": [
            "acs:oss:*:*:src-bucket",
            "acs:oss:*:*:src-bucket/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "oss:ReplicateList",
            "oss:ReplicateGet",
            "oss:ReplicatePut",
            "oss:ReplicateDelete"
          ],
          "Resource": [
            "acs:oss:*:*:dest-bucket",
            "acs:oss:*:*:dest-bucket/*"
          ]
        }
      ]
    }

    For more information, see Grant permissions to a RAM role.

    Note

    If you want to copy a KMS-encrypted object to the destination bucket, you also need to grant the AliyunKMSFullAccess system policy to the role.

Important

For SRR within the same account, OSS evaluates permissions based only on the policy of the RAM role. It does not check the bucket policies of the source or destination buckets.
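
Because the role policy is the only permission check for same-account SRR, it is worth verifying a custom policy before attaching it. The following is an added example, not code from Alibaba Cloud: the function names and finding messages are assumptions, while the allowed actions and resource format come from the custom policy above. It audits only OSS statements; KMS permissions are granted by a separate policy.

```python
import json

# Minimum replication actions from the custom policy above, per side.
SRC_ACTIONS = {"oss:ReplicateList", "oss:ReplicateGet"}
DEST_ACTIONS = SRC_ACTIONS | {"oss:ReplicatePut", "oss:ReplicateDelete"}


def _as_list(value):
    """Action, Resource and Statement may each be one item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _bucket_of(resource):
    """Bucket name from 'acs:oss:<region>:<account>:<bucket>[/<key>]', else None."""
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[:2] != ["acs", "oss"]:
        return None
    return parts[4].split("/", 1)[0]


def audit_replication_policy(policy_json, src_bucket, dest_bucket):
    """Return findings; [] means only replication actions on the two buckets."""
    allowed = {src_bucket: SRC_ACTIONS, dest_bucket: DEST_ACTIONS}
    granted = {src_bucket: set(), dest_bucket: set()}
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for n, stmt in enumerate(statements, 1):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for resource in _as_list(stmt.get("Resource")):
            bucket = _bucket_of(resource)
            if bucket not in allowed:  # "*", another bucket, or a non-OSS resource
                findings.append(
                    f"statement {n}: resource {resource!r} is outside the replication pair")
                continue
            for action in _as_list(stmt.get("Action")):
                if action in allowed[bucket]:
                    granted[bucket].add(action)
                else:
                    findings.append(
                        f"statement {n}: {action!r} on {bucket} exceeds the replication minimum")
    for bucket, needed in allowed.items():
        for action in sorted(needed - granted[bucket]):
            findings.append(f"no bucket-scoped Allow for {action!r} on {bucket}")
    return list(dict.fromkeys(findings))  # drop repeats, keep order


# The minimum policy from this topic, with its placeholder bucket names.
PAGE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:ReplicateList", "oss:ReplicateGet"],
     "Resource": ["acs:oss:*:*:src-bucket", "acs:oss:*:*:src-bucket/*"]},
    {"Effect": "Allow",
     "Action": sorted(DEST_ACTIONS),
     "Resource": ["acs:oss:*:*:dest-bucket", "acs:oss:*:*:dest-bucket/*"]},
]})

# Constructed sample: an account-wide grant on every OSS resource.
BROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        result = audit_replication_policy(doc, "src-bucket", "dest-bucket")
        print(name, "->", result or "OK")
```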

Procedure

OSS console

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the source bucket.

  3. In the left-side navigation pane, choose Data Management > SRR.

  4. On the SRR tab, click SRR.

  5. In the SRR panel, configure the following parameters.

    Section

    Parameter

    Description

    Configure Destination Bucket

    Source bucket

    The region and name of the source bucket are displayed.

    Destination Bucket

    Select "Select a bucket in this account", and then select the destination bucket in the same region from the drop-down list.

    Configure Replication Policy

    Objects to Replicate

    Select the source objects that you want to replicate.

    • Synchronize all files: Replicates all objects in the bucket to the destination bucket.

    • Objects with specified prefixes: Replicates objects with specified prefixes to the destination bucket. By default, you can add up to 10 prefixes. To increase this limit, contact technical support. The limit can be increased to 100.

    Object Tagging

    Note

    To configure this parameter, the following conditions must be met:

    • Tags must already be set on the object.

    • Neither "Replicate Delete Markers" nor "Replicate Delete Operations" is selected.

    After you select the Configure Rules checkbox, you can replicate objects with specific tags to the destination bucket. You can add up to 10 tags (key-value pairs). Once tags are added, you can choose one of the following tag filtering policies:

    • Include all tags: The object is replicated only if all tags defined in the filtering rule exist on the object.

    • Include any one tag: The object is replicated if at least one tag defined in the filtering rule exists on the object.

      Note

      Tag filtering is currently not supported in the following regions: China (Zhangjiakou), China (Zhongwei), and Mexico.

    Copy and delete operation

    Select how data is replicated.

    Note

    After a replication rule is created, changes to an object's storage class in the source bucket (caused by lifecycle rules or the CopyObject operation) and the object's last access time (x-oss-last-access-time property) are not replicated to the destination bucket.

    • No (for disaster recovery scenarios): Replicates object creation and update operations from the source bucket to the destination bucket.

      Important
      • This prevents accidental data loss in the destination bucket from deletions (whether manual or by a lifecycle rule) in the source bucket.

      • If versioning is enabled for the source bucket, deleting an object from the source bucket without a version ID creates a delete marker, which is then replicated to the destination bucket.

    • Yes (for data sharing scenarios): Replicates object creation, update, and deletion operations from the source bucket to the destination bucket.

      Important

      This option keeps the buckets synchronized by replicating creations, updates, and deletions. It is suitable for environments where multiple users or applications need to access the same dataset. However, be aware that deleting an object in the source bucket (manually or by a lifecycle rule) also deletes the object in the destination bucket, and it cannot be recovered.

    For objects uploaded using multipart upload, OSS replicates each part as it is uploaded. The final object is also replicated after the CompleteMultipartUpload operation.

    For more information about the replication behavior when you use SRR with versioning, see SRR with versioning.

    Replicate Historical Data

    Select whether to replicate historical data from the source bucket.

    • Yes: Replicates historical data to the destination bucket.

      Important

      When historical data is replicated, objects from the source bucket may overwrite objects with the same name in the destination bucket. To prevent data loss, we recommend that you enable versioning for both the source and destination buckets.

    • No: Replicates only objects that are uploaded or updated after the SRR rule takes effect.

    Replicate Objects Encrypted Based on KMS

    Select whether to replicate KMS-encrypted objects to the destination bucket.

    • Yes: Replicates an object to the destination bucket if the source object or destination bucket is encrypted by using server-side encryption with KMS-managed keys (SSE-KMS) and a specified CMK ID.

      Note

      You can call the HeadObject and GetBucketEncryption operations to query the encryption status of the source object and destination bucket, respectively.

    • No: Does not replicate KMS-encrypted objects to the destination bucket.

    CMK ID

    If you choose to replicate KMS-encrypted objects, you must specify the CMK ID of the KMS key used to encrypt objects in the destination bucket.

    Before you specify a CMK ID, you must first create the corresponding key in the KMS console. The KMS key must be in the same region as the destination bucket. For more information, see Create a CMK.

    RAM Role

    We recommend that you select New RAM Role. If you select this option, follow the on-screen instructions to authorize the new role.

    You can also select AliyunOSSRole or a custom role. For more information about these three role types, see RAM role types.

  6. Click OK. In the confirmation dialog box that appears, click Enable.

    • After an SRR rule is created, you cannot edit or delete it.

    • The replication task starts 3 to 5 minutes after the SRR rule is configured. You can view the replication progress on the SRR tab of the source bucket.

    • The time required to replicate data depends on its size and can range from minutes to hours.

SDKs

SRR for buckets within the same account is supported only by Alibaba Cloud SDK for Java, Python, and Go.

Java

import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.AddBucketReplicationRequest;
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.common.comm.SignVersion;

public class Demo {

    public static void main(String[] args) throws Exception {
        // Specify the endpoint. For example, if your bucket is in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Specify the region ID that corresponds to the endpoint, such as cn-hangzhou.
        String region = "cn-hangzhou";
        // We strongly recommend that you do not save access credentials in your code. Otherwise, the access credentials may be leaked, which poses a threat to the security of all resources in your account. In this example, access credentials are obtained from environment variables. Before you run the sample code, configure the required environment variables.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the source bucket.
        String bucketName = "src-bucket";
        // Specify the destination bucket. The destination bucket and source bucket must belong to the same account.
        String targetBucketName = "dest-bucket";
        // Specify the region where the destination bucket is located. The destination bucket and source bucket must be in the same region.
        String targetBucketLocation = "oss-cn-hangzhou";

        // Create an OSSClient instance.
        // When the OSSClient instance is no longer needed, call the shutdown method to release resources.
        ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
        // Explicitly declare that the V4 signature algorithm is used.
        clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(credentialsProvider)
                .clientConfiguration(clientBuilderConfiguration)
                .region(region)
                .build();

        try {
            AddBucketReplicationRequest request = new AddBucketReplicationRequest(bucketName);

            request.setTargetBucketName(targetBucketName);
            request.setTargetBucketLocation(targetBucketLocation);
            // By default, historical data is replicated. Set this parameter to false to disable historical data replication.
            request.setEnableHistoricalObjectReplication(false);
            // Specify the name of the RAM role that is authorized to replicate data. The role must have permissions to perform SRR on the source bucket and write to the destination bucket.
            request.setSyncRole("yourRole");
            // Specify whether to replicate objects that are encrypted by using SSE-KMS.
            //request.setSseKmsEncryptedObjectsStatus("Enabled");
            // Specify the ID of the CMK that is used for SSE-KMS. If you set SseKmsEncryptedObjectsStatus to Enabled, you must specify this parameter.
            //request.setReplicaKmsKeyID("3542abdd-5821-4fb5-a425-90adca***");
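            // To use the lists below, also import java.util.ArrayList and java.util.List.
            //List<String> prefixes = new ArrayList<String>();
            //prefixes.add("image/");
            //prefixes.add("video");
            //prefixes.add("a");
            //prefixes.add("A");
            // Specify the prefixes of the objects to replicate. Only objects with the specified prefixes are replicated to the destination bucket.
            //request.setObjectPrefixList(prefixes);
            //List<AddBucketReplicationRequest.ReplicationAction> actions = new ArrayList<AddBucketReplicationRequest.ReplicationAction>();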
            //actions.add(AddBucketReplicationRequest.ReplicationAction.PUT);
            // Replicate object creation and update operations from the source bucket to the destination bucket.
            //request.setReplicationActionList(actions);
            ossClient.addBucketReplication(request);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught a ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}

Python

# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
from oss2.models import ReplicationRule
# Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the source bucket is located. For example, for the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
# Specify the name of the source bucket, for example, src-bucket.
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'src-bucket')
replica_config = ReplicationRule(
    # Specify the destination bucket. The destination bucket and source bucket must belong to the same account.
    target_bucket_name='dest-bucket',
    # Specify the region where the destination bucket is located. The destination bucket and source bucket must be in the same region.
    target_bucket_location='oss-cn-hangzhou',
    # Specify the name of the RAM role that is authorized to replicate data. The role must have permissions to perform SRR on the source bucket and write to the destination bucket.
    sync_role_name='roleNameTest',
)

# Specify the prefixes of the objects to replicate. Only objects with the specified prefixes are replicated to the destination bucket.
# prefix_list = ['prefix1', 'prefix2']
# Configure a data replication rule.
# replica_config = ReplicationRule(
#     prefix_list=prefix_list,
#     # Replicate object creation and update operations from the source bucket to the destination bucket.
#     action_list=[ReplicationRule.PUT],
#     # Specify the destination bucket.
#     target_bucket_name='dest-bucket',
#     # Specify the region where the destination bucket is located.
#     target_bucket_location='yourTargetBucketLocation',
#     # By default, historical data is replicated. Set this parameter to False to disable historical data replication.
#     is_enable_historical_object_replication=False,
#     # Replicate objects that are encrypted by using SSE-KMS.
#     sse_kms_encrypted_objects_status=ReplicationRule.ENABLED,
#     # Specify the ID of the CMK that is used for SSE-KMS. If you choose to replicate objects encrypted by using SSE-KMS, you must specify this parameter.
#     replica_kms_keyid='9468da86-3509-4f8d-a61e-6eab1eac****',
# )

# Enable data replication.
bucket.put_bucket_replication(replica_config)

Go

package main

import (
	"encoding/xml"
	"fmt"
	"github.com/aliyun/aliyun-oss-go-sdk/oss"
	"os"
)

func HandleError(err error) {
	fmt.Println("Error:", err)
	os.Exit(-1)
}

// Enable data replication.
func main() {
	// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		fmt.Println("Error:", err)
		os.Exit(-1)
	}
	// Create an OSSClient instance.
	// Set yourEndpoint to the endpoint of the bucket's region. For example, for the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
	client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
	if err != nil {
		fmt.Println("Error:", err)
		os.Exit(-1)
	}
	// Specify the name of the source bucket.
	srcbucketName := "yourSrcBucket"
	// Specify the name of the destination bucket.
	destBucketName := "yourDestBucket"
	// Specify the prefixes of the objects to replicate, such as prefix_1 and prefix_2. Only objects with these prefixes are replicated.
	// If you want to replicate all objects in the source bucket, do not set prefixes.
	prefix1 := "prefix_1"
	prefix2 := "prefix_2"
	// Specify the ID of the CMK that is used for SSE-KMS. If the status is set to Enabled, you must specify this parameter.
	keyId := "c4d49f85-ee30-426b-a5ed-95e9****"
	// Specify whether to replicate objects that are encrypted by using SSE-KMS.
	source := "Enabled"
	prefixSet := oss.ReplicationRulePrefix{Prefix: []*string{&prefix1, &prefix2}}	
	reqReplication := oss.PutBucketReplication{
		Rule: []oss.ReplicationRule{
			{
				PrefixSet: &prefixSet,
				//Replicate object creation and update operations from the source bucket to the destination bucket.
				Action: "PUT",				
				Destination: &oss.ReplicationRuleDestination{
					Bucket: destBucketName,
					// Specify the region of the destination bucket. The source and destination buckets must be in the same region.
					Location: "oss-cn-hangzhou",					
				},
				// By default, historical data is replicated. Set this parameter to "disabled" to disable historical data replication.
				HistoricalObjectReplication: "disabled",
				// Specify the name of the RAM role that is authorized to replicate data. The role must have permissions to perform SRR on the source bucket and write to the destination bucket.
				SyncRole:                "yourRole",
				EncryptionConfiguration: &keyId,
				SourceSelectionCriteria: &source,
			},
		},
	}

	xmlBody, err := xml.Marshal(reqReplication)
	if err != nil {
		HandleError(err)
	}
	err = client.PutBucketReplication(srcbucketName, string(xmlBody))

	if err != nil {
		HandleError(err)
	}

	fmt.Println("Put Bucket Replication Success!")
}

ossutil

For information about how to enable SRR by using ossutil, see put-bucket-replication.

REST API

For advanced use cases, you can directly call REST API operations. This requires manually calculating the request signature in your code. For more information, see PutBucketReplication.