Cross-region replication for the same account - Object Storage Service

Cross-Region Replication (CRR) automatically and asynchronously replicates objects from a source bucket in one region to a destination bucket in another region within the same Alibaba Cloud account. Object creation, update, and deletion operations are replicated nearly in real time. This topic describes how to configure CRR for buckets that belong to the same account.

Prerequisites

You have created a source bucket in a region under your Alibaba Cloud account. Record the account UID, the source bucket name, and its region.
You have created a destination bucket in a different region under the same Alibaba Cloud account. Record the destination bucket name and its region.

Role types

To perform CRR, you must specify a RAM role that Object Storage Service (OSS) can assume to replicate objects from the source bucket to the destination bucket. You can select one of the following role types for the replication.

Important

You can use a RAM user to create the role. The RAM user must have the following permissions: ram:CreateRole, ram:GetRole, ram:ListPoliciesForRole, and ram:AttachPolicyToRole. However, granting role-related permissions such as ram:CreateRole and ram:GetRole to a RAM user poses security risks. We recommend that you use the parent Alibaba Cloud account to create and authorize the RAM role, which the RAM user can then assume.

(Recommended) new RAM role

When creating a CRR rule, you can create a new RAM role for the replication. OSS automatically creates a role named oss-replication-{uuid} and attaches different permission policies depending on whether you replicate objects encrypted with Key Management Service (KMS).

Replicate KMS-encrypted objects
After creating the role, grant it the required permissions as prompted. Once authorized, the role receives a fine-grained permission policy for replication from the source bucket to the destination bucket and the AliyunKMSCryptoUserAccess policy for managing Key Management Service (KMS).
Do not replicate KMS-encrypted objects
After creating the role, grant it the required permissions as prompted. Once authorized, the role receives a fine-grained permission policy for replication from the source bucket to the destination bucket.

AliyunOSSRole

When you create a CRR rule, you can select the AliyunOSSRole to perform the replication. OSS attaches different permission policies to the role based on whether you choose to replicate KMS-encrypted objects.

Replicate KMS-encrypted objects
If you select AliyunOSSRole, OSS automatically attaches the following permission policies to the role: AliyunOSSFullAccess (permissions to manage Object Storage Service) and AliyunKMSCryptoUserAccess (permissions to manage Key Management Service).
Warning
This role has broad permissions, allowing all operations on all buckets and KMS resources under the current account. Use this role with caution.
Do not replicate KMS-encrypted objects
If you select AliyunOSSRole, OSS automatically attaches AliyunOSSFullAccess (permissions to manage Object Storage Service) to the role.
Warning
This role has broad permissions, allowing all operations on all buckets under the current account. Use this role with caution.

Custom role

When you create a CRR rule, you can use a custom role for the replication. You must create the custom role in the Resource Access Management (RAM) console and grant the required permissions to the role.

Create a regular service role.
During role creation, select Alibaba Cloud Service as the trusted entity and Object Storage Service as the trusted service. For more information, see Create a regular service role.
Grant permissions to the role.
You can use one of the following methods to grant permissions to the role.
System policy
Warning
You can attach the AliyunOSSFullAccess system policy to the RAM role. By default, AliyunOSSFullAccess grants full permissions on all buckets within the current account. Use this policy with caution.
To replicate KMS-encrypted objects, you must also attach the AliyunKMSFullAccess system policy to the role.
For more information, see Grant permissions to a RAM role.
Custom policy
Use a RAM policy to grant the RAM role the minimum permissions required for replication from the source bucket (src-bucket) to the destination bucket (dest-bucket).
Note
Replace the source and destination bucket names with the actual names of your buckets.
```
{
   "Version":"1",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "oss:ReplicateList",
            "oss:ReplicateGet"
         ],
         "Resource":[
            "acs:oss:*:*:src-bucket",
            "acs:oss:*:*:src-bucket/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "oss:ReplicateList",
            "oss:ReplicateGet",
            "oss:ReplicatePut",
            "oss:ReplicateDelete"
         ],
         "Resource":[
            "acs:oss:*:*:dest-bucket",
            "acs:oss:*:*:dest-bucket/*"
         ]
      }
   ]
}
```
For more information, see Grant permissions to a RAM role.
Note
To replicate KMS-encrypted objects, you must also attach the AliyunKMSFullAccess system policy to the role.

Important

When you replicate data across regions within the same account, OSS validates only the permission policy of the RAM role used for replication. OSS does not validate the bucket policies on the source or destination buckets.

Procedure

OSS Console

Log on to the OSS console.
In the left-side navigation pane, click Buckets. Then, click the name of the source bucket.
In the left-side navigation pane, choose Data Management > CRR.
On the CRR tab, click CRR.

In the CRR panel, configure the following parameters.

Section	Parameter	Description
Configure Destination Bucket	Source bucket	Displays the region and name of the source bucket.
Configure Destination Bucket	Destination bucket	Select Select a Bucket in This Account, and then select the region and name of the destination bucket from the drop-down lists.
Configure Replication Policy	Objects to Replicate	Select the source objects to replicate. Note After a CRR rule is created, changes to the storage class in the source bucket that are caused by lifecycle rules or the CopyObject operation, and changes to the last access time (`x-oss-last-access-time`) attribute of objects in the bucket are not replicated to the destination bucket. Synchronize all files: Replicates all objects in the bucket to the destination bucket. Sync by specified prefix: Replicates only objects with a specified prefix to the destination bucket. You can add up to 10 prefixes by default. To increase the limit to 100, contact Technical Support.
	Copy and delete operation	Select how objects are replicated. Note After a CRR rule is created, changes to the storage class in the source bucket that are caused by lifecycle rules or the CopyObject operation, and changes to the last access time (`x-oss-last-access-time`) attribute of objects in the bucket are not replicated to the destination bucket. No (for disaster recovery scenarios): Replicates object creation and update operations from the source bucket to the destination bucket. Important With this policy, only new and updated objects are replicated. Delete operations in the source bucket do not affect the destination bucket. This method prevents data loss in the destination bucket that is caused by manual deletions or automatic deletions by lifecycle rules in the source bucket. If versioning is enabled for the source bucket, when an object is deleted from the source bucket without a specific version ID, OSS creates a delete marker in the source bucket. This delete marker is also replicated to the destination bucket. Yes (for scenarios where you need to share and access the same dataset): Replicates object creation, update, and deletion operations from the source bucket to the destination bucket. Important With this policy, all object creations, updates, and deletions are replicated to the destination bucket. This method ensures data consistency and is suitable for multi-user or multi-application environments that need to share and access the same dataset. However, this also means that if an object is deleted from the source bucket (either manually or by a lifecycle rule), it is also deleted from the destination bucket and cannot be recovered. When an object is uploaded to the source bucket using a multipart upload, each part is replicated. The final object, created after the CompleteMultipartUpload operation completes, is also replicated. For more information about replication behavior when CRR is used with versioning, see CRR and versioning.
	Replicate Historical Data	Specify whether to replicate objects that existed in the source bucket before you enable CRR. Replicate: Replicates historical data to the destination bucket. Important When you replicate historical data, objects from the source bucket may overwrite objects with the same name in the destination bucket. To prevent this data loss, we recommend that you enable versioning for both the source and destination buckets. Do Not Replicate: Replicates only objects that are uploaded or updated after the CRR rule takes effect.
	Replicate Objects Encrypted Based on KMS	Specify whether to replicate KMS-encrypted objects to the destination bucket. Replicate: Replicates objects to the destination bucket if the source objects are encrypted with KMS-managed keys (SSE-KMS with a specified customer master key (CMK) ID) or the destination bucket is configured to use SSE-KMS encryption. Note You can call the HeadObject and GetBucketEncryption operations to query the encryption status of the source objects and the destination bucket, respectively. Do Not Replicate: Does not replicate KMS-encrypted objects to the destination bucket.
	CMK ID	Specify the KMS key to encrypt the destination objects. You must first create a KMS key in the same region as the destination bucket. For more information, see Create a CMK.
	RAM Role	We recommend selecting New RAM Role. You must then grant permissions to the role as prompted. You can also select AliyunOSSRole or a custom role. For more information about these three role types, see Role types.
Configure Replication Speed	Acceleration Type	Only Transfer Acceleration is supported. Transfer Acceleration improves the speed of cross-region replication between regions inside and outside mainland China. If you enable Transfer Acceleration, additional fees are charged. For more information about billing, see Transfer Acceleration fees.
Configure Replication Speed	Replication Time Control (RTC)	Note RTC is available in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), and China (Shenzhen). RTC is available in the following regions: US (Silicon Valley) and US (Virginia). If you do not replicate historical data, RTC takes effect within 15 minutes. If you do, it takes effect about one hour after the historical data is replicated. After RTC takes effect, OSS replicates 99.99% of new objects (non-historical objects) within 10 minutes. If you enable RTC, RTC fees are charged.

Click OK. In the dialog box that appears, click Enable.
- After a CRR rule is created, you cannot modify or delete it.
- Replication starts 3 to 5 minutes after you configure the CRR rule. You can view the replication progress on the CRR tab of the source bucket.
- The time required to replicate objects to the destination bucket depends on their size and quantity, and typically ranges from several minutes to several hours.

Alibaba Cloud SDKs

Only Alibaba Cloud SDKs for Java, Python, and Go support CRR within the same account.

Java

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.model.AddBucketReplicationRequest;

public class Demo {

    public static void main(String[] args) throws Exception {
        // This example uses the China (Hangzhou) region. Replace the endpoint with the actual endpoint of the region where your source bucket is located.
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Specify the region ID that corresponds to the endpoint, such as cn-hangzhou.
        String region = "cn-hangzhou";
        // Storing credentials in your code is not recommended as it may lead to leaks and compromise your account's security. This example shows how to obtain credentials from environment variables. Before you run this example, configure the required environment variables.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the source bucket.
        String bucketName = "src-bucket";
        // Specify the destination bucket for data replication. The destination bucket and source bucket must belong to the same account.
        String targetBucketName = "dest-bucket";
        // Specify the region of the destination bucket. The destination bucket must be in a different region from the source bucket.
        String targetBucketLocation = "oss-cn-shanghai";

        // Create an OSSClient instance.
        // When the OSSClient instance is no longer used, call the shutdown method to release resources.
        ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
        // Explicitly declare the use of the V4 signature algorithm.
        clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(credentialsProvider)
                .clientConfiguration(clientBuilderConfiguration)
                .region(region)
                .build();

        try {
            AddBucketReplicationRequest request = new AddBucketReplicationRequest(bucketName);
            request.setTargetBucketName(targetBucketName);
            request.setTargetBucketLocation(targetBucketLocation);
            // By default, historical data is replicated. Set this parameter to false to disable historical data replication.
            request.setEnableHistoricalObjectReplication(false);
            // Specify the RAM role that OSS assumes for replication. The role must have permissions to replicate from the source bucket and write to the destination bucket.
            request.setSyncRole("yourRole");
            // Specify whether OSS replicates objects that are encrypted by using SSE-KMS.
            //request.setSseKmsEncryptedObjectsStatus("Enabled");
            // Specify the SSE-KMS key ID. This element is required if Status is set to Enabled.
            //request.setReplicaKmsKeyID("3542abdd-5821-4fb5-a425-90adca***");
            //List prefixes = new ArrayList();
            //prefixes.add("image/");
            //prefixes.add("video");
            //prefixes.add("a");
            //prefixes.add("A");
            // Specify the prefixes of the objects to be replicated. Only objects with the specified prefixes are replicated to the destination bucket.
            //request.setObjectPrefixList(prefixes);
            //List actions = new ArrayList();
            //actions.add(AddBucketReplicationRequest.ReplicationAction.PUT);
            // Replicate object creation and update operations from the source bucket to the destination bucket.
            //request.setReplicationActionList(actions);
            ossClient.addBucketReplication(request);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}

Python

# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
from oss2.models import ReplicationRule
# Obtain credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region where the source bucket is located. This example uses the China (Hangzhou) region. Set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
# Specify the name of the source bucket, for example, src-bucket.
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'src-bucket')
replica_config = ReplicationRule(
    # Specify the destination bucket for data replication. The destination bucket and source bucket must belong to the same account.
    target_bucket_name='dest-bucket',
    # Specify the region of the destination bucket. The destination bucket and source bucket must be in different regions.
    target_bucket_location='oss-cn-shanghai',
    # Specify the name of the RAM role that OSS assumes to replicate data. This role must have permissions to perform CRR from the source bucket and write to the destination bucket.
    sync_role_name='roleNameTest',
)

# Specify the prefixes of objects to replicate. After you specify a prefix, only objects whose names start with the prefix are replicated to the destination bucket.
# prefix_list = ['prefix1', 'prefix2']
# Configure the data replication rule.
# replica_config = ReplicationRule(
     # prefix_list=prefix_list,
     # Replicate object creation and update operations from the source bucket to the destination bucket.
     # action_list=[ReplicationRule.PUT],
     # Specify the destination bucket for data replication. The destination bucket and source bucket must belong to the same account.
     # target_bucket_name='dest-bucket',
     # Specify the region of the destination bucket. The destination bucket and source bucket must be in different regions.
     # target_bucket_location='yourTargetBucketLocation',
     # By default, historical data is replicated. Set this parameter to False to disable historical data replication.
     # is_enable_historical_object_replication=False,
     # Specify the data transfer link to be used for data replication.
     # target_transfer_type='oss_acc',    
  #)

# Enable data replication.
bucket.put_bucket_replication(replica_config)

Go

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // Region in which the bucket is located.
	bucketName string // Name of the bucket.
)

// Specify the init function used to initialize command line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}

func main() {
	// Parse command line parameters.
	flag.Parse()

	var (
		targetBucket   = "target bucket name" // Name of the destination bucket.
		targetLocation = "oss-cn-beijing"     // Region in which the destination bucket is located.
	)

	// Check whether the name of the bucket is specified.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the region is specified.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Load the default configurations and specify the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to enable data replication for the bucket.
	request := &oss.PutBucketReplicationRequest{
		Bucket: oss.Ptr(bucketName), // Name of the bucket.
		ReplicationConfiguration: &oss.ReplicationConfiguration{
			Rules: []oss.ReplicationRule{
				{
					RTC: &oss.ReplicationTimeControl{
						Status: oss.Ptr("enabled"), // Enable the RTC feature.
					},
					Destination: &oss.ReplicationDestination{
						Bucket:       oss.Ptr(targetBucket),   // Name of the destination bucket.
						Location:     oss.Ptr(targetLocation), // Region in which the destination bucket is located.
						TransferType: oss.TransferTypeOssAcc,  // Type of transfer.
					},
					HistoricalObjectReplication: oss.HistoricalObjectReplicationEnabled, // Enable the historical data replication feature.
				},
			},
		},
	}

	// Enable data replication.
	result, err := client.PutBucketReplication(context.TODO(), request)
	if err != nil {
		log.Fatalf("failed to put bucket replication %v", err)
	}

	// Display the result.
	log.Printf("put bucket replication result:%#v\n", result)
}

ossutil

For more information about how to enable CRR by using ossutil, see put-bucket-replication.

REST API

For highly customized applications, you can call the REST API operations directly. This requires you to manually write code to calculate the signature for each request. For more information, see PutBucketReplication.

Object Storage Service:Cross-region replication for the same account