
Object Storage Service:Required permissions for data replication

Last Updated:Dec 04, 2023

The permissions required for data replication differ between replication within the same account and replication across accounts. To complete a data replication task, you must grant the required replication permissions to the RAM role that Object Storage Service (OSS) assumes on your behalf.

Usage notes

  • Each replication operation requires a collection of replication permissions. OSS assumes the RAM role that you create to obtain the permissions required to replicate data.

  • The resources specified in a permission policy of the RAM role refer only to the resources within the current Alibaba Cloud account. Therefore, the policies required for data replication across accounts and data replication within the same account are different.

    • Data replication within the same account: The source and destination buckets are resources within the same Alibaba Cloud account. Therefore, you can grant the replication permissions on the source and destination buckets to the RAM role within the Alibaba Cloud account.

    • Data replication across accounts: The source and destination buckets belong to two different Alibaba Cloud accounts. In this topic, the source bucket belongs to Account A and the destination bucket belongs to Account B. Because a RAM policy in Account A cannot reference resources in Account B, you must attach a RAM policy to the RAM role of Account A for the source bucket, and attach a bucket policy to the destination bucket in Account B that grants the required permissions to the RAM role of Account A.

Required permissions of the RAM role for same-account data replication

This section describes the trust policy and minimum permissions required by the RAM role for data replication within the same account.

  • Required trust policy for the RAM role

    The following trust policy is attached to the RAM role. OSS (oss.aliyuncs.com) is the only trusted entity and is authorized to assume the RAM role to replicate data. Do not add other principals to this policy: any principal listed here can assume the role and obtain all of its replication permissions.

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "oss.aliyuncs.com"
            ]
          }
        }
      ],
      "Version": "1"
    }
  • Required minimum permissions for the RAM role

    You can use a RAM policy to grant the RAM role the minimum permissions required to perform data replication on the source and destination buckets.

    {
       "Version":"1",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "oss:ReplicateList",
                "oss:ReplicateGet"
             ],
             "Resource":[
                "acs:oss:*:*:src-bucket",
                "acs:oss:*:*:src-bucket/*"
             ]
          },
          {
             "Effect":"Allow",
             "Action":[
                "oss:ReplicateList",
                "oss:ReplicateGet",
                "oss:ReplicatePut",
                "oss:ReplicateDelete"
             ],
             "Resource":[
                "acs:oss:*:*:dest-bucket",
                "acs:oss:*:*:dest-bucket/*"
             ]
          }
       ]
    }

    Actions

      • oss:ReplicateList: The list permission in the replication process. It allows OSS to list the historical data in the source bucket so that the historical data can be replicated to the destination bucket.

      • oss:ReplicateGet: The read permission in the replication process. It allows OSS to read data and metadata from the source and destination buckets, such as objects, parts, and multipart upload tasks.

      • oss:ReplicatePut: The write permission in the replication process. It allows OSS to perform write operations on the destination bucket, such as writing objects, multipart upload tasks, parts, and symbolic links, and modifying object metadata.

      • oss:ReplicateDelete: The delete permission in the replication process. It allows OSS to perform delete operations on the destination bucket, such as DeleteObject, AbortMultipartUpload, and DeleteMarker.

        Important: This action is required only if you set Replication Policy to Add/Delete/Change. Otherwise, omit it from the RAM policy (and, for cross-account replication, from the bucket policy) so that the role cannot delete data in the destination bucket.

Required permissions of the RAM role for cross-account data replication

Two buckets that belong to different Alibaba Cloud accounts are required for data replication across accounts. The following items describe the trust policy and minimum permissions required by the RAM role for data replication across accounts.

RAM role authorization required for the account of the source bucket

  • Required trust policy for the RAM role

    The trust policy required for the RAM role of data replication across accounts is the same as that required for data replication within the same account. You must use Account A to attach the required trust policy to the RAM role. For more information, see Required trust policy for the RAM role.

  • Required minimum permissions for the RAM role

    For more information about the permissions that correspond to the actions for data replication across accounts, see Actions.

    Use Account A to attach a RAM policy that grants its RAM role the minimum permissions required to read the source bucket. No permissions on the destination bucket are granted here, because the destination bucket belongs to Account B.

    {
       "Version":"1",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "oss:ReplicateList",
                "oss:ReplicateGet"
             ],
             "Resource":[
                "acs:oss:*:*:src-bucket",
                "acs:oss:*:*:src-bucket/*"
             ]
          }
       ]
    }

RAM role authorization required for the account of the destination bucket

Use Account B to attach a bucket policy to the destination bucket that grants the RAM role of Account A the minimum permissions required for data replication. The principal is the assumed-role ARN of that role, so the grant applies only to sessions of that role and not to other identities in Account A.

{
    "Version": "1",
    "Statement": [
       {
        "Effect": "Allow",
        "Action": [
            "oss:ReplicateList",
            "oss:ReplicateGet",
            "oss:ReplicatePut",
            "oss:ReplicateDelete"
        ],
        "Principal": [
            "arn:sts::src-uid:assumed-role/role-name/*"
        ],
        "Resource": [
            "acs:oss:*:dest-uid:dest-bucket",
            "acs:oss:*:dest-uid:dest-bucket/*"
         ]
      }
   ]
}

The following list describes the parameters in the preceding bucket policy.

  • src-uid: The UID of the Alibaba Cloud account (Account A) to which the source bucket belongs.

  • role-name: The name of the RAM role created by Account A, the account to which the source bucket belongs.

  • dest-uid: The UID of the Alibaba Cloud account (Account B) to which the destination bucket belongs.

  • dest-bucket: The name of the destination bucket.
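The following Python script is an added example and is not part of this page or of the OSS SDK. It builds the trust policy, the RAM policies, and the bucket policy shown in the same-account and cross-account sections above from bucket names and account UIDs, omits oss:ReplicateDelete when the replication policy is not Add/Delete/Change, and lints a policy for anything broader than replication needs (non-Replicate actions, wildcard actions, wildcard or unexpected buckets, extra trust-policy principals). The function names and the placeholder values src-bucket, dest-bucket, src-uid, dest-uid and role-name are assumptions for illustration; nothing here calls the OSS API.

```python
"""Build and lint the OSS replication policies described on this page (added example)."""
import json

OSS_SERVICE_PRINCIPAL = "oss.aliyuncs.com"
REPLICATE_READ = ["oss:ReplicateList", "oss:ReplicateGet"]


def _as_list(value):
    """RAM policies accept a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def bucket_arns(bucket, uid="*"):
    """Bucket-level and object-level ARNs; replication needs both."""
    return [f"acs:oss:*:{uid}:{bucket}", f"acs:oss:*:{uid}:{bucket}/*"]


def dest_actions(delete_sync):
    """Destination actions; oss:ReplicateDelete only for Add/Delete/Change replication."""
    actions = REPLICATE_READ + ["oss:ReplicatePut"]
    if delete_sync:
        actions.append("oss:ReplicateDelete")
    return actions


def trust_policy():
    """Trust policy: only the OSS service may assume the replication role."""
    return {"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                           "Principal": {"Service": [OSS_SERVICE_PRINCIPAL]}}],
            "Version": "1"}


def same_account_policy(src_bucket, dest_bucket, delete_sync=True):
    """RAM policy within one account: read on the source, read/write on the destination."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(REPLICATE_READ), "Resource": bucket_arns(src_bucket)},
        {"Effect": "Allow", "Action": dest_actions(delete_sync), "Resource": bucket_arns(dest_bucket)},
    ]}


def cross_account_source_policy(src_bucket):
    """RAM policy attached in Account A: read-only on its own source bucket."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(REPLICATE_READ), "Resource": bucket_arns(src_bucket)}]}


def cross_account_dest_bucket_policy(src_uid, role_name, dest_uid, dest_bucket, delete_sync=True):
    """Bucket policy set in Account B; the principal matches sessions of Account A's role only."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": dest_actions(delete_sync),
        "Principal": [f"arn:sts::{src_uid}:assumed-role/{role_name}/*"],
        "Resource": bucket_arns(dest_bucket, dest_uid)}]}


def check_trust_policy(policy):
    """Flag anything other than the OSS service being allowed to assume the role."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            problems.append(f"statement {i}: trust policy should allow only sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            problems.append(f"statement {i}: Principal must be a Service map")
            continue
        extra = sorted(k for k in principal if k != "Service")
        if extra:
            problems.append(f"statement {i}: non-service principals {extra} can assume the role")
        for svc in _as_list(principal.get("Service")):
            if svc != OSS_SERVICE_PRINCIPAL:
                problems.append(f"statement {i}: unexpected service principal {svc}")
    return problems


def check_replication_policy(policy, allowed_buckets):
    """Least-privilege lint: only oss:Replicate* actions, no wildcards, only the named buckets."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if not action.startswith("oss:Replicate") or "*" in action:
                problems.append(f"statement {i}: action {action} is broader than replication needs")
        for arn in _as_list(stmt.get("Resource")):
            # acs:oss:<region>:<uid>:<bucket>[/<object>] -> keep only the bucket part
            bucket = arn.split(":", 4)[-1].split("/", 1)[0]
            if "*" in bucket or bucket not in allowed_buckets:
                problems.append(f"statement {i}: resource {arn} is outside the replication buckets")
    return problems


if __name__ == "__main__":
    # Placeholder names match the ones used on this page.
    print(json.dumps(same_account_policy("src-bucket", "dest-bucket"), indent=2))
    print(json.dumps(cross_account_dest_bucket_policy(
        "src-uid", "role-name", "dest-uid", "dest-bucket"), indent=2))
```

Run the linter against the policies you actually attach (for example, the JSON you pass to a bucket policy API) before enabling replication; an oss:* action or an acs:oss:*:*:* resource in the role's policy turns a replication role into a general-purpose OSS credential for anyone who can make OSS assume it.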
