Data Transmission Service (DTS) allows you to migrate or synchronize data across Alibaba Cloud accounts. This topic describes how to configure Resource Access Management (RAM) authorization for the Alibaba Cloud account to which the source or destination instance belongs before you configure cross-account DTS tasks.
Background information
Before you configure a cross-account DTS task, you must configure RAM authorization for the Alibaba Cloud account to which a database instance belongs (hereinafter referred to as Account A). You must specify the Alibaba Cloud account that is used to configure the DTS task (hereinafter referred to as Account B) as a trusted account and authorize Account B to access the cloud resources of Account A by using DTS.
Supported databases
The following table describes the databases for which you can configure the Replicate Data Across Alibaba Cloud Accounts parameter when you configure a DTS task.
The setting of the Replicate Data Across Alibaba Cloud Accounts parameter for the source database does not affect the setting of the Database Type parameter for the destination database.
Database instance | Alibaba Cloud database instance | Self-managed database |
Source database | ApsaraDB RDS for MySQL, ApsaraDB RDS for MariaDB, ApsaraDB RDS for PostgreSQL, ApsaraDB RDS for SQL Server, PolarDB-X 1.0, PolarDB-X 2.0, PolarDB for PostgreSQL, PolarDB for PostgreSQL (Compatible with Oracle), PolarDB for MySQL, Tair (Redis OSS-Compatible), ApsaraDB for MongoDB, AnalyticDB MySQL 3.0, and ApsaraDB for OceanBase (MySQL mode). |
|
Destination database | ApsaraDB RDS for MySQL, PolarDB for MySQL, ApsaraDB for SelectDB, Tair (Redis OSS-Compatible), and ApsaraDB for ClickHouse, AnalyticDB MySQL 3.0. | Not supported. |
Prerequisites
Account A has authorized the RAM role of DTS to access its cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.
The IDs of Account A and Account B are obtained. To obtain the IDs of the Alibaba Cloud accounts, log on to the Alibaba Cloud Management Console, go to the Security Settings page, and then view the value of the Account ID parameter in the upper-right corner.
Limits
Two-way synchronization across Alibaba Cloud accounts is supported only between ApsaraDB RDS for MySQL instances.
You cannot use DTS to synchronize data between accounts of different infrastructures. For example, you cannot use DTS to synchronize data between an Alibaba Finance Cloud account and an Alibaba Gov Cloud account.
Procedure
Create a RAM role for the database instance.
NoteIf you grant permissions to a RAM role by using a RAM user, an error message about invalid permissions may appear when you configure a DTS task.
You do not need to create a RAM role for the database instance of a DTS task for which the Replicate Data Across Alibaba Cloud Accounts parameter is unavailable or is set to No.
Log on to the RAM console by using the Alibaba Cloud account to which the source or destination instance belongs.
In the left-side navigation pane, choose .
ImportantDo not choose
. Otherwise, DTS cannot access the instance, and an error may be reported.On the Roles page, click Create Role.
On the Create Role page, set the Select Trusted Entity parameter to Alibaba Cloud Account and click Next.
In the Configure Role step, configure parameters for the RAM role.
Parameter
Description
RAM Role Name
The name of the RAM role. In this example, ram-for-dts is specified.
NoteThe name must be 1 to 64 characters in length and can contain letters, digits, and hyphens (-).
Note
Optional. The description of the RAM role.
Select Trusted Alibaba Cloud Account
Select Other Alibaba Cloud Account and enter the ID of the Alibaba Cloud account that is used to create the DTS task.
Click OK.
Grant permissions to the created RAM role.
Click Input and Attach.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
In the Policy Name field, enter AliyunDTSRolePolicy.
In the message that appears, click OK.
Click Close.
Modify the trust policy.
Optional. On the Roles page, find the created RAM role and click its name.
On the details page of the RAM role, click the Trust Policy tab.
On the Trust Policy tab, click Edit Trust Policy.
Copy the following code to the code editor:
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::<Alibaba Cloud account ID>:root" ], "Service": [ "<Alibaba Cloud account ID>@dts.aliyuncs.com" ] } } ], "Version": "1" }
Replace
<Alibaba Cloud account ID>
in the preceding code with the ID of the Alibaba Cloud account that is used to create the DTS task.Click Save trust policy document.
What to do next
After you grant permissions to the RAM role, you can create a cross-account DTS task. For more information, see Overview of data synchronization scenarios, Overview of data migration scenarios, and Overview of change tracking scenarios.
You need to log on to the DTS console by using the
<Alibaba Cloud account ID>
that is configured in the trust policy to create a task.When you configure the task, set the Replicate Data Across Alibaba Cloud Accounts parameter to Yes, set the Alibaba Cloud Account parameter to the ID of the Alibaba Cloud account to which the database instance belongs, and set the RAM Role Name parameter to the name of the RAM role that is configured for the Alibaba Cloud account to which the database instance belongs. In this example, the RAM Role Name parameter is set to ram-for-dts.
FAQ
What Alibaba Cloud accounts do I use in different stages of a cross-account DTS task?
In a cross-account DTS task, the use of each Alibaba Cloud account is related to the database of the Alibaba Cloud account. Take note of the following items when you decide to use an Alibaba Cloud account:
NoteThe accounts that you use during the DTS task are Alibaba Cloud accounts.
If a database to be used during the task does not belong to the Alibaba Cloud account that you use to create the DTS task, set the Replicate Data Across Alibaba Cloud Accounts parameter of the database to Yes.
The Databases that support the Replicate Data Across Alibaba Cloud Accounts parameter, see Supported databases.
The following table describes how to decide the Alibaba Cloud accounts that you need to use in different stages of the cross-account DTS task. You must decide the across-account database that you want to use first. Find the row that meets your business requirements based on the Across-account database column. Then, you can view the Alibaba Cloud accounts that you need to use in different stages of the cross-account DTS task.
Across-account database
Alibaba Cloud account that is used to log on to the RAM console
Alibaba Cloud account that is specified in the trust policy
Alibaba Cloud Account that is used to create the DTS task
Alibaba Cloud account that is configured for the Alibaba Cloud Account parameter
Source database
Alibaba Cloud account to which the source database belongs
Alibaba Cloud account to which the destination database belongs
Alibaba Cloud account to which the destination database belongs
Set the Alibaba Cloud Account parameter in the Source Database section to the Alibaba Cloud account to which the source database belongs.
Destination database
Alibaba Cloud account to which the destination database belongs
Alibaba Cloud account to which the source database belongs
Alibaba Cloud account to which the source database belongs
Set the Alibaba Cloud Account parameter in the Destination Database section to the Alibaba Cloud account to which the destination database belongs.
Source and destination databases
Each of the Alibaba Cloud accounts to which the source and destination database belong
Specific Alibaba Cloud account
Specific Alibaba Cloud account
Set the Alibaba Cloud Account parameter in the Source Database section to the Alibaba Cloud account to which the source database belongs.
Set the Alibaba Cloud Account parameter in the Destination Database section to the Alibaba Cloud account to which the destination database belongs.
How do I handle the errors that occur when I configure a cross-account DTS task?
The following table shows the common error messages that appear when you configure a cross-account DTS task and provides the corresponding solutions.
Error message
Solution
The value of the Alibaba Cloud Account parameter is invalid. Check whether you enter a valid ID of the Alibaba Cloud account to which the source or destination instance belongs. For more information, see the Preparations section of this topic.
These errors may occur due to the following reasons:
The value of the RAM Role Name parameter is invalid. Check whether you enter a valid RAM role name of the Alibaba Cloud account to which the source or destination instance belongs.
The required permissions are not granted to the RAM role. Use the Alibaba Cloud account to which the source or destination instance belongs to grant permissions.
NoteFor more information, see the Preparations section of this topic.
These errors may occur due to the following reasons:
The value of the RAM Role Name parameter is invalid. Check whether you enter a valid RAM role name of the Alibaba Cloud account to which the source or destination instance belongs.
The required permissions are not granted to the RAM role. Check whether you have granted the required permissions to the RAM role.
The trust policy of the RAM role is not modified. Check whether you have modified the trust policy for the RAM role.
NoteFor more information, see the Preparations section of this topic.
The RAM role that you specify in the RAM Role Name parameter is not granted the required permissions. To grant the required permissions to the RAM role, go to the details page of the RAM role. On the Permissions tab, click Precise Permission and specify the policy in the Precise Permission panel. Then, create the task again. For example, you must grant the required permissions to the RAM role of the Alibaba Cloud account to which the source instance belongs. For information about how to grant permissions to a RAM role, see the "Grant permissions to an existing RAM role" section of the Configure RAM authorization for cross-account DTS tasks topic.
The value of the RAM Role Name parameter is invalid. Enter the RAM role that you create during preparations instead of the default role AliyunDTSDefaultRole of DTS.
Grant permissions to an existing RAM role
Log on to the RAM console by using the Alibaba Cloud account to which the source instance belongs.
In the left-side navigation pane, choose
.Enter the name of the RAM role in the search box to the right of Create Role.
Find the RAM role and click Input and Attach in the Actions column.
In the Add Permissions panel, set the Policy Name parameter to AliyunDTSRolePolicy.
NoteBy default, the Type parameter is set to System Policy.
Click OK.