Data Transmission Service (DTS) allows you to migrate or synchronize data across Alibaba Cloud accounts. This topic describes how to configure Resource Access Management (RAM) authorization for the Alibaba Cloud account to which a database instance belongs before you configure cross-account DTS tasks.
Background information
Before you configure a cross-account DTS task (a task in which the Replicate Data Across Alibaba Cloud Accounts parameter is set to Yes), you must configure RAM authorization for the Alibaba Cloud account to which a database instance belongs (hereinafter referred to as Account A). You must specify the Alibaba Cloud account that is used to configure the DTS task (hereinafter referred to as Account B) as a trusted account and authorize Account B to access the cloud resources of Account A by using DTS.
What is a cross-account DTS task?
A cross-account DTS task, also known as a DTS task across Alibaba Cloud accounts, is a DTS task where the source or destination database instance belongs to an Alibaba Cloud account different from the Alibaba Cloud account that is used to create the DTS task.
Supported databases
A source or destination database instance that supports a cross-account DTS task is determined by only the Database Type and Access Method. The following table lists the database instances that support the cross-account DTS task.
The setting of the Replicate Data Across Alibaba Cloud Accounts parameter for the source database does not affect the setting of the Database Type parameter of the destination database.
Source database
Database type | Access method |
MySQL | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway, Self-managed Database on ECS |
PolarDB for MySQL | Alibaba Cloud Instance |
Tair/Redis | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway, Self-managed Database on ECS, Cloud Enterprise Network (CEN), Database Gateway |
SQL Server | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway |
PostgreSQL | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway |
MongoDB | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway, Self-managed Database on ECS, Cloud Enterprise Network (CEN) |
Oracle | Express Connect, VPN Gateway, or Smart Access Gateway |
PolarDB (Compatible with Oracle) | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway |
PolarDB for PostgreSQL | Alibaba Cloud Instance |
PolarDB-X 1.0 | Alibaba Cloud Instance |
PolarDB-X 2.0 | Alibaba Cloud Instance |
DB2 for iSeries (AS/400) | Express Connect, VPN Gateway, or Smart Access Gateway |
DB2 for LUW | Express Connect, VPN Gateway, or Smart Access Gateway, Self-managed Database on ECS |
MariaDB | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway, Self-managed Database on ECS |
ApsaraDB OceanBase for MySQL | Alibaba Cloud Instance, Express Connect, VPN Gateway, or Smart Access Gateway, Self-managed Database on ECS |
SLS | Alibaba Cloud Instance |
AnalyticDB for MySQL 3.0 | Alibaba Cloud Instance |
Destination database
Database type | Access method |
MySQL | Alibaba Cloud Instance |
PolarDB for MySQL | Alibaba Cloud Instance |
AnalyticDB for MySQL 3.0 | Alibaba Cloud Instance |
Tair/Redis | Alibaba Cloud Instance |
ClickHouse | Alibaba Cloud Instance |
SelectDB | Alibaba Cloud Instance |
MongoDB | Alibaba Cloud Instance |
Account information
In a cross-account DTS task, the Alibaba Cloud accounts to use, namely the accounts to which the source and destination databases belong and the account that is used to create the DTS task, depend on the across-account database.
Across-account database: When you configure a DTS task, set the Replicate Data Across Alibaba Cloud Accounts parameter to Yes.
The following table describes how to decide the Alibaba Cloud accounts that you need to use in different stages of a cross-account DTS task. You must decide the across-account database that you want to use first. Find the row that meets your business requirements based on the Across-account database column. Then, you can view the Alibaba Cloud accounts that you need to use in different stages of the cross-account DTS task.
Cross-account database | Alibaba Cloud account that is used to log on to the RAM console | Alibaba Cloud account that is specified in the trust policy | Alibaba Cloud account that is used to create a DTS task | Alibaba Cloud account that is configured for a DTS task |
Source database | Alibaba Cloud account to which the source database belongs | Alibaba Cloud account to which the destination database belongs | Alibaba Cloud account to which the destination database belongs | Set the Alibaba Cloud Account parameter in the Source Database section to the Alibaba Cloud account to which the source database belongs. |
Destination database | Alibaba Cloud account to which the destination database belongs | Alibaba Cloud account to which the source database belongs | Alibaba Cloud account to which the source database belongs | Set the Alibaba Cloud Account parameter in the Destination Database section to the Alibaba Cloud account to which the destination database belongs. |
Source and destination databases | Alibaba Cloud account to which the source and destination databases belong | Specific Alibaba Cloud account | Specific Alibaba Cloud account | |
Procedure
Obtain the ID of the Alibaba Cloud account.
Obtain the ID of the Alibaba Cloud account to which a database instance belongs and that is used to create a DTS task.
Create a RAM role.
Create a RAM role for the DTS task by using the ID of the Alibaba Cloud account to which the database instance belongs.
Grant permissions.
Grant permissions to the created RAM role.
Edit the trust policy.
Edit the trust policy of the RAM role.
Prerequisites
Account A has authorized the RAM role of DTS to access its cloud resources. For more information, see Authorize DTS to access Alibaba Cloud resources.
Usage notes
You can configure a two-way synchronization task across Alibaba Cloud accounts only between ApsaraDB RDS for MySQL instances, between PolarDB for MySQL clusters, between Tair (Enterprise Edition) instances, between ApsaraDB for MongoDB replica set instances, and between ApsaraDB for MongoDB sharded cluster instances.
A two-way synchronization task across Alibaba Cloud accounts is similar to the scenarios that synchronize data across Alibaba Cloud accounts. Neither the source instance nor the destination instance belongs to the Alibaba Cloud account that is used to create the data synchronization task. You must configure RAM authorization for the Alibaba Cloud accounts to which the source and destination instances belong.
You cannot use DTS to synchronize data between accounts of different infrastructures. For example, you cannot use DTS to synchronize data between an Alibaba Finance Cloud account and an Alibaba Gov Cloud account.
Log on to the RAM console by using your Alibaba Cloud account. If you grant permissions to a RAM role as a RAM user, an error message that indicates invalid permissions may appear when you configure a DTS task.
Preparations
Obtain the ID of the Alibaba Cloud account to which the source database belongs
To obtain the ID of the Alibaba Cloud account to which the source instance belongs, log on to the Security Settings page by using the account and view the Account ID.
Obtain the ID of the Alibaba Cloud account to which the destination database belongs
To obtain the ID of the Alibaba Cloud account to which the destination instance belongs, log on to the Security Settings page by using the account and view the Account ID.
Obtain the ID of the Alibaba Cloud account that is used to create a DTS task
To obtain the ID of the Alibaba Cloud account that is used to create a DTS task, log on to the Security Settings page by using the account and view the Account ID.
Scenario 1: A cross-account DTS task where the source database does not belong to the Alibaba Cloud account that is used to create the DTS task
Step 1: Create a RAM role
Log on to the RAM console using the Alibaba Cloud account to which the source database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Click Create Role on the Roles page.
In the Create Role panel, select Alibaba Cloud Account as the trusted entity and then click Next.
Configure the RAM role in the page that appears.
Parameters | Description |
RAM Role Name | The name of the RAM role. In this example, ram-for-dts is specified. Note: The role name must be equal to or less than 64 characters in length and can contain letters, digits, and hyphens (-). |
Note | Optional. The description for the RAM role. |
Select Trusted Alibaba Cloud Account | Select Other Alibaba Cloud Account, and enter the ID of the Alibaba Cloud account to which the destination database belongs. Note: For more information, see Obtain the ID of the Alibaba Cloud account to which the destination database belongs in the Preparations section of this topic. |
Click OK.
Step 2: Grant permissions to the RAM role
On the page where a role is successfully created
Click Input and Attach.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the source database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
Step 3: Edit the trust policy of a RAM role
On the Trust Policy tab
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account to which the destination database belongs.
Note: For more information, see Obtain the ID of the Alibaba Cloud account to which the destination database belongs in the Preparations section of this topic.
Click Save trust policy document.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the source database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account to which the destination database belongs.
Note: For more information, see Obtain the ID of the Alibaba Cloud account to which the destination database belongs in the Preparations section of this topic.
Click Save trust policy document.
Scenario 2: A cross-account DTS task where the destination database does not belong to the Alibaba Cloud account that is used to create the DTS task
Step 1: Create a RAM role
Log on to the RAM console using the Alibaba Cloud account to which the destination database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Click Create Role on the Roles page.
In the Create Role panel, select Alibaba Cloud Account as the trusted entity and then click Next.
Configure the RAM role in the page that appears.
Configuration options | Configuration description |
RAM Role Name | The name of the RAM role. In this example, ram-for-dts is specified. Note: The role name must be equal to or less than 64 characters in length and can contain letters, digits, and hyphens (-). |
Note | Optional. The description for the RAM role. |
Select Trusted Alibaba Cloud Account | Select Other Cloud Account, and enter the ID of the Alibaba Cloud account to which the source database belongs. Note: For more information, see Obtain the ID of the Alibaba Cloud account to which the source database belongs in the Preparations section of this topic. |
Click OK.
Step 2: Grant permissions to the RAM role
On the page where a role is successfully created
Click Input and Attach.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the destination database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
Step 3: Edit the trust policy of the RAM role
On the Trust Policy tab
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account to which the source database belongs.
Note: For more information, see Obtain the ID of the Alibaba Cloud account to which the source database belongs in the Preparations section of this topic.
Click Save trust policy document.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the destination database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account to which the source database belongs.
Note: For more information, see Obtain the ID of the Alibaba Cloud account to which the source database belongs in the Preparations section of this topic.
Click Save trust policy document.
Scenario 3: A cross-account DTS task where the source and destination databases do not belong to the Alibaba Cloud account that is used to create the DTS task
Step 1: Configure RAM authorization by using the Alibaba Cloud account to which the source database belongs
Create a RAM role.
Log on to the RAM console using the Alibaba Cloud account to which the source database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Click Create Role on the Roles page.
In the Create Role panel, select Alibaba Cloud Account as the trusted entity and then click Next.
Configure the RAM role in the page that appears.
Parameter | Description |
RAM Role Name | The name of the RAM role. In this example, ram-for-dts is specified. Note: The role name must be equal to or less than 64 characters in length and can contain letters, digits, and hyphens (-). |
Note | Optional. The description for the RAM role. |
Select Trusted Alibaba Cloud Account | Select Other Cloud Account, and enter the ID of the Alibaba Cloud account that is used to create a DTS task. Note: For more information, see Obtain the ID of the Alibaba Cloud account that is used to create a DTS task in the Preparations section of this topic. |
Click OK.
Grant permissions to the RAM role.
On the page where a role is successfully created
Click Input and Attach.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the source database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
Edit the trust policy of the RAM role.
On the Trust Policy tab
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account that is used to create a DTS task.
Note: For more information, see Obtain the ID of the Alibaba Cloud account that is used to create a DTS task in the Preparations section of this topic.
Click Save trust policy document.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the source database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account that is used to create a DTS task.
Note: For more information, see Obtain the ID of the Alibaba Cloud account that is used to create a DTS task in the Preparations section of this topic.
Click Save trust policy document.
Step 2: Configure RAM authorization by using the Alibaba Cloud account to which the destination database belongs
Create a RAM role.
Log on to the RAM console using the Alibaba Cloud account to which the destination database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Click Create Role on the Roles page.
In the Create Role panel, select Alibaba Cloud Account as the trusted entity and then click Next.
Configure the RAM role in the page that appears.
Parameters | Description |
RAM Role Name | The name of the RAM role. In this example, ram-for-dts is specified. Note: The role name must be equal to or less than 64 characters in length and can contain letters, digits, and hyphens (-). |
Note | Optional. The description for the RAM role. |
Select Trusted Alibaba Cloud Account | Select Other Cloud Account, and enter the ID of the Alibaba Cloud account that is used to create a DTS task. Note: For more information, see Obtain the ID of the Alibaba Cloud account that is used to create a DTS task in the Preparations section of this topic. |
Click OK.
Grant permissions to the RAM role.
On the page where a role is successfully created
Click Input and Attach.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the destination database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy.
Enter a Policy Name. In this example, AliyunDTSRolePolicy is specified.
Click OK.
Click Close in the panel that appears.
Edit the trust policy of the RAM role.
On the Trust Policy tab
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account that is used to create a DTS task.
Note: For more information, see Obtain the ID of the Alibaba Cloud account that is used to create a DTS task in the Preparations section of this topic.
Click Save trust policy document.
On the Roles page
Go to the Roles page.
Log on to the RAM console using the Alibaba Cloud account to which the destination database belongs.
In the left-side navigation pane, choose .
Important: Do not choose , as this will prevent DTS from accessing the database instance, resulting in an error.
Find and click a role that you want to manage on the Roles page.
Click the Trust Policy tab.
Click Edit Trust Policy.
Replace the policy text with the following sample code.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Alibaba Cloud account ID>:root"
        ],
        "Service": [
          "<Alibaba Cloud account ID>@dts.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Replace the two <Alibaba Cloud account ID> placeholders in the sample code with the ID of the Alibaba Cloud account that is used to create a DTS task.
Note: For more information, see Obtain the ID of the Alibaba Cloud account that is used to create a DTS task in the Preparations section of this topic.
Click Save trust policy document.
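The following Python check is an added example and is not part of the original documentation. It renders the sample trust policy from the Edit the trust policy steps for one trusted account and audits a trust policy document for leftover placeholders, mismatched account IDs, and principals outside the expected account. The function names are hypothetical and the account IDs are constructed.

```python
import json
import re

# Principal formats taken from the sample trust policy on this page.
PATTERNS = {
    "RAM": re.compile(r"^acs:ram::(.+):root$"),
    "Service": re.compile(r"^(.+)@dts\.aliyuncs\.com$"),
}


def build_trust_policy(trusted_account_id):
    """Render the page's sample policy for the one account to be trusted."""
    if not trusted_account_id.isdigit():
        raise ValueError("account ID must be numeric: %r" % trusted_account_id)
    return json.dumps({
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": ["acs:ram::%s:root" % trusted_account_id],
                "Service": ["%s@dts.aliyuncs.com" % trusted_account_id],
            },
        }],
        "Version": "1",
    }, indent=2)


def audit_trust_policy(policy_text, expected_account_id):
    """Return findings; an empty list means the policy trusts exactly the
    expected account, as both the RAM root and the DTS service principal."""
    findings, seen = [], set()
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements extend trust
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append("unexpected Principal value: %r" % (principal,))
            continue
        for kind, entries in principal.items():
            entries = entries if isinstance(entries, list) else [entries]
            for entry in entries:
                pattern = PATTERNS.get(kind)
                match = pattern.match(str(entry)) if pattern else None
                if match is None:
                    findings.append("unexpected %s principal: %s" % (kind, entry))
                elif not match.group(1).isdigit():
                    findings.append("placeholder left in %s principal: %s" % (kind, entry))
                elif match.group(1) != expected_account_id:
                    findings.append("%s principal trusts another account: %s" % (kind, entry))
                else:
                    seen.add(kind)
    for kind in PATTERNS:
        if kind not in seen:
            findings.append("no %s principal for account %s" % (kind, expected_account_id))
    return findings


# Constructed account IDs, for illustration only.
TASK_ACCOUNT = "1234567890123456"
OTHER_ACCOUNT = "6543210987654321"

if __name__ == "__main__":
    good = build_trust_policy(TASK_ACCOUNT)
    print(audit_trust_policy(good, TASK_ACCOUNT))
    # Only one of the two placeholders was replaced with the right account.
    mixed = good.replace(TASK_ACCOUNT + "@dts", OTHER_ACCOUNT + "@dts")
    for finding in audit_trust_policy(mixed, TASK_ACCOUNT):
        print(finding)
```

Run the audit against the text copied from the Trust Policy tab before you save it; any finding means the role trusts something other than the single account named in the scenario.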
What to do next
After you grant permissions to the RAM role, you can create a cross-account DTS task. For more information, see Configure a DTS task across Alibaba Cloud accounts.