Cross-account data migration refers to data migration between buckets that belong to different Alibaba Cloud accounts. This topic describes how to attach policies to Resource Access Management (RAM) roles for cross-account data migration.
Prerequisites
If the account used to log on to the Data Online Migration console is the same as the source account, the destination account, and the account used to store the inventory list, create a RAM role and attach the required policies to it. For more information, see the "Migrate data within the same Alibaba Cloud account" section of the "Preparations" topic. Supported inventory list types are AWS S3 Inventory, HTTP/HTTPS, and Alibaba Cloud OSS Inventory. In this topic, an Alibaba Cloud account, Account D, is used to store the inventory list. If Account D stores the inventory list in Object Storage Service (OSS) and is different from the account used to log on to the Data Online Migration console, see the "Migrate data across Alibaba Cloud accounts" section of the "Preparations" topic.
The following items describe the accounts and buckets that are used in this topic:
An Alibaba Cloud account, Account A, is created and is used to log on to the Data Online Migration console, create source and destination data addresses, and create a migration task.
An Alibaba Cloud account, Account B, is created. A bucket, Bucket B, is created in a region within Account B as the source bucket for cross-account data migration. The UID of Account B, the name of Bucket B, and the region in which Bucket B resides are recorded.
An Alibaba Cloud account, Account C, is created. A bucket, Bucket C, is created in a region within Account C as the destination bucket for cross-account data migration. The UID of Account C, the name of Bucket C, and the region in which Bucket C resides are recorded.
An Alibaba Cloud account, Account D, is created. A bucket, Bucket D, is created in a region within Account D to store the inventory list for cross-account data migration. The UID of Account D, the name of Bucket D, and the region in which Bucket D resides are recorded.
Create a RAM role for data migration
Granting permissions directly with an Alibaba Cloud account requires the AccessKey pair of that account, which is a long-term credential. To keep that credential out of the migration setup, we recommend that you create a RAM role and attach only the policies it needs, following the principle of least privilege.
If you migrate data across accounts, we recommend that you use Account A to create one RAM role per account that is involved: Role B for Account B, Role C for Account C, and Role D for Account D, as your business requires. Then, attach the required policies to each RAM role.
Log on to the RAM console with Account A.
In the left-side navigation pane, open the Roles page. On the Roles page, click Create Role.
In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Service and click Next.
In the Selected Trusted Entity section, select Normal Service Role as Role Type, enter a RAM role name in the RAM Role Name field, and select Data Online Migration from the Select Trusted Service drop-down list. Then, click OK.
Attach policies to the RAM role for data migration in the OSS console
A bucket policy that you add by specifying policy statements replaces the bucket policy that is already in place. Make sure that the new bucket policy includes all statements of the existing bucket policy. Otherwise, the permissions granted by the existing bucket policy are lost. Replace the custom role name with the name of the role that you created. If the role name contains uppercase letters, convert them to lowercase letters before you use the name in the policy. For example, if the role name is AliyunSrcRoleA, use aliyunsrcrolea in the policy.
Use Account B to attach a policy to Role B of Account A
Log on to the OSS console with Account B and go to the details page of Bucket B.
In the left-side navigation pane, choose Permission Control > Bucket Policy.
Click the Add by Syntax tab. In the code editor, add the following policy content.
Custom policy:
The policy grants a RAM role the permissions to list and read objects in the source OSS bucket.
Note: The following policy content is for reference only. Replace <mybucket> with the name of Bucket B, <myuid> with the UID of Account B, <uid> with the UID of Account A, and <rolename> with the name of Role B. For more information about RAM policies for OSS, see Common examples of RAM policies.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:List*",
                "oss:Get*"
            ],
            "Principal": [
                "arn:sts::<uid>:assumed-role/<rolename>/*"
            ],
            "Resource": [
                "acs:oss:*:<myuid>:<mybucket>",
                "acs:oss:*:<myuid>:<mybucket>/*"
            ]
        }
    ]
}
Use Account C to attach a policy to Role C of Account A
Log on to the OSS console with Account C and go to the details page of Bucket C.
In the left-side navigation pane, choose Permission Control > Bucket Policy.
Click the Add by Syntax tab. In the code editor, add the following policy content.
Custom policy:
The policy grants a RAM role the permissions to list, read, delete, and write objects in the destination OSS bucket.
Note: The following policy content is for reference only. Replace <mybucket> with the name of Bucket C, <myuid> with the UID of Account C, <uid> with the UID of Account A, and <rolename> with the name of Role C. For more information about RAM policies for OSS, see Common examples of RAM policies.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:List*",
                "oss:Get*",
                "oss:Put*",
                "oss:AbortMultipartUpload"
            ],
            "Principal": [
                "arn:sts::<uid>:assumed-role/<rolename>/*"
            ],
            "Resource": [
                "acs:oss:*:<myuid>:<mybucket>",
                "acs:oss:*:<myuid>:<mybucket>/*"
            ]
        }
    ]
}
Use Account D to attach a policy to Role D of Account A
Log on to the OSS console with Account D and go to the details page of Bucket D.
In the left-side navigation pane, choose Permission Control > Bucket Policy.
Click the Add by Syntax tab. In the code editor, add the following policy content.
Custom policy:
The policy grants a RAM role the permissions to list and read objects in the bucket in which the inventory list resides.
Note: The following policy content is for reference only. Replace <mybucket> with the name of Bucket D, <myuid> with the UID of Account D, <uid> with the UID of Account A, and <rolename> with the name of Role D. For more information about RAM policies for OSS, see Common examples of RAM policies.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:List*",
                "oss:Get*"
            ],
            "Principal": [
                "arn:sts::<uid>:assumed-role/<rolename>/*"
            ],
            "Resource": [
                "acs:oss:*:<myuid>:<mybucket>",
                "acs:oss:*:<myuid>:<mybucket>/*"
            ]
        }
    ]
}
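The three bucket policies above share one shape, and the two mistakes this topic warns about (a new policy that silently replaces the existing one, and a role name left in uppercase) are easy to catch before anything is pasted into the console. The following Python script is an added example, not a tool from Alibaba Cloud or the Data Online Migration service: it builds a statement from the page's template with the role name lowercased, merges it into an existing bucket policy instead of replacing it, and lints the result against the least-privilege action set for the bucket's role (list and read for the source and inventory buckets, list, read, write and abort for the destination). The UIDs, bucket names and the pre-existing statement in `demo()` are constructed placeholders; the principal regular expression is an assumption that mirrors the `arn:sts::<uid>:assumed-role/<rolename>/*` form shown on this page.

```python
import json
import re
from copy import deepcopy

# Assumed pattern for the principal form used on this page; the role name part is
# required to be lowercase because bucket policies expect the lowercased role name.
PRINCIPAL_RE = re.compile(r"^arn:sts::(\d+):assumed-role/([a-z0-9][a-z0-9_.\-]*)/\*$")

# Action sets taken from the page's three policies.
READ_ACTIONS = ["oss:List*", "oss:Get*"]                                   # Bucket B, Bucket D
WRITE_ACTIONS = ["oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"]  # Bucket C


def make_statement(bucket, bucket_owner_uid, console_uid, role_name, actions):
    """Build one Allow statement in the shape used on this page.

    bucket_owner_uid is the UID of the account that owns the bucket (<myuid>);
    console_uid is the UID of the account that owns the RAM role (<uid>).
    The role name is lowercased, as the page requires.
    """
    return {
        "Effect": "Allow",
        "Action": list(actions),
        "Principal": [f"arn:sts::{console_uid}:assumed-role/{role_name.lower()}/*"],
        "Resource": [
            f"acs:oss:*:{bucket_owner_uid}:{bucket}",
            f"acs:oss:*:{bucket_owner_uid}:{bucket}/*",
        ],
    }


def merge_policy(existing_policy, new_statement):
    """Return a policy that keeps every existing statement and appends the new one.

    Adding a bucket policy by syntax replaces the previous policy, so the merged
    document, not the new statement alone, is what should go into the editor.
    """
    merged = deepcopy(existing_policy) if existing_policy else {"Version": "1", "Statement": []}
    merged.setdefault("Version", "1")
    merged.setdefault("Statement", [])
    if new_statement not in merged["Statement"]:   # skip an exact duplicate
        merged["Statement"].append(deepcopy(new_statement))
    return merged


def lint_statement(stmt, bucket, bucket_owner_uid, console_uid, allowed_actions):
    """Return a list of findings; an empty list means the statement passes."""
    findings = []
    if stmt.get("Effect") != "Allow":
        findings.append("effect is not Allow")
    for principal in stmt.get("Principal", []):
        m = PRINCIPAL_RE.match(principal)
        if not m:
            findings.append(f"principal is not in assumed-role form with a lowercase role name: {principal}")
        elif m.group(1) != console_uid:
            findings.append(f"principal belongs to UID {m.group(1)}, expected {console_uid}")
    expected_resources = {
        f"acs:oss:*:{bucket_owner_uid}:{bucket}",
        f"acs:oss:*:{bucket_owner_uid}:{bucket}/*",
    }
    for res in stmt.get("Resource", []):
        if res not in expected_resources:
            findings.append(f"resource is not scoped to the target bucket: {res}")
    for action in stmt.get("Action", []):
        if action not in allowed_actions:
            findings.append(f"action exceeds the least-privilege set for this bucket: {action}")
    return findings


def demo():
    """Constructed walk-through: Account B grants Role B of Account A read access to Bucket B."""
    account_b_uid = "111111111111111111"   # constructed placeholder for <myuid>
    account_a_uid = "222222222222222222"   # constructed placeholder for <uid>
    existing = {"Version": "1", "Statement": [{   # constructed pre-existing grant that must survive
        "Effect": "Allow",
        "Action": ["oss:GetObject"],
        "Principal": ["333333333333333333"],
        "Resource": [f"acs:oss:*:{account_b_uid}:bucket-b/public/*"],
    }]}
    stmt = make_statement("bucket-b", account_b_uid, account_a_uid, "AliyunSrcRoleB", READ_ACTIONS)
    merged = merge_policy(existing, stmt)
    findings = lint_statement(stmt, "bucket-b", account_b_uid, account_a_uid, READ_ACTIONS)
    return merged, findings


if __name__ == "__main__":
    policy, problems = demo()
    print(json.dumps(policy, indent=4))
    print("findings:", problems or "none")
```

Run the script as-is to see the merged policy for the constructed Bucket B case; to check a policy you are about to paste, load it with `json.load`, call `lint_statement` on each statement with the bucket, owner UID, Account A UID and the action set that matches the bucket's role, and treat any finding as a reason to stop before saving.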