This topic describes the operations that you must perform before you migrate data.
Step 1: Create a destination bucket
Create a destination bucket in the Object Storage Service (OSS) console to store the migrated data. For more information, see Create buckets.
Step 2: Grant permissions to the RAM user that is used to log on to the console
The Resource Access Management (RAM) user is used to perform the data migration task. You must create RAM roles and perform migration as the RAM user. We recommend that you create the RAM user within the Alibaba Cloud account that owns the source or destination OSS bucket.
For more information, see Create a RAM user and grant permissions to the RAM user.
Log on to the RAM console with an Alibaba Cloud account. On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.
System policy: Attach the AliyunOSSImportFullAccess policy to the RAM user.
Custom policy: Attach a custom policy that includes the ram:CreateRole, ram:CreatePolicy, ram:AttachPolicyToRole, and ram:ListRoles permissions to the RAM user.
For more information about how to attach a custom policy, see Create custom policies. The following sample code provides an example of the custom policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateRole",
        "ram:CreatePolicy",
        "ram:AttachPolicyToRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
Step 3: Grant permissions on the destination bucket
Perform the corresponding operations based on whether the destination bucket belongs to the current Alibaba Cloud account.
The destination bucket belongs to the current Alibaba Cloud account
Automatic authorization
We recommend that you use automatic authorization in the Data Online Migration console. For more information, see the "Step 3: Create a destination data address" section of the Migrate data topic.
Manual authorization
Note: You can perform manual authorization in the following scenarios:
You want to grant permissions on multiple source buckets to a RAM role. This allows you to effectively manage multiple source buckets.
You do not want to create more RAM roles because the number of RAM roles within the current Alibaba Cloud account is close to the upper limit.
Automatic authorization is not applicable or cannot be used.
1. Create a RAM role that is used to migrate data
Log on to the RAM console in which the RAM user is created. On the Roles page, click Create Role.
Select Alibaba Cloud Service for the Select Trusted Entity parameter.
Select Normal Service Role for the Role Type parameter.
Enter the role name in the RAM Role Name field. The role name must be lowercase.
Select Data Online Migration for the Select Trusted Service parameter.
2. Grant permissions on the destination bucket to the RAM role
On the Roles page, find the created RAM role and click Grant Permission in the Actions column.
Custom policy: Attach a custom policy that includes the oss:List*, oss:Get*, oss:Put*, and oss:AbortMultipartUpload* permissions to the RAM role.
For more information about how to attach a custom policy, see Create custom policies. The following sample code provides an example of the custom policy:
Note: The following policy is for reference only. Replace <myDestBucket> with the name of the destination bucket.
For more information about RAM policies for OSS, see Common examples of RAM policies.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Resource": [
        "acs:oss:*:*:<myDestBucket>",
        "acs:oss:*:*:<myDestBucket>/*"
      ]
    }
  ]
}
The destination bucket does not belong to the current Alibaba Cloud account
1. Create a RAM role that is used to migrate data
Log on to the RAM console in which the RAM user is created. On the Roles page, click Create Role.
Select Alibaba Cloud Service for the Select Trusted Entity parameter.
Select Normal Service Role for the Role Type parameter.
Enter the role name in the RAM Role Name field. The role name must be lowercase.
Select Data Online Migration for the Select Trusted Service parameter.
2. Grant permissions on the destination bucket to the RAM role
If you configure a bucket policy by specifying policy statements to grant the RAM role the required permissions, the new bucket policy overwrites the existing bucket policy. Make sure that the new bucket policy contains the content of the existing bucket policy. Otherwise, the authorization based on the existing bucket policy may fail.
Log on to the OSS console with the Alibaba Cloud account that owns the destination bucket.
In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the destination bucket.
In the left-side pane of the bucket details page, choose Permission Control > Bucket Policy.
On the Bucket Policy tab, click Add by Syntax. On the page that appears, click Edit, enter the custom bucket policy in the code editor, and then click Save.
Grant the RAM role the permissions to query, read, delete, and write all resources in the destination bucket.
The following policy is for reference only. Replace <otherDestBucket> with the name of the destination bucket, <otherUid> with the ID of the Alibaba Cloud account that owns the destination bucket, <myUid> with the ID of the Alibaba Cloud account that is used to log on to the Data Online Migration console, and <roleName> with the name of the RAM role that you created. For more information about RAM policies for OSS, see Common examples of RAM policies.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Principal": [
        "arn:sts::<myUid>:assumed-role/<roleName>/*"
      ],
      "Resource": [
        "acs:oss:*:<otherUid>:<otherDestBucket>",
        "acs:oss:*:<otherUid>:<otherDestBucket>/*"
      ]
    }
  ]
}
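Because saving a new bucket policy overwrites the existing one, the statement above should be merged into the policy that is already on the bucket rather than pasted on its own. The following Python sketch is an added example, not part of the Alibaba Cloud documentation: it builds the statement, merges it into an existing policy, and reports any statement that a proposed policy would drop. The helper names are hypothetical, and the existing policy, account IDs, role name, and bucket name are constructed sample values.

```python
import copy
import json

def migration_statement(my_uid, role_name, other_uid, bucket):
    """Bucket-policy statement from this page, filled with the caller's values."""
    return {
        "Effect": "Allow",
        "Action": ["oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"],
        "Principal": [f"arn:sts::{my_uid}:assumed-role/{role_name}/*"],
        "Resource": [f"acs:oss:*:{other_uid}:{bucket}",
                     f"acs:oss:*:{other_uid}:{bucket}/*"],
    }

def _key(stmt):
    # Canonical form so statements compare equal regardless of key or list order.
    norm = {k: sorted(v) if isinstance(v, list) else v for k, v in stmt.items()}
    return json.dumps(norm, sort_keys=True)

def merge_bucket_policy(existing, new_stmt):
    """Return a copy of `existing` with new_stmt appended once; nothing is dropped."""
    merged = copy.deepcopy(existing) if existing else {"Version": "1", "Statement": []}
    stmts = merged.setdefault("Statement", [])
    if _key(new_stmt) not in {_key(s) for s in stmts}:
        stmts.append(new_stmt)
    return merged

def lost_statements(existing, proposed):
    """Statements in the existing policy that the proposed policy would remove."""
    kept = {_key(s) for s in proposed.get("Statement", [])}
    return [s for s in existing.get("Statement", []) if _key(s) not in kept]

# Constructed sample: policy already saved on the destination bucket.
EXISTING = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:GetObject"],
    "Principal": ["1000000000000001"],
    "Resource": ["acs:oss:*:2000000000000002:example-dest-bucket/reports/*"],
}]}
# Constructed account IDs, role name and bucket name.
NEW = migration_statement("3000000000000003", "example-migration-role",
                          "2000000000000002", "example-dest-bucket")

if __name__ == "__main__":
    merged = merge_bucket_policy(EXISTING, NEW)
    assert not lost_statements(EXISTING, merged)  # safe to paste into Add by Syntax
    assert lost_statements(EXISTING, {"Version": "1", "Statement": [NEW]})  # overwrite
    print(json.dumps(merged, indent=2))
```

Copy the current policy from the Bucket Policy tab into EXISTING before merging, and save the policy only when lost_statements returns an empty list.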