Preparations
Create a destination bucket and configure permissions before migrating data with Data Online Migration.
Prerequisites
- An Alibaba Cloud account
- A Resource Access Management (RAM) user in the same account as your source or destination bucket
  If you haven't created a RAM user, see Create a RAM user and grant permissions.
Step 1: Create the destination bucket
Create a destination OSS bucket to store migrated data. For instructions, see Create buckets.
Step 2: Grant permissions to the RAM user
Grant the following permissions to the RAM user that creates roles and runs migration tasks.
| Permission type | Policy | Purpose |
|---|---|---|
| System policy | AliyunOSSImportFullAccess | Manage Online Migration Service |
| Custom policy | Custom RAM policy (see below) | Create and manage RAM roles for migration |
Log on to the RAM console. On the Users page, find your RAM user and click Add Permissions in the Actions column.
- System policy: Search for and attach AliyunOSSImportFullAccess.
- Custom policy: Create a custom policy with the ram:CreateRole, ram:CreatePolicy, ram:AttachPolicyToRole, and ram:ListRoles permissions, then attach it. Example:

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ram:CreateRole",
          "ram:CreatePolicy",
          "ram:AttachPolicyToRole",
          "ram:ListRoles"
        ],
        "Resource": "*"
      }
    ]
  }
Step 3: Grant permissions on the destination bucket
The method depends on whether the destination bucket is in your account or a different account.
- Same-account destination: Use automatic authorization (recommended) or manual authorization.
- Cross-account destination: Create a RAM role and configure a bucket policy.
Same-account destination
Automatic authorization (recommended)
The Data Online Migration console automatically creates the required RAM role and attaches the correct policies.
Next, go to Step 3: Create a destination data address in the Migrate data topic.
Manual authorization
Use manual authorization when:
- You need one RAM role to access multiple source buckets.
- Your account is near the RAM role limit.
- Automatic authorization is unavailable.
1. Create a RAM role for migration
Log on to the RAM console (same account as the RAM user). On the Roles page, click Create Role:
- Principal Type: Select Cloud Service.
- Principal Name: Select Data Transport.
- Role Name: Enter a name for the RAM role. The name must be in lowercase.

2. Grant permissions to the RAM role
On the Roles page, find the role and click Grant Permission in the Actions column. Attach a custom policy with the oss:List*, oss:Get*, oss:Put*, and oss:AbortMultipartUpload permissions.
For instructions, see Create a custom policy. For OSS-specific policy examples, see Common examples of RAM policies.
In the following policy, replace <myDestBucket> with the name of your destination bucket.

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:List*",
          "oss:Get*",
          "oss:Put*",
          "oss:AbortMultipartUpload"
        ],
        "Resource": [
          "acs:oss:*:*:<myDestBucket>",
          "acs:oss:*:*:<myDestBucket>/*"
        ]
      }
    ]
  }
Cross-account destination
When the destination bucket belongs to a different account, create a RAM role in your account and configure a bucket policy on the destination bucket.
1. Create a RAM role for migration
Log on to the RAM console (same account as the RAM user). On the Roles page, click Create Role:
- Principal Type: Select Cloud Service.
- Principal Name: Select Data Transport.
- Role Name: Enter a name for the RAM role. The name must be in lowercase.

2. Configure a bucket policy on the destination bucket
A new bucket policy overwrites the existing policy. Include all previous statements in your new policy to preserve existing permissions.
- Log on to the OSS console with the Alibaba Cloud account that owns the destination bucket.
- In the left-side navigation pane, click Buckets. On the Buckets page, click the name of the destination bucket.
- In the left-side pane of the bucket details page, choose Permission Control > Bucket Policy.
- On the Bucket Policy tab, click Add by Syntax, and then click Edit. In the code editor, enter the following bucket policy and click Save.
Replace the following placeholders with your actual values. For OSS policy examples, see Common examples of RAM policies.
| Placeholder | Description |
|---|---|
| <otherDestBucket> | The name of the destination bucket |
| <otherUid> | The ID of the Alibaba Cloud account that owns the destination bucket |
| <myUid> | The ID of your current Alibaba Cloud account (the one used for migration) |
| <roleName> | The name of the RAM role you created |

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:List*",
          "oss:Get*",
          "oss:Put*",
          "oss:AbortMultipartUpload"
        ],
        "Principal": [
          "arn:sts::<myUid>:assumed-role/<roleName>/*"
        ],
        "Resource": [
          "acs:oss:*:<otherUid>:<otherDestBucket>",
          "acs:oss:*:<otherUid>:<otherDestBucket>/*"
        ]
      }
    ]
  }
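
Because a saved bucket policy overwrites the one already in place, the migration statement has to be merged into the existing policy rather than pasted on its own. The following is an added example, not code from Alibaba Cloud: it fills in the placeholders from the table above, rejects unreplaced or malformed values, and appends the statement without dropping existing ones. The function names, the numeric account-ID check and the sample existing policy are assumptions made for illustration.

```python
import copy
import re

ACTIONS = ["oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"]


def migration_statement(my_uid, role_name, other_uid, bucket):
    """Build the cross-account statement from this page with placeholders filled in."""
    for name, value in (("my_uid", my_uid), ("other_uid", other_uid)):
        if not re.fullmatch(r"\d+", value):  # assumption: account IDs are numeric
            raise ValueError(f"{name} must be a numeric account ID: {value!r}")
    # The page requires a lowercase role name; this also rejects a leftover "<roleName>".
    if not role_name or role_name != role_name.lower() or re.search(r"[<>*/\s]", role_name):
        raise ValueError(f"role name must be a concrete lowercase name: {role_name!r}")
    if not bucket or re.search(r"[<>*/\s]", bucket):
        raise ValueError(f"bucket must be a single concrete name: {bucket!r}")
    return {
        "Effect": "Allow",
        "Action": list(ACTIONS),
        "Principal": [f"arn:sts::{my_uid}:assumed-role/{role_name}/*"],
        "Resource": [
            f"acs:oss:*:{other_uid}:{bucket}",
            f"acs:oss:*:{other_uid}:{bucket}/*",
        ],
    }


def merge_bucket_policy(existing, statement):
    """Return a new policy: every existing statement kept, migration grant added once."""
    merged = copy.deepcopy(existing) if existing else {"Version": "1", "Statement": []}
    statements = merged.setdefault("Statement", [])
    if statement not in statements:  # re-running must not duplicate the grant
        statements.append(statement)
    return merged


# Constructed sample: a policy already saved on the destination bucket (not from the page).
EXISTING = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject"],
        "Principal": ["arn:sts::333333333333:assumed-role/report-reader/*"],
        "Resource": ["acs:oss:*:222222222222:example-dest/reports/*"],
    }],
}

if __name__ == "__main__":
    stmt = migration_statement("111111111111", "oss-migration-role", "222222222222", "example-dest")
    print(merge_bucket_policy(EXISTING, stmt))
```

Paste the merged result into the Add by Syntax editor so the statements that were already on the bucket are saved together with the migration grant.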
Encryption considerations
If the destination bucket uses server-side encryption, additional configuration is required.
SSE-KMS encryption
If SSE-KMS is configured for the destination bucket, attach the AliyunKMSFullAccess system policy to the RAM role. This applies to both same-account and cross-account destinations.
Custom Key Management Service (KMS) key (cross-account only)
If the destination bucket is encrypted with a custom KMS key, configure the key policy in addition to attaching the AliyunKMSFullAccess system policy:
- Log on to the KMS console and find the custom key.
- On the Key Policy tab of the key details page, click Configure Key Policy. In the Key Policy panel, enter the ARN of the RAM role in the Cross-account User field.