Prerequisites
This topic describes the prerequisites for data migration.
Step 1: Create a destination bucket
Create a destination bucket to store the migrated data. For more information, see Create a bucket.
Step 2: Create a RAM user and grant permissions
- You must use this RAM user to create roles and perform migration tasks. We recommend that you create this RAM user under the Alibaba Cloud account that owns the source or destination bucket.
- To create a RAM user, see Quick start: Create a RAM user and grant permissions.
Log on to the RAM console with your Alibaba Cloud account. On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.
- System policy: Permissions for managing Online Migration Service (AliyunOSSImportFullAccess).
- Custom policy: This policy must include the ram:CreateRole, ram:CreatePolicy, ram:AttachPolicyToRole, and ram:ListRoles permissions. For more information about how to manage permissions, see Create a custom policy. The following is a sample policy:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateRole",
        "ram:CreatePolicy",
        "ram:AttachPolicyToRole",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
Step 3: Authorize the source bucket
Follow the steps that correspond to your source bucket's ownership.
In this topic, "your account" refers to the Alibaba Cloud account that you use to access the Data Online Migration console. A bucket is "owned by your account" if you use the same Alibaba Cloud account for both the bucket and the console.
Your source bucket
- Automatic authorization
  We strongly recommend using the automatic role authorization feature. You can perform this one-click operation in the Data Online Migration console at Migration Implementation > Step 2 > Authorize Role.
- Manual authorization
  Use manual authorization in the following scenarios:
  - You want to use a single role to grant permissions on multiple source buckets for efficient management.
  - The number of existing RAM roles in your account is approaching the limit, and you want to avoid creating more roles.
  - Automatic authorization is unsuitable or unavailable for your use case.
1. Create a RAM role
Log on to the RAM console as the RAM user that you created. On the Roles page, click Create Role.
- For Select Trusted Entity, select Alibaba Cloud Service.
- For Role Type, select Normal Service Role and select Data Transport (mgw.aliyuncs.com) from the drop-down list.
- Enter a Role Name (the role name must be all lowercase). For example, enter role-test.
Click OK.
2. Grant source bucket permissions
On the Roles page, find the RAM role that you created and click Add Permissions in the Actions column.
- Custom policy: This policy must include the oss:List* and oss:Get* permissions. For more information about how to manage permissions, see Create a custom policy. The following is a sample policy:
  This policy is for reference only. Replace <mySrcBucket> with the name of the source bucket. For more information about OSS permission policies, see Common examples of RAM policies.
  If the source bucket contains objects encrypted with Key Management Service (KMS), you must also grant the AliyunKMSFullAccess system policy to the role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Resource": [
        "acs:oss:*:*:<mySrcBucket>",
        "acs:oss:*:*:<mySrcBucket>/*"
      ]
    }
  ]
}
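The source-role policy above grants only oss:List* and oss:Get*, and only on the one bucket named in Resource; the destination role later in this topic additionally needs oss:Put* and oss:AbortMultipartUpload. The following added example (not part of this topic or of any Alibaba Cloud tooling) is a small reviewer's check that evaluates a RAM policy document with simplified wildcard semantics and reports which operations a migration role would still be missing. The bucket name, region and account UID it uses are constructed sample values, and the concrete operation names are representative examples chosen for the check.

```python
import fnmatch
import json

# Representative operations each migration role must be able to perform,
# derived from the action patterns this topic lists (oss:List* and oss:Get*
# for the source role; additionally oss:Put* and oss:AbortMultipartUpload
# for the destination role). The concrete operation names are examples
# chosen for this check, not an exhaustive list.
REQUIRED_OPERATIONS = {
    "source": ["oss:ListObjects", "oss:GetObject"],
    "destination": ["oss:ListObjects", "oss:GetObject",
                    "oss:PutObject", "oss:AbortMultipartUpload"],
}

# The sample source-role policy from this topic with <mySrcBucket> replaced
# by a constructed bucket name.
SOURCE_SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:List*", "oss:Get*"],
      "Resource": [
        "acs:oss:*:*:example-src-bucket",
        "acs:oss:*:*:example-src-bucket/*"
      ]
    }
  ]
}
""")


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Return True if an Allow statement matches both the action and the resource.

    Simplified evaluator: '*' wildcard matching on Action and Resource (case
    sensitive), Allow statements only, no Condition handling and no Deny
    precedence. It is meant for reviewing a policy draft, not as a substitute
    for the service's own authorization check.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, pat)
                        for pat in _as_list(stmt.get("Action")))
        resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                          for pat in _as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return True
    return False


def missing_operations(policy, bucket, role_kind,
                       region="cn-hangzhou", owner_uid="1234567890123456"):
    """Return the required operations the policy does NOT allow on `bucket`.

    The bucket-level operation (ListObjects) is checked against the bucket ARN
    and object-level operations against an object inside the bucket. `region`
    and `owner_uid` default to constructed sample values; policies written in
    the "acs:oss:*:*:<bucket>" form from this topic match any values.
    """
    bucket_arn = f"acs:oss:{region}:{owner_uid}:{bucket}"
    object_arn = f"{bucket_arn}/some/object-key"
    missing = []
    for op in REQUIRED_OPERATIONS[role_kind]:
        target = bucket_arn if op == "oss:ListObjects" else object_arn
        if not is_allowed(policy, op, target):
            missing.append(op)
    return missing


if __name__ == "__main__":
    for kind in ("source", "destination"):
        gaps = missing_operations(SOURCE_SAMPLE_POLICY, "example-src-bucket", kind)
        print(f"{kind} role on example-src-bucket: missing {gaps or 'nothing'}")
    # Pointing the same policy at another bucket grants nothing at all.
    print("source role on other-bucket: missing",
          missing_operations(SOURCE_SAMPLE_POLICY, "other-bucket", "source"))
```

Run against the sample policy, the check reports nothing missing for the source role, reports oss:PutObject and oss:AbortMultipartUpload missing if the same policy were reused for the destination role, and reports everything missing for any bucket other than the one named in Resource, which is the scoping the sample is meant to enforce.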
Bucket in another account
1. Create a RAM role
Log on to the RAM console as the RAM user that you created. On the Roles page, click Create Role.
- For Select Trusted Entity, select Alibaba Cloud Service.
- For Role Type, select Normal Service Role and select Data Transport from the drop-down list.
- Enter a Role Name (the role name must be all lowercase).
2. Grant source bucket permissions
When you add a bucket policy, it overwrites any existing policies. To prevent losing existing permissions, combine the new policy with any existing policies before you save.
- Log on to the OSS console with the Alibaba Cloud account that owns the source bucket.
- In the left-side navigation pane, click Buckets, and then click the name of the source bucket.
- In the left-side navigation pane, choose Permission Control > Bucket Policy.
- On the Add by Syntax tab, click Edit to add a custom bucket policy.
- Grant the RAM role permissions to list, get, put, and abort multipart uploads for all objects in the bucket.
  Note: This policy is for reference only. Replace the following placeholders with your actual values: <otherSrcBucket> with the source bucket name, <otherUid> with the UID of the Alibaba Cloud account that owns the source bucket, <myUid> with the UID of the Alibaba Cloud account that you use to access the Data Online Migration console, and <roleName> with the name of the RAM role that you created. For more information about OSS permission policies, see Common examples of RAM policies.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Principal": [
        "arn:sts::<myUid>:assumed-role/<roleName>/*"
      ],
      "Resource": [
        "acs:oss:*:<otherUid>:<otherSrcBucket>",
        "acs:oss:*:<otherUid>:<otherSrcBucket>/*"
      ]
    }
  ]
}
3. Grant KMS permissions
- If the source bucket contains objects encrypted with KMS, you must also grant the AliyunKMSFullAccess system policy to the role.
- If objects in the source bucket are encrypted with a custom KMS key, you must also grant the role access to that key. To do this, perform the following steps:
  - Log on to the Key Management Service console and find the key.
  - On the key details page, open the Key Policy configuration dialog box and configure Administrators, Users, and Users in Other Accounts. For more information, see Set a key policy. For Administrators and Users, you can perform a fuzzy search by entering the name of a RAM user or RAM role in the drop-down search box. For Users in Other Accounts, enter the principal ARN in a format such as acs:ram::<userId>:role/<ramrole> or acs:ram::<userId>:user/<ramuser>. You can click Add ARN of User in Other Account to add multiple ARNs.
Step 4: Authorize the destination bucket
Follow the steps that correspond to your destination bucket's ownership.
Your destination bucket
- Automatic authorization
  We strongly recommend using the automatic role authorization feature. You can perform this one-click operation in the Data Online Migration console at Migration Implementation > Step 3 > Authorize Role.
- Manual authorization
Grant destination bucket permissions
On the Roles page, find the RAM role that you created and click Add Permissions in the Actions column.
- Custom policy: This policy must include the oss:List*, oss:Get*, oss:Put*, and oss:AbortMultipartUpload permissions. For more information about how to manage permissions, see Create a custom policy. The following is a sample policy:
  Note: This policy is for reference only. Replace <myDestBucket> with the name of the destination bucket in your account. For more information about OSS permission policies, see Common examples of RAM policies.
  Important: If server-side encryption with KMS is configured for the destination bucket, you must also grant the AliyunKMSFullAccess system policy to the role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Resource": [
        "acs:oss:*:*:<myDestBucket>",
        "acs:oss:*:*:<myDestBucket>/*"
      ]
    }
  ]
}
Bucket in another account
1. Grant destination bucket permissions
When you add a bucket policy, it overwrites any existing policies. To prevent losing existing permissions, combine the new policy with any existing policies before you save.
- Log on to the OSS console with the Alibaba Cloud account that owns the destination bucket.
- In the left-side navigation pane, click Buckets, and then click the name of the destination bucket.
- In the left-side navigation pane, choose Permission Control > Bucket Policy.
- On the Add by Syntax tab, click Edit to add a custom bucket policy.
- Grant the RAM role permissions to list, get, put, and abort multipart uploads for all objects in the bucket.
  This policy is for reference only. Replace the following placeholders with your actual values: <otherDestBucket> with the destination bucket name, <otherUid> with the UID of the Alibaba Cloud account that owns the destination bucket, <myUid> with the UID of the Alibaba Cloud account that you use to access the Data Online Migration console, and <roleName> with the name of the RAM role that you created.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*",
        "oss:Put*",
        "oss:AbortMultipartUpload"
      ],
      "Principal": [
        "arn:sts::<myUid>:assumed-role/<roleName>/*"
      ],
      "Resource": [
        "acs:oss:*:<otherUid>:<otherDestBucket>",
        "acs:oss:*:<otherUid>:<otherDestBucket>/*"
      ]
    }
  ]
}
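Both cross-account steps in this topic (the source bucket in Step 3 and the destination bucket just above) warn that saving a bucket policy replaces whatever policy the bucket already has. The following added example (not part of this topic or of any Alibaba Cloud tooling) shows one way to prepare the document you paste into the Add by Syntax editor: it appends the migration statement to the statements already on the bucket instead of replacing them, and skips a statement that is already present so that running it twice changes nothing. The existing policy, bucket name, role name and account UIDs are constructed sample values.

```python
import json

# Constructed sample: a bucket policy that already exists on the destination
# bucket (here it grants read access to an unrelated application role).
EXISTING_POLICY = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject"],
      "Principal": ["arn:sts::1234567890123456:assumed-role/app-reader/*"],
      "Resource": ["acs:oss:*:1234567890123456:example-dest-bucket/*"]
    }
  ]
}
"""

# Constructed sample: the statement from this topic for the migration role,
# with <myUid>, <roleName>, <otherUid> and <otherDestBucket> replaced.
MIGRATION_POLICY = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:List*", "oss:Get*", "oss:Put*", "oss:AbortMultipartUpload"],
      "Principal": ["arn:sts::6543210987654321:assumed-role/role-test/*"],
      "Resource": [
        "acs:oss:*:1234567890123456:example-dest-bucket",
        "acs:oss:*:1234567890123456:example-dest-bucket/*"
      ]
    }
  ]
}
"""


def _load(policy):
    """Accept a policy as a dict, as JSON text, or as empty text (no policy yet)."""
    if isinstance(policy, dict):
        return policy
    if not policy or not policy.strip():
        return {"Version": "1", "Statement": []}
    return json.loads(policy)


def _fingerprint(stmt):
    """Order-independent key so an identical statement is not added twice."""
    return json.dumps(stmt, sort_keys=True, separators=(",", ":"))


def merge_bucket_policy(existing, new):
    """Return the existing statements plus the new ones, dropping nothing.

    Saving a bucket policy replaces the whole document, so the new statement
    is appended to what is already there instead of overwriting it.
    Statements already present (identical after canonicalisation) are
    skipped, which makes repeated merges idempotent.
    """
    current = _load(existing)
    incoming = _load(new)
    if current.get("Version", "1") != incoming.get("Version", "1"):
        raise ValueError("policy Version values differ; reconcile them before merging")
    merged = list(current.get("Statement", []))
    seen = {_fingerprint(s) for s in merged}
    for stmt in incoming.get("Statement", []):
        key = _fingerprint(stmt)
        if key not in seen:
            merged.append(stmt)
            seen.add(key)
    return {"Version": current.get("Version", "1"), "Statement": merged}


def statement_count(policy):
    """Number of statements in a policy given as a dict or as JSON text."""
    return len(_load(policy).get("Statement", []))


if __name__ == "__main__":
    merged = merge_bucket_policy(EXISTING_POLICY, MIGRATION_POLICY)
    # Paste this merged document into the editor, not MIGRATION_POLICY alone.
    print(json.dumps(merged, indent=2))
```

Copy the current policy out of the Bucket Policy page into EXISTING_POLICY before running; the printed document keeps the application role's read grant and adds the migration role's grant as a second statement.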
2. Grant KMS permissions
- If server-side encryption with KMS is configured for the destination bucket, you must also grant the AliyunKMSFullAccess system policy to the role.
- If server-side encryption for the destination bucket uses a custom KMS key, you must also grant the role access to that key. To do this, perform the following steps:
  - Log on to the Key Management Service console and find the key.
  - Configure the key policy. Select Cross-account Users and enter the principal's ARN. For more information, see Set a key policy.
Step 5: Restore data in the source bucket
- You must manually restore objects from the Archive storage class before creating a source data address and migration task.
- Set the restoration period (the number of days the object stays restored) to be long enough to complete the entire migration. This prevents objects from returning to the archived state mid-migration.
- You may be charged for the restoration operation. The fee may be relatively high. For more information about the billing methods, contact the service provider that offers the source bucket.
Data Online Migration will not automatically restore archived objects. Objects that are still archived or in the process of being restored cannot be migrated and will be skipped.
To restore objects in Alibaba Cloud OSS, see Restore objects.