Same-account same-region replication refers to automatically and asynchronously (near real-time) replicating the creation, update, and deletion operations of files (Objects) in a source bucket in a specific account and region to a target bucket in the same region of the current account. This topic describes how to configure same-account same-region replication.
Prerequisites
-
Bucket A (source bucket) has been created in a specific account and region, and the account UID, Bucket A name, and region have been recorded.
-
Bucket B (target bucket) has been created in the same account and region, and the Bucket B name has been recorded.
Role Types
When performing same-account same-region replication, you need to specify a role for executing replication operations between the source bucket and target bucket. You can choose any of the following roles to complete the same-account same-region replication task.
You can choose to create roles through RAM users. RAM users must have the following permissions: ram:CreateRole、ram:GetRole、ram:ListPoliciesForRole、ram:AttachPolicyToRole. Considering that granting RAM users ram:CreateRole, ram:GetRole and other role-related permissions carries high risk, we recommend that you create RAM roles and complete role authorization through the Alibaba Cloud account associated with the RAM user. After authorization is complete, RAM users can directly reuse RAM roles created by the Alibaba Cloud account.
(Recommended) Create New Role
When creating replication rules for the same account and region, you can choose to create a new role to complete the replication task. After selecting create new role, the system will automatically create a role in the format oss-replication-{uuid} and grant different permission policies based on whether you choose to replicate KMS encrypted objects.
-
Choose to replicate KMS encrypted objects
After creating a new role, you need to complete the role authorization operation according to the page guidance. After authorization is completed, the role has precise permission policies for synchronizing from source Bucket to target Bucket as well as AliyunKMSCryptoUserAccess (permission to manage Key Management Service KMS).
-
Choose not to replicate KMS encrypted objects
After creating a new role, you need to complete the role authorization operation according to the page guidance. After authorization is completed, the role has precise permission policies for synchronizing from source Bucket to target Bucket.
AliyunOSSRole
When creating replication rules for the same account in the same region, you can choose the AliyunOSSRole to complete the replication task. After selecting this role, the backend will grant different permission policies based on whether you choose to replicate KMS encrypted objects.
-
Select Copy KMS encrypted objects
After selecting the AliyunOSSRole role, the system will automatically grant the following permission policies to the AliyunOSSRole role: AliyunOSSFullAccess (permissions to manage Object Storage Service OSS) and AliyunKMSCryptoUserAccess (permissions to manage Key Management Service KMS).
WarningThis role has all operation permissions for all Buckets and KMS under the current account. The permission scope is extensive, please use with caution.
-
Select Do not copy KMS encrypted objects
After selecting the AliyunOSSRole role, the system will automatically grant AliyunOSSFullAccess (permissions to manage Object Storage Service OSS) to the AliyunOSSRole role.
WarningThis role has all operation permissions for all buckets under the current account. The permission scope is extensive, so please use it with caution.
Custom Role
When creating same-account same-region replication rules, you can use custom roles to complete replication tasks. You need to create a custom role through the RAM console and grant relevant permissions to the role.
-
Create a normal service role.
During role creation, select Cloud Service for the trusted entity type and select Object Storage Service for the trusted entity name. For detailed steps, see Create a RAM role for a trusted Alibaba Cloud service。
-
Grant permissions to the role.
You can choose any of the following methods to grant permissions to the role.
Grant system policies to the RAM role
WarningYou can choose to grant the
AliyunOSSFullAccesssystem policy to the RAM role.AliyunOSSFullAccessgrants all operation permissions on all buckets in the current account by default. Use this policy with caution.If you want to copy KMS-encrypted objects to the destination bucket, you also need to grant the
AliyunKMSFullAccesssystem policy to the role.For specific steps, see Manage a RAM role's permissions。
Grant custom policies to the RAM role
We recommend that you choose to grant the RAM role the minimum permissions required for copying between the source bucket (src-bucket) and destination bucket (dest-bucket).
NoteIn actual use, please replace the source Bucket and target Bucket names accordingly.
{ "Version":"1", "Statement":[ { "Effect":"Allow", "Action":[ "oss:ReplicateList", "oss:ReplicateGet" ], "Resource":[ "acs:oss:*:*:src-bucket", "acs:oss:*:*:src-bucket/*" ] }, { "Effect":"Allow", "Action":[ "oss:ReplicateList", "oss:ReplicateGet", "oss:ReplicatePut", "oss:ReplicateDelete" ], "Resource":[ "acs:oss:*:*:dest-bucket", "acs:oss:*:*:dest-bucket/*" ] } ] }For detailed steps, see Manage a RAM role's permissions。
NoteIf you want to copy KMS-encrypted objects to the target Bucket, you also need to grant the
AliyunKMSFullAccesssystem policy to the role.
When copying data in the same region under the same account, OSS only verifies the RAM role permission policy for the copy operation and does not verify the Bucket Policy configured for the source or target Bucket.