Cross-Account TencentDB Instance Sync

Last updated: 2023-11-21 20:41:18

    Overview

    This document describes how to use the DTS data sync feature to sync data between TencentDB instances under different accounts.

    Application Scope

    Cross-account data sync is supported between TencentDB for MySQL, TDSQL for MySQL, TDSQL-C for MySQL, TencentDB for MariaDB, and TencentDB for PostgreSQL instances. For more information, see the Cross-Account Sync column of the Key features supported by sync table in Databases Supported by Data Sync.

    Prerequisite

    You have created the target database instance.

    Note

    This operation involves multiple account information configuration items. The following lists the main configuration logic for easier understanding and configuration.
    Data sync direction: Source database (database instance under another account) > target database (database instance under the current account).
    The account executing the sync task can be the root account or a sub-account of the target database.
    Use the root account to execute the sync task: Before executing the task, ask the source database's root account to grant the target database's root account access to the source database through a role.
    Use the sub-account to execute the sync task: Before executing the task, ask the source database's root account to grant the target database's root account access to the source database through a role. Then, ask the target database's root account to grant its sub-account access to the source database through policies.

    Authorizing an Account

    To execute the sync task with a root account or a sub-account, follow steps 1–6 or steps 1–11 respectively.
    1. Log in to the CAM console with the Tencent Cloud root account of the source database. If a sub-account has CAM and role permissions, you can also log in with the sub-account.
    2. Click Roles on the left sidebar to enter the Role Management page. Then, click Create Role.
    3. On the Select role entity page, select Tencent Cloud Account.
    
    4. On the Enter Role Entity Info page, configure the information and click Next.
    
    Tencent Cloud account: Select Other root account.
    Account ID: Enter the Tencent Cloud root account ID of the target database, which can be viewed on the Account Information page. Enter the root account ID here even if the target database instance is under the sub-account.
    External ID: You can set it as needed.
    Note
    If an external ID is used, record and keep it on your own, as it is required for subsequent configurations.
    5. On the Configure Role Policy page, select the DTS service policy and the source database's corresponding policies and click Next.
    DTS service policy: Select QcloudDTSReadOnlyAccess.
    The source database's corresponding policies are detailed below:
    If the source database is TencentDB for MySQL, select QcloudCDBReadOnlyAccess (for read-only access to TencentDB for MySQL resources) and QcloudCDBInnerReadOnlyAccess (for TencentDB for MySQL list query).
    If the source database is TencentDB for MariaDB, select QcloudMariaDBReadOnlyAccess (for read-only access to TencentDB for MariaDB).
    If the source database is TDSQL for MySQL, select QcloudTDSQLReadOnlyAccess (for read-only access to TDSQL for MySQL).
    If the source database is TDSQL-C for MySQL, select QcloudCynosDBReadOnlyAccess (for read-only access to TDSQL-C for MySQL).
    If the source database is TencentDB for PostgreSQL, select QcloudPostgreSQLReadOnlyAccess (for read-only access to TencentDB for PostgreSQL).
    
    6. Configure role tags. Then, on the Review page, set the role name and click Complete.
    Note
    Record the configured name, which needs to be entered when you create the sync task later.
    
    Note
    To execute a sync task with the root account, just follow the steps above; to execute a sync task with a sub-account, you also need to complete steps 7–11 below to ask the root account to authorize the sub-account as follows:
    7. (Optional) Log in to the CAM console with the Tencent Cloud root account of the target database and click Policies on the left sidebar. Then, click Create Custom Policy on the right and select Create by Policy Syntax.
    
    8. (Optional) Select Blank Template and click Next.
    
    9. (Optional) Create a policy and enter the policy name and description as needed. After copying the sample code to the Policy Content, replace the content in the red box with the actual information.
    
    Sample policy syntax:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": ["name/sts:AssumeRole"],
                "resource": ["qcs::cam::uin/10*******8:roleName/DTS-role"]
            }
        ]
    }
    10. (Optional) Click Complete, return to the Policy List page, and click Associate Users/Groups.
    
    11. (Optional) Select the sub-account of the target database instance (that is, the sub-account executing the sync task) and click OK.
    

    Creating a Sync Task

    1. Log in to the DTS console with the Tencent Cloud account of the target database instance.
    2. Select Data Sync > Create Sync Task and purchase a sync task.
    3. After making the purchase, return to the data sync task list and click Configure in the Operation column to enter the sync task configuration page.
    4. In the Set source and target databases step, configure the source and target database information. The following is an example of data sync between TencentDB for MySQL instances.
    
    Configure the key parameters for cross-account data migration as follows:
    Access Type: Select Database, indicating that the source database is a TencentDB instance.
    Cross-/Intra-Account: Select Cross-account.
    Cross-Account ID: Enter the root account ID of the source database.
    Cross-Account Role Name: The Role Name configured in step 6 of Authorizing an Account. For more information on roles, see Role Overview and Cross-Account Access Role.
    External Role ID: If you have set the external ID in step 4 of Authorizing an Account, here you need to enter the correct external ID to avoid permission errors. If the external role ID is not set, leave this parameter empty.
    Note
    After completing the above configuration, select the Region to obtain the instance list under the source database account. If an error occurs while obtaining the instance list, the configuration may be incorrect, or no authorization has been performed. For more information, see FAQs.
    5. On the Set sync options and objects page, set the data initialization, data sync, and sync object options and click Save and Go Next.
    6. On the task verification page, complete the verification. After all check items are passed, click Start Task. If the verification fails, troubleshoot as instructed in Check Item Overview and initiate the verification again.
    7. Return to the data sync task list, and you can see that the task has entered the Running status.
    Note
    You can click More > Stop in the Operation column to stop a sync task. Before doing so, ensure that data sync has been completed.

    Common Issues

    1. What should I do if the error "role not exist[InternalError.GetRoleError]" is reported while pulling the instance list across accounts?

    Check whether the Cross-Account ID (the root account ID of the source database) and Cross-Account Role Name (the Role Name configured in step 6 of Authorizing an Account) have been correctly configured. If the problem persists, try obtaining the source database service permissions as instructed in step 5 of Authorizing an Account.

    2. What should I do if the error "InternalError:InternalInnerCommonError" is reported while obtaining the database instance list?

    Grant the source database's corresponding policies to the role as instructed in step 5 of Authorizing an Account.

    3. What should I do if the error "you are not authorized to perform operation (sts:AssumeRole), resource (qcs::cam::uin/1xx5:roleName/xxxx) has no permission" is reported while pulling the instance list across accounts?

    Error cause: The account that you use to create the sync task is a sub-account without the sts:AssumeRole permission.
    Solution:
    Use the root account to create the sync task.
    Ask the root account of the target database to authorize the sub-account as instructed in Authorizing an Account and set resource in the policy syntax to the field in blue in the error message.
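
    The sub-account policy from step 9 of Authorizing an Account and the fix described in this answer, as an added example (not Tencent Cloud's own code): it extracts the role resource from the error text, builds the policy in the sample syntax, and flags statements that grant more than the single DTS role in the source account. The UIN, role name and function names are constructed for illustration, and the role-name character set is an assumption.

```python
import json
import re

# Resource string shape taken from the page's sample policy and error text.
# Assumption: UINs are numeric; role names use letters, digits, "_" and "-".
ROLE_RESOURCE = re.compile(r"qcs::cam::uin/(\d+):roleName/([A-Za-z0-9_-]+)")
ASSUME_ROLE = "name/sts:AssumeRole"

def resource_from_error(message):
    """Pull the role resource out of an sts:AssumeRole authorization error."""
    match = ROLE_RESOURCE.search(message)
    if match is None:
        raise ValueError("no role resource found in message")
    return match.group(0)

def build_policy(resource):
    """Build the sub-account policy in the page's sample syntax."""
    if ROLE_RESOURCE.fullmatch(resource) is None:
        raise ValueError("resource must name exactly one role: " + resource)
    return {
        "version": "2.0",
        "statement": [{"effect": "allow", "action": [ASSUME_ROLE], "resource": [resource]}],
    }

def check_policy(policy, source_uin):
    """Return findings for allow statements broader than one role in source_uin."""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        if stmt.get("action") != [ASSUME_ROLE]:
            findings.append(f"statement {i}: action is not only {ASSUME_ROLE}")
        for res in stmt.get("resource", []):
            match = ROLE_RESOURCE.fullmatch(res)
            if match is None:
                findings.append(f"statement {i}: resource is not a single role: {res}")
            elif match.group(1) != source_uin:
                findings.append(f"statement {i}: role is in account {match.group(1)}")
    return findings

# Constructed error text in the shape of question 3; UIN and role name are made up.
SAMPLE_ERROR = ("you are not authorized to perform operation (sts:AssumeRole), "
                "resource (qcs::cam::uin/100000000001:roleName/DTS-role) has no permission")

if __name__ == "__main__":
    policy = build_policy(resource_from_error(SAMPLE_ERROR))
    print(json.dumps(policy, indent=4))
    print(check_policy(policy, "100000000001"))
```

    Paste the printed JSON into Policy Content in step 9; an empty findings list means the policy allows only sts:AssumeRole on the one role in the source account.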

    4. What should I do if a permission error is reported or if I fail to pull the database instance list due to an incorrect or missing external role ID?

    Error cause: You have set the external ID in Authorizing an Account, but you configured the DTS task with no external ID or a wrong one. This will cause a permission error or the failure to pull the database instance list.
    Solution: If you have set the external ID in the account authorization step, you must enter it correctly when configuring the DTS task. If it is not set, you don't need to enter it here.