Skip to content

added cross-account OSS bucket configuration #22632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wildpcww wants to merge 8 commits into
base: release-8.5
Choose a base branch
from
Open

added cross-account OSS bucket configuration #22632

Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
9838e39
cloud-premium: add manual backup support for premium instances
wildpcww Mar 23, 2026
fdd5c15
Apply suggestions from code review
hfxsd Mar 24, 2026
df26b42
Apply suggestions from code review
hfxsd Mar 24, 2026
03a47b9
Update tidb-cloud/premium/backup-and-restore-premium.md
hfxsd Mar 24, 2026
f070954
Apply suggestions from code review
hfxsd Mar 24, 2026
094e0a7
Merge branch 'pingcap:release-8.5' into release-8.5
wildpcww Mar 25, 2026
120659c
docs: add cross-account OSS bucket configuration for Alibaba Cloud au…
wildpcww Mar 25, 2026
2c02d9d
Apply suggestions from code review
hfxsd Apr 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions tidb-cloud/premium/tidb-cloud-auditing-premium.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,51 @@ For more information, see [Create a bucket](https://www.alibabacloud.com/help/en

5. Copy the **Role ARN** (for example: `acs:ram::<Your-Account-ID>:role/tidb-cloud-audit-role`) for later use.


**Cross-Account OSS Bucket Configuration**

If the OSS bucket storing the audit logs and the role accessing the OSS bucket are in different cloud accounts, the configuration process is slightly different.

**1. RAM Policy Configuration**
When creating the RAM policy, you need to add the information of User Account 2 in the Resource field. Define the policy using the following JSON script:
Comment thread
hfxsd marked this conversation as resolved.
Outdated

```json
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:PutObject",
"Resource": "acs:oss:oss-<region>:<User Account 2>:<bucket-name>/*"
}
]
}
```

**2. Bucket Policy Configuration**
In addition, you also need to configure a Bucket Policy on the destination OSS bucket to allow the assumed role from the different account to access it. Use the following configuration:
Comment thread
hfxsd marked this conversation as resolved.
Outdated

```json
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetObject"
],
"Effect": "Allow",
"Principal": [
"arn:sts::<User Account 1>:assumed-role/<role-name>/*"
],
"Resource": [
"acs:oss:*:<User Account 2>:<bucket-name>/*"
]
}
]
}
```
Comment on lines +181 to +224
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Hello! As a senior technical writer, I've reviewed this section and have a suggestion to improve its technical accuracy, clarity, and adherence to our documentation style guide.

Here's a summary of the proposed changes:

  • Technical Accuracy:

    • The bucket policy's Action has been corrected from oss:GetObject to oss:PutObject, which is required for TiDB Cloud to write audit logs. This is to ensure technical accuracy as per the style guide.
    • The Principal in the bucket policy has been updated to use the correct format for an Alibaba Cloud RAM role, as the previous format appeared to be for AWS.

  • Clarity and Readability:

    • The guide now explicitly defines which account holds which resource to avoid ambiguity.
    • Placeholders like <User Account 1> have been replaced with more descriptive ones like <role-account-id>.
    • Added clear instructions on what to replace the placeholders with.

  • Style and Formatting:

    • The heading is now in sentence case and uses a standard heading level (#####) for better document structure.
    • The two configuration parts are now presented as a numbered list of steps.

I've provided a ready-to-commit suggestion that incorporates all these improvements. Thank you for your contribution!

##### Cross-account OSS bucket configuration

If your OSS bucket and RAM role are in different Alibaba Cloud accounts, you need to perform additional configurations for cross-account access. For the purpose of this guide, assume that the RAM role for TiDB Cloud is in `Account 1` and the OSS bucket is in `Account 2`.

1.  **Configure the RAM policy in `Account 1`**

    When you create the RAM policy for the role in `Account 1`, you need to specify the bucket in `Account 2` as the resource. Use the following policy:

    ```json
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "oss:PutObject",
          "Resource": "acs:oss:oss-<region>:<bucket-account-id>:<bucket-name>/*"
        }
      ]
    }
    ```

    In the policy, replace `<bucket-account-id>` with the ID of `Account 2`.

2.  **Configure the bucket policy in `Account 2`**

    In `Account 2`, you also need to configure a bucket policy on the destination OSS bucket to grant the RAM role from `Account 1` permission to write objects. Use the following policy:

    ```json
    {
        "Version": "1",
        "Statement": [
            {
                "Action": "oss:PutObject",
                "Effect": "Allow",
                "Principal": {
                    "RAM": [
                        "acs:ram::<role-account-id>:role/<role-name>"
                    ]
                },
                "Resource": "acs:oss:*:<bucket-account-id>:<bucket-name>/*"
            }
        ]
    }
    ```

    In the policy, make the following replacements:
    - Replace `<role-account-id>` with the ID of `Account 1`.
    - Replace `<role-name>` with the name of the RAM role you created in `Account 1`.
    - Replace `<bucket-account-id>` with the ID of `Account 2`.
References
  1. The suggested changes improve technical accuracy, clarity, and readability, as outlined in lines 14 and 16 of the repository's style guide. (link)
  2. The heading has been changed to sentence case to follow the style guide (line 32). (link)
  3. The configuration parts have been formatted as an ordered list for steps, as recommended by the style guide (line 33). (link)


Comment thread
hfxsd marked this conversation as resolved.

#### Step 3. Enable audit logging

In the TiDB Cloud console, go back to the **Database Audit Log Storage Configuration** dialog where you got the TiDB Cloud account ID, and then take the following steps:
Expand Down
Loading