You can clone an Autonomous Database instance from one tenancy (the source tenancy) to a different tenancy (the destination tenancy).

- About Cross Tenancy Cloning: When you create a cross tenancy clone you can either select that the clone is created in the same region as the source tenancy or in a different region than the source tenancy (cross-region).
- Prerequisites for Cross Tenancy Cloning: Describes prerequisites for creating a cross tenancy clone where the source database is in one tenancy and the cloned database is in a different tenancy.
- Create a Cross Tenancy or Cross-Region Clone: Shows the steps to create a cross tenancy clone when the source database and the cloned database are in the same region, or when the source database and the cloned database are in different regions (cross-region).

About Cross Tenancy Cloning

When you create a cross tenancy clone you can either select that the clone is created in the same region as the source tenancy or in a different region than the source tenancy (cross-region).

Note: The cross tenancy cloning option is only available using the CLI or the Autonomous Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

Note the following for cross tenancy cloning:

- All clone types are supported: the cloned database can be a Full clone, a Metadata clone, or a Refreshable clone.
- A clone can be created from a source Autonomous Database instance or from a backup (using the latest backup, a specified backup, or by selecting a long-term backup).
- The source Autonomous Database instance can use either the ECPU or OCPU compute model. Depending on your workload type, you can clone from a source that uses the OCPU compute model to a clone that uses the ECPU compute model (this is allowed for the Data Warehouse and the Transaction Processing workload types).
- The cloned database can be in the same region or in a different region (cross-region).
- The cross tenancy cloning option does not support cloning with customer managed keys on the source. See Manage Encryption Keys on Autonomous Database for more information on customer managed keys.

Prerequisites for Cross Tenancy Cloning

Describes prerequisites for creating a cross tenancy clone where the source database is in one tenancy and the cloned database is in a different tenancy.

You must run the commands to create a cross tenancy clone on the destination tenancy. Before you create a cross tenancy clone, you need to define OCI Identity and Access Management groups and policies on the source tenancy (the tenancy that contains the instance you are cloning) and on the destination tenancy. The groups and policies you define allow you to run commands to create the clone on the destination tenancy and allow the destination tenancy to contact the source tenancy where the source Autonomous Database instance resides.

The OCI Identity and Access Management groups and policies you add support the following:

- A member of a group in the source tenancy allows a group in the destination tenancy to access (read) the source Autonomous Database instance on the source tenancy. You do not need to allow other actions on the source Autonomous Database instance (for example, start, stop, terminate, or any write operations).
- A member of a group in the destination tenancy is allowed to create a clone in the destination tenancy using the Autonomous Database instance in the source tenancy as the clone source.
- On the destination tenancy you also add a policy that allows a group to manage the Autonomous Database instance on the source tenancy. For example, this policy allows the group to create the clone database, and allows a refreshable clone to run commands that contact the source tenancy, such as Refresh and Disconnect.

To create a cross tenancy clone, use OCI Identity and Access Management to create the required groups and to define the policies that authorize cross tenancy cloning:

1. Create a group on the destination tenancy that contains the user that will be allowed to create a clone.
   a. On the destination tenancy, in the Oracle Cloud Infrastructure Console, click Identity & Security.
   b. Under Identity, click Domains and select an identity domain (or create a new identity domain).
   c. Under Identity domain, click Groups.
   d. To add a group, click Create group.
   e. On the Create group page, enter a Name and a Description. For example, enter the Name: DestinationGroup.
   f. On the Create group page, click Create.
   g. Click Create to save the group.
   h. On the Group page, click Assign user to groups and select the users you want to add to the group.
   i. Click Add.
   j. On the Group page, from the Group information tab, copy the OCID for use in Step 2.

2. On the source tenancy, define OCI Identity and Access Management policies for the source Autonomous Database instance.
   a. On the source tenancy, in the Oracle Cloud Infrastructure Console, click Identity & Security.
   b. Under Identity, click Policies.
   c. To write a policy, click Create Policy.
   d. On the Create Policy page, enter a Name and a Description.
   e. On the Create Policy page, select Show manual editor.
   f. In the policy builder, add policies so that the group in the destination tenancy is allowed to create a clone using an Autonomous Database instance on the source tenancy as the clone source.

      For example, define the following generic policies:

          define tenancy DestinationTenancy as ocid1.tenancy.oc1..unique_ID
          define group DestinationGroup as ocid1.group.region1..unique_ID
          admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family in compartment ocid1.compartment.region1..unique_ID where target.id = 'oc1.autonomousdatabase.oc1..unique_ID'

      This policy specifies the following:

      - Line 1: The OCID is the OCID of the destination tenancy. This is the tenancy where you are going to create the clone.
      - Line 2: The OCID is the OCID of the group to which the user who will create the clone belongs. This is the OCID of the group you created in Step 1.
      - Line 3: The first OCID is the OCID of the compartment where the source database resides. The second OCID, after the where clause, is the OCID of the source Autonomous Database instance.

      Note: The where clause is optional and provides a more fine-grained way to grant access to a specific database.

      For example, set these policies on the source tenancy to allow cross tenancy cloning:

          define tenancy DestinationTenancy as ocid1.tenancy.oc1..aaa_example_rcyx2a
          define group DestinationGroup as ocid1.group.oc1..aaa_example_6vctn6xsaq
          admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family in compartment ocid1.compartment.region1..bbb_example_rcyx2b where target.id = 'oc1.autonomousdatabase.oc1.aaaabbbbcccc'

      This policy specifies that a user in the DestinationGroup of the DestinationTenancy can read from a specific Autonomous Database instance in the specified compartment (on the source tenancy). To create a cross tenancy clone, the policy only needs to allow read on the source Autonomous Database instance.
   g. Click Create to save the policy.

3. Define policies on the destination tenancy.
   a. On the destination tenancy, in the Oracle Cloud Infrastructure Console, click Identity & Security.
   b. Under Identity, click Policies.
   c. To write a policy, click Create Policy.
   d. On the Create Policy page, enter a Name and a Description.
   e. On the Create Policy page, select Show manual editor.
   f. In the policy builder, add policies so that a group is endorsed to manage Autonomous Databases on the source tenancy.

      For example:

          Define tenancy SourceTenancy as ocid1.tenancy.oc1..unique_ID
          Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

      This policy specifies the following:

      - Line 1: The OCID is the source tenancy OCID. This is the tenancy where the source Autonomous Database instance resides.
      - Line 2: Specifies that the DestinationGroup group can manage Autonomous Databases in the source tenancy.

   Notes for defining policies on the destination tenancy:

   - For the following policy:

         Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

     This policy allows the group DestinationGroup to create Autonomous Databases and Autonomous Database clones in the source tenancy. You can limit cloning permissions so that the group can only clone Autonomous Databases but cannot create Autonomous Databases, or further limit permission to only create a particular type of clone: Full Clone, Metadata Clone, or Refreshable Clone. See IAM Permissions and API Operations for Autonomous Database for more information and examples.
   - If these policies are revoked, cross tenancy cloning is no longer allowed.
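
The following is an added example, not part of the original documentation or of Oracle's tooling: a Python check that reads the source-tenancy and destination-tenancy policy statements shown above and reports where they grant more than the read access that cloning needs. The function name audit is hypothetical, and the patterns are an assumption that covers only the statement shapes on this page.

```python
import re

# Sample input: the page's example statements (wrapped admit line joined).
SOURCE_POLICY = [
    "define tenancy DestinationTenancy as ocid1.tenancy.oc1..aaa_example_rcyx2a",
    "define group DestinationGroup as ocid1.group.oc1..aaa_example_6vctn6xsaq",
    "admit group DestinationGroup of tenancy DestinationTenancy to read "
    "autonomous-database-family in compartment ocid1.compartment.region1..bbb_example_rcyx2b "
    "where target.id = 'oc1.autonomousdatabase.oc1.aaaabbbbcccc'",
]
DEST_POLICY = [
    "Define tenancy SourceTenancy as ocid1.tenancy.oc1..unique_ID",
    "Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy",
]

# Patterns cover only the statement shapes shown on this page (an assumption).
DEFINE = re.compile(r"define (tenancy|group) (\S+) as (\S+)$", re.I)
ADMIT = re.compile(r"admit group (\S+) of tenancy (\S+) to (\w+) (\S+) in "
                   r"(?:compartment \S+|tenancy)( where .+)?$", re.I)
ENDORSE = re.compile(r"endorse group (\S+) to (\w+) (\S+) in tenancy (\S+)$", re.I)

def audit(statements):
    """Return least-privilege findings for cross tenancy policy statements."""
    defined, findings = {"tenancy": set(), "group": set()}, []
    for raw in statements:
        s = " ".join(raw.split())  # normalise wrapped or padded statements
        if m := DEFINE.match(s):
            defined[m[1].lower()].add(m[2])
        elif m := ADMIT.match(s):
            group, tenancy, verb, _resource, where = m.groups()
            if group not in defined["group"] or tenancy not in defined["tenancy"]:
                findings.append(f"admit: {group}/{tenancy} used without a define")
            if verb.lower() in ("use", "manage"):
                findings.append(f"admit: '{verb}' exceeds the read that cloning needs")
            if not where:
                findings.append("admit: no where clause limits access to one database")
        elif m := ENDORSE.match(s):
            group, verb, _resource, tenancy = m.groups()
            if tenancy not in defined["tenancy"]:
                findings.append(f"endorse: {tenancy} used without a define")
            if verb.lower() == "manage":
                findings.append(f"endorse: '{verb}' lets {group} create databases, not only clones")
        else:
            findings.append(f"unparsed statement: {s}")
    return findings

if __name__ == "__main__":
    for name, policy in (("source", SOURCE_POLICY), ("destination", DEST_POLICY)):
        print(name, audit(policy) or "no findings")
```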

Create a Cross Tenancy or Cross-Region Clone

Shows the steps to create a cross tenancy clone when the source database and the cloned database are in the same region, or when the source database and the cloned database are in different regions (cross-region).

Note: The cross tenancy cloning option is only available using the CLI or the Autonomous Database REST APIs. This option is not available using the Oracle Cloud Infrastructure Console.

To create a cross tenancy clone:

1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.
2. On the destination tenancy (the tenancy where you want to create the clone), in the destination region, use the CLI or call the REST API with a valid clone type FULL or METADATA and provide the OCID of the source database, where the source database resides in a different tenancy (the source tenancy).

To create a cross tenancy clone from a backup:

1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.
2. On the destination tenancy (the tenancy where you want to create the clone), in the destination region, use the CLI or call the REST API with a valid clone type FULL or METADATA and provide the OCID of the backup (on the source tenancy), where the source database resides in a different tenancy (the source tenancy).