All Products
Search
Document Center

ApsaraDB for MongoDB:ModifyDBInstanceTDE

Last Updated:Mar 15, 2024

Modifies the transparent data encryption (TDE) status of an ApsaraDB for MongoDB instance.

Operation description

TDE allows you to perform real-time I/O encryption and decryption on data files. Data is encrypted before it is written to a disk and is decrypted when it is read from the disk to the memory. For more information, see Configure TDE.

Note TDE cannot be disabled after it is enabled.

Before you call this operation, make sure that the ApsaraDB for MongoDB instance meets the following requirements:

  • A replica set or sharded cluster instance is used.
  • The storage engine of the instance is WiredTiger.
  • The instance uses local disks to store data.
  • The database engine version of the instance is 4.0 or 4.2. If the database engine version is earlier than 4.0, you can call the UpgradeDBInstanceEngineVersion operation to upgrade the database engine.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
dds:ModifyDBInstanceTDEWRITE
  • dbinstance
    acs:dds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
DBInstanceIdstringYes

The ID of the instance.

dds-bpxxxxxxxx
TDEStatusstringYes

The TDE status. When the value of this parameter is set to Enabled, TDE is enabled.

Note You cannot disable TDE after it is enabled. Proceed with caution.
enabled
EncryptorNamestringNo

The encryption method. Set the value to aes-256-cbc.

Note This parameter is valid only when the TEDStatus parameter is set to enabled.
aes-256-cbc
EncryptionKeystringNo

The ID of the custom key.

749c1df7-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RoleARNstringNo

The Alibaba Cloud Resource Name (ARN) of the specified Resource Access Management (RAM) role. The ARN is displayed in the acs:ram::$accountID:role/$roleName format.

Note
  • $accountID: specifies the ID of the Alibaba Cloud account. To view the account ID, log on to the Alibaba Cloud Management Console, move your pointer over your profile picture in the upper-right corner, and then click Security Settings.
  • Note
  • $roleName: specifies the name of the RAM role. To view the RAM role name, log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. On the Roles page, view the name of the RAM role.
  • acs:ram::123456789012****:role/adminrole

    Response parameters

    ParameterTypeDescriptionExample
    object
    RequestIdstring

    The ID of the request.

    434D7127-6229-4355-BA50-7A3685A725DF

    Examples

    Sample success responses

    JSONformat

    {
      "RequestId": "434D7127-6229-4355-BA50-7A3685A725DF"
    }

    Error codes

    HTTP status codeError codeError messageDescription
    400UnsupportedDBTdeStatusSpecified DB TDEStatus does not support this operation.TDE already enabled for the specified instance.
    403UnsupportedEngineCurrent DB Instance engine does not support this operation.-
    403IncorrectCharacterTypeCurrent DB instance CharacterType does not support this operation.-
    403IncorrectEngineVersionCurrent engine version does not support operations.-
    403IncorrectDBInstanceStateCurrent DB instance state does not support this operation.This operation is not supported while the instance is in the current state. Wait until the instance state changes to running and try again.
    403IncorrectDBInstanceLockModeCurrent DB instance lock mode does not support this operation.The specified instance is locked and no operations are allowed on this instance. Unlock this instance and try again.
    404InvalidClusterKmsthis cluster not kms service.-
    404InvalidParamSpecified parameters is not valid.-

    For a list of error codes, visit the Service error codes.

    Change history

    Change timeSummary of changesOperation
    No change history