To use the disk encryption feature for an ApsaraDB RDS for MySQL instance, you must authorize the instance to access Key Management Service (KMS). This topic describes how to authorize your RDS instance to access KMS by using the RAM console.

Prerequisites

You are logged on to the RAM console by using your Alibaba Cloud account.

Create a permission policy named AliyunRDSInstanceEncryptionRolePolicy

  1. Go to the Policies page.
  2. Click Create Policy.
    Note A permission policy is a set of permissions that are described by using a specific syntax. You can use permission policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Terms.
  3. Configure the following parameters.
    Parameter: Policy Name
    Description: The name of the permission policy. Enter AliyunRDSInstanceEncryptionRolePolicy.

    Parameter: Note
    Description: The information that is used to identify the permission policy. Example: Allows ApsaraDB RDS to access KMS.

    Parameter: Configuration Mode
    Description: The configuration mode of the permission policy. Select Script. Then, copy the following policy document and paste it into the edit box below Policy Document:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "kms:List*",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/acs:rds:instance-encryption": "true"
                    }
                }
            }
        ]
    }
  4. Click OK.
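    The second statement in this policy grants the cryptographic operations only on keys that carry the tag acs:rds:instance-encryption=true, while listing and describing keys is allowed everywhere. The following Python example, added here and not part of the Alibaba Cloud documentation or any Alibaba SDK, evaluates that policy document against sample requests under a simplified model of RAM evaluation (a request is allowed when some Allow statement matches its action, resource and condition, an explicit Deny wins, and everything else is implicitly denied); the key ARN and tag values are constructed for illustration.

```python
import fnmatch

# The policy document from step 3, expressed as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow"},
        {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
         "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}}},
    ],
}


def _condition_holds(condition, context):
    """Evaluate the condition operators this policy uses.

    Assumption: the request context maps "kms:tag/<name>" to the tag value
    on the key being accessed; a missing context key makes the condition fail.
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEqualsIgnoreCase" and actual.lower() != expected.lower():
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(policy, action, resource, key_tags=None):
    """Return True if the policy grants `action` on `resource` for a key with `key_tags`."""
    context = {f"kms:tag/{name}": value for name, value in (key_tags or {}).items()}
    allowed = False
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        # Wildcards such as "kms:List*" and "acs:kms:*:*:*" use glob semantics (exact case).
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed
```

Running is_allowed against a key without the tag shows why tagging the CMK correctly is a prerequisite for RDS to call Decrypt or GenerateDataKey, while ListKeys still succeeds.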

Create and authorize a RAM role named AliyunRDSInstanceEncryptionDefaultRole

After you create the AliyunRDSInstanceEncryptionRolePolicy permission policy, you must create a RAM role and add the permission policy to the RAM role. Then, ApsaraDB RDS can access KMS.

  1. Go to the RAM Roles page.
  2. Click Create RAM Role.
  3. In the Create RAM Role pane, select Alibaba Cloud Account and click Next.
  4. Configure the following parameters.
    Parameter: RAM Role Name
    Description: The name of the RAM role. Enter AliyunRDSInstanceEncryptionDefaultRole.

    Parameter: Note
    Description: The information that is used to identify the RAM role.

    Parameter: Select Trusted Alibaba Cloud Account
    Description: The trusted Alibaba Cloud account of the RAM role. Select Current Alibaba Cloud Account.
  5. When the "The Role has been created" message appears, click Add Permissions to RAM Role.
    Note If you have closed the "The Role has been created" message, you can open the RAM Roles page, find the AliyunRDSInstanceEncryptionDefaultRole role, and then click Add Permissions in the Actions column.
  6. In the Add Permissions pane, click the AliyunRDSInstanceEncryptionRolePolicy permission policy to add the permission policy to the Selected list.
  7. Click OK.

View the ARN of a RAM role (Optional)

Alibaba Cloud Resource Name (ARN) is the global resource descriptor of a RAM role. The ARN of a RAM role describes the resources that the RAM role can access. When you call an API operation to enable the disk encryption feature, you must specify the ARN of a RAM role that has the permissions to access KMS. For more information, see CreateDBInstance.

  1. Go to the RAM Roles page.
  2. Find the RAM role that you want to use. Then, click the name of the RAM role.
  3. In the Basic Information section of the page that appears, view the ARN of the RAM role.