RDS must be able to access Key Management Service (KMS) before SSD encryption can be enabled. This topic describes how to authorize access to KMS in the RAM console.

Authorization procedure

  1. Visit the Policies page in the RAM console.
  2. Click Create Policy, and follow these steps to create a permission policy:
    Note A permission policy is a set of permissions described in a defined syntax. A policy specifies the authorized resources, the authorized actions, and the conditions under which the authorization applies.
    1. Configure the following parameters.
      Parameter: Policy Name
      Description: Enter the name of the permission policy to be created. The name of the permission policy must be unique. Enter information that helps you identify the permission policy.

      Parameter: Configuration Mode
      Description: Select a configuration mode.
      • Visualized: Click Add Statement to specify the permission effect, the product or service, the actions, and other settings.
      • Script: Select a policy schema and edit the permission policy as a script. You can copy the script from the following Note.
      Note An example script is as follows:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "kms:List*",
                      "kms:DescribeKey",
                      "kms:TagResource",
                      "kms:UntagResource"
                  ],
                  "Resource": [
                      "acs:kms:*:*:*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:GenerateDataKey"
                  ],
                  "Resource": [
                      "acs:kms:*:*:*"
                  ],
                  "Effect": "Allow",
                  "Condition": {
                      "StringEqualsIgnoreCase": {
                          "kms:tag/acs:rds:instance-encryption": "true"
                      }
                  }
              }
          ]
      }
    2. Click OK.
  3. In the left-side navigation pane, click RAM Roles.
  4. Click Create RAM Role, and follow these steps to create a RAM role.
    1. Select Alibaba Cloud Service for Trusted entity type and click Next.
    2. Configure the following parameters.
      Parameter: RAM Role Name
      Description: Enter the name of the RAM role to be created. The name of the RAM role must be unique. Enter information that helps you identify the RAM role.

      Parameter: Select Trusted Service
      Description: Select RDS from the drop-down list.
    3. Click OK.
  5. In the message The Role has been created, click Add Permissions to RAM Role, and attach the permission policy that you created to the RAM role.
    1. In the Select Policy section, select Custom Policy from the drop-down list and enter the name of the permission policy that you created in the search box. When the policy appears in the results, click it to add it to the Selected list.
    2. Click OK.
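The policy script above deliberately splits the KMS permissions into two statements: the metadata actions are allowed on any key, while the cryptographic actions (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey) are allowed only on keys carrying the tag acs:rds:instance-encryption=true. The following added example (not code from Alibaba Cloud documentation or the RAM service) is a small evaluator that applies this page's policy to a request so you can check the scoping before attaching the policy; it assumes a simplified RAM model with no Deny statements and only the StringEqualsIgnoreCase condition operator, which is all this policy uses.

```python
import fnmatch

# Copy of the policy script from this page, as a Python dict (constructed for the example).
RDS_KMS_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": ["acs:kms:*:*:*"],
         "Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"]},
        {"Effect": "Allow", "Resource": ["acs:kms:*:*:*"],
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}}},
    ],
}


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context (a dict of condition
    keys such as 'kms:tag/acs:rds:instance-encryption'). Only StringEqualsIgnoreCase
    is implemented, the one operator this policy uses; any other operator fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            return False
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or actual.lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if an Allow statement matches the action and resource patterns
    (glob-style '*' as in RAM policies) and its Condition, if any, holds for `context`.
    Assumption: no Deny statements, so the first matching Allow decides."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in stmt["Resource"]):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        return True
    return False


if __name__ == "__main__":
    key = "acs:kms:cn-hangzhou:1234567890123456:key/example-key-id"  # constructed key ARN
    tagged = {"kms:tag/acs:rds:instance-encryption": "true"}
    print("DescribeKey, untagged key:", is_allowed(RDS_KMS_POLICY, "kms:DescribeKey", key))
    print("Encrypt, untagged key:    ", is_allowed(RDS_KMS_POLICY, "kms:Encrypt", key))
    print("Encrypt, tagged key:      ", is_allowed(RDS_KMS_POLICY, "kms:Encrypt", key, tagged))
```

Running the block shows that the role can describe and list any key but can only encrypt, decrypt, or generate data keys with keys tagged for RDS instance encryption.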

What to do next

An Alibaba Cloud Resource Name (ARN) is the globally unique identifier of a RAM role. ARNs follow the naming conventions stipulated by Alibaba Cloud. For example, the ARN of a role named samplerole under an Alibaba Cloud account is acs:ram::123456789012****:role/samplerole.

  1. Visit the RAM Roles page in the RAM console.
  2. Find the RAM role that you created and click its name.
  3. In the upper-right corner of the page that appears, view the ARN of the RAM role.