Before you enable the disk encryption feature for an ApsaraDB RDS for MySQL instance, you must authorize the RDS instance to access Alibaba Cloud Key Management Service (KMS). This topic describes how to authorize your RDS instance to access KMS by using the RAM console.


  1. Log on to the RAM console and open the Policies page.
  2. Click Create Policy and perform the following steps to create a permission policy:
    Note Permission policies are sets of permissions that are described in syntax structures. A permission policy specifies the authorized resource sets, authorized operation sets, and authorization conditions.
    1. Configure the following parameters.
      Parameter Description
      Policy Name Enter the name of the permission policy. The name must be unique.
      Note Enter information that helps identify the permission policy.
      Configuration Mode Select the configuration mode of the permission policy.
      • Visualized: Click Add Statement to specify properties such as the permission effect, product or service, and actions.
      • Script: Specify the format that is used to configure the permission policy. You can copy the code snippet from the edit box below.
      Note The following code snippet is an example:
          "Version": "1",
          "Statement": [
                  "Action": [
                  "Resource": [
                  "Effect": "Allow"
                  "Action": [
                  "Resource": [
                  "Effect": "Allow",
                  "Condition": {
                      "StringEqualsIgnoreCase": {
                          "kms:tag/acs:rds:instance-encryption": "true"
      Create Policy
    2. Click OK.
  3. In the left-side navigation pane, click RAM Roles.
  4. Find AliyunRDSInstanceEncryptionDefaultRole and in the Actions column click Add Permissions.
  5. In the Select Policy section, click Custom Policy, find the permission policy that you created, and then click the name of the permission policy to add the permission policy to the Selected list.
  6. Click OK.

What to do next

An Alibaba Cloud Resource Name (ARN) is the globally unique resource identifier of a RAM role. ARNs follow the naming conventions that are provided by Alibaba Cloud. For example, the ARN of the devops RAM role of an Alibaba Cloud account is acs:ram::123456789012****:role/samplerole.

  1. Log on to the RAM console and open the RAM Roles page.
  2. Find the RAM role whose ARN you want to view, and click its name.
  3. In the Basic Information section of the page that appears, view the ARN of the RAM role.