Background information

The service-linked role AliyunServiceRoleForADSDiskEncrypt authorizes AnalyticDB for MySQL to access Key Management Service (KMS) and implement the disk encryption feature.

AliyunServiceRoleForADSDiskEncrypt

Role name: AliyunServiceRoleForADSDiskEncrypt

Policy attached to the role: AliyunServiceRolePolicyForADSDiskEncrypt

Policy document:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:ads:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "diskencryption.ads.aliyuncs.com"
        }
      }
    }
  ]
}
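
The following added example (not Alibaba Cloud's code, and not the RAM evaluation engine) loads the policy above into a simplified evaluator to show which KMS keys the role can use for cryptographic operations. The function names, the sample keys and the two-operator condition model are assumptions made for illustration.

```python
import json

# Policy text from the page (AliyunServiceRolePolicyForADSDiskEncrypt), compacted.
POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["kms:ListKeys", "kms:ListAliases", "kms:ListResourceTags",
              "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
   "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:ads:instance-encryption": "true"}}},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "diskencryption.ads.aliyuncs.com"}}}
]}
""")

# Assumption: simplified operator semantics; only these two are modelled.
OPERATORS = {
    "StringEquals": lambda actual, want: actual == want,
    "StringEqualsIgnoreCase": lambda actual, want: actual.lower() == want.lower(),
}

def condition_holds(condition, context):
    """Every operator/key pair must match; an absent context key fails."""
    return all(key in context and OPERATORS[op](context[key], want)
               for op, pairs in condition.items()
               for key, want in pairs.items())

def is_allowed(action, context):
    """True if an Allow statement lists the action and its Condition holds."""
    for stmt in POLICY["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and action in acts
                and condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False

def usable_keys(keys, action="kms:Decrypt"):
    """Names of keys (name -> tag dict) on which the role may call action."""
    return sorted(name for name, tags in keys.items()
                  if is_allowed(action, {"kms:tag/" + k: v for k, v in tags.items()}))

# Constructed sample keys and tags, not taken from any real account.
SAMPLE_KEYS = {
    "key-adb-disk": {"acs:ads:instance-encryption": "true"},
    "key-adb-upper": {"acs:ads:instance-encryption": "TRUE"},
    "key-opted-out": {"acs:ads:instance-encryption": "false"},
    "key-app-secrets": {"team": "payments"},
}
```

Calling usable_keys(SAMPLE_KEYS) returns only the two keys whose acs:ads:instance-encryption tag matches "true" in any letter case, while the list, describe and tag actions in the first statement apply to every key regardless of tags.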

Delete the service-linked role

Before you delete the AliyunServiceRoleForADSDiskEncrypt role, you must release all the clusters that depend on the role.