AliyunServiceRoleForHBaseEncryption is a service-linked role for ApsaraDB for HBase. This topic describes the scenarios in which the role is used, the permissions that it grants, and how to delete the role.

Background information

AliyunServiceRoleForHBaseEncryption is a Resource Access Management (RAM) role that allows ApsaraDB for HBase to access other Alibaba Cloud services to implement a specific feature. For more information about service-linked roles, see Service-linked roles.

Scenarios

ApsaraDB for HBase requires the AliyunServiceRoleForHBaseEncryption role to implement the disk encryption feature. If you select CloudDisk for Encryption Type when you create an ApsaraDB for HBase cluster, the system automatically creates this role.

Introduction

The name of the RAM role is AliyunServiceRoleForHBaseEncryption.

The policy that is attached to the RAM role is AliyunServiceRolePolicyForHBaseEncryption.

The policy specifies the following permissions:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:Listkeys",
        "kms:Listaliases",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:UntagResource",
        "kms:TagResource",
        "kms:DescribeAccountKmsStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:hbase:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encryption.hbase.aliyuncs.com"
        }
      }
    }
  ]
}
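
The tag condition in the second statement is what limits the KMS keys on which the role can run cryptographic operations. The following Python sketch is an added example, not Alibaba Cloud code: it evaluates the statements above against constructed sample keys using a simplified model (Allow statements only, exact action match, Resource "*"). The function names, key aliases, and the way tags are mapped to condition keys are assumptions.

```python
# Statements from AliyunServiceRolePolicyForHBaseEncryption as shown on this page.
# Every statement has Effect "Allow" and Resource "*", so both are omitted here.
TAG = "acs:hbase:instance-encryption"
POLICY = [
    {"Action": ["kms:Listkeys", "kms:Listaliases", "kms:ListResourceTags",
                "kms:DescribeKey", "kms:UntagResource", "kms:TagResource",
                "kms:DescribeAccountKmsStatus"]},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Condition": {"StringEqualsIgnoreCase": {"kms:tag/" + TAG: "true"}}},
    {"Action": ["ram:DeleteServiceLinkedRole"],
     "Condition": {"StringEquals":
                   {"ram:ServiceName": "encryption.hbase.aliyuncs.com"}}},
]
OPERATORS = {
    "StringEquals": lambda actual, want: actual == want,
    "StringEqualsIgnoreCase": lambda actual, want: actual.lower() == want.lower(),
}

def condition_holds(condition, context):
    """All operator/key pairs must match; a key absent from the context fails."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            actual = context.get(key)
            if actual is None or not OPERATORS[op](actual, want):
                return False
    return True

def is_allowed(action, context):
    """True if a statement lists the action and its Condition (if any) holds."""
    return any(action in s["Action"] and condition_holds(s.get("Condition", {}), context)
               for s in POLICY)

def key_context(tags):
    """Expose a key's tags as the kms:tag/<tag-key> condition keys (assumed model)."""
    return {"kms:tag/" + k: v for k, v in tags.items()}

# Constructed sample keys (hypothetical aliases and tags).
KEYS = {"hbase-disk": {TAG: "True"}, "payroll": {"team": "finance"}}

def usable_keys(action):
    """Aliases of the sample keys on which the role may perform the action."""
    return sorted(a for a, t in KEYS.items() if is_allowed(action, key_context(t)))

if __name__ == "__main__":
    print(usable_keys("kms:Decrypt"))      # only the tagged key
    print(usable_keys("kms:TagResource"))  # unconditional: every key
```

Because kms:TagResource and kms:UntagResource carry no condition, the acs:hbase:instance-encryption tag is the only boundary on cryptographic use, so changes to that tag on KMS keys are worth including in audit reviews.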

Delete the AliyunServiceRoleForHBaseEncryption role

Before you delete the AliyunServiceRoleForHBaseEncryption role, you must release all the ApsaraDB for HBase clusters with which the role is associated.

For more information about how to delete a service-linked role, see Delete a service-linked role.