This topic describes the scenarios, permissions, creation, and deletion of the service-linked role AliyunServiceRoleForKMSKeyStore for Dedicated Key Management Service (KMS).

Scenarios

When you create and use a dedicated KMS instance, KMS uses a service-linked role to access your hardware security module (HSM) clusters in Data Encryption Service.

For more information about service-linked roles, see Service-linked roles.

Permissions

Role name: AliyunServiceRoleForKMSKeyStore.

Policy: AliyunServiceRolePolicyForKMSKeyStore.

Permissions: KMS uses the service-linked role AliyunServiceRoleForKMSKeyStore to access HSM clusters in Data Encryption Service and resources in cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC). The ram:DeleteServiceLinkedRole permission is restricted by the ram:ServiceName condition to keystore.kms.aliyuncs.com, so the role can only delete itself, not service-linked roles of other services.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-hsm:DescribeInstances",
        "yundun-hsm:DescribeClusters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "keystore.kms.aliyuncs.com"
        }
      }
    }
  ]
}

Create a service-linked role

When you create a dedicated KMS instance in the KMS console by using an Alibaba Cloud account, the service-linked role AliyunServiceRoleForKMSKeyStore is automatically created.

If you create a dedicated KMS instance by using a RAM user, you must attach the following custom policy to the RAM user. This way, the service-linked role AliyunServiceRoleForKMSKeyStore is automatically created when you create the dedicated KMS instance in the KMS console. For more information, see Grant permissions to a RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "keystore.kms.aliyuncs.com"
        }
      }
    }
  ]
}
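Both policies on this page rely on the same mechanism: a ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole grant that is only effective when the request's ram:ServiceName equals keystore.kms.aliyuncs.com. The following added example (written for this page; it is not KMS, RAM or Alibaba Cloud code) implements a minimal evaluator for the policy subset used here (Action with wildcards, Resource, Effect, and the StringEquals condition operator) and an audit helper that flags any Allow statement granting service-linked-role actions without that ram:ServiceName pin. The custom policy is copied from the page; the OVERBROAD_POLICY and the request contexts are constructed sample inputs.

```python
"""Minimal evaluator for the RAM policy subset used on this page.

Added illustration, not Alibaba Cloud code. Supports: "Action" and "Resource"
as a string or list with "*" wildcards, "Effect" Allow/Deny, and a "Condition"
block limited to the StringEquals operator (the only one these policies use).
"""
import fnmatch
import json

SERVICE_NAME = "keystore.kms.aliyuncs.com"  # value from the page

# Custom policy from the page: lets a RAM user create only the KMS keystore
# service-linked role.
CREATE_SLR_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "keystore.kms.aliyuncs.com"
        }
      }
    }
  ]
}
""")

# Constructed counter-example: the same grant without the ram:ServiceName pin
# would let the user create or delete service-linked roles for any service.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ram:*", "Resource": "*", "Effect": "Allow"}
    ],
}


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """A missing Condition always matches; a condition key that is absent from
    the request context never matches (the request cannot prove the value)."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} not supported")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Evaluate one request: a matching Deny wins, otherwise a matching Allow
    grants, otherwise the request is denied by default."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def audit_slr_scope(policy, expected_service):
    """Pre-attachment check: every Allow statement that covers
    ram:CreateServiceLinkedRole or ram:DeleteServiceLinkedRole must be pinned
    to exactly expected_service via ram:ServiceName. Returns findings (empty = OK)."""
    findings = []
    slr_actions = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        covered = [a for a in slr_actions
                   if any(fnmatch.fnmatchcase(a, p) for p in _as_list(stmt["Action"]))]
        if not covered:
            continue
        pinned = _as_list(stmt.get("Condition", {})
                          .get("StringEquals", {})
                          .get("ram:ServiceName", []))
        if pinned != [expected_service]:
            findings.append(f"statement {i}: {covered} not restricted to "
                            f"ram:ServiceName={expected_service}")
    return findings


if __name__ == "__main__":
    ctx = {"ram:ServiceName": SERVICE_NAME}
    print(is_allowed(CREATE_SLR_POLICY, "ram:CreateServiceLinkedRole", context=ctx))
    print(is_allowed(CREATE_SLR_POLICY, "ram:CreateServiceLinkedRole",
                     context={"ram:ServiceName": "other.aliyuncs.com"}))
    print(audit_slr_scope(CREATE_SLR_POLICY, SERVICE_NAME))
    print(audit_slr_scope(OVERBROAD_POLICY, SERVICE_NAME))
```

Run the audit against a custom policy before attaching it to a RAM user: the page's policy produces no findings, while the constructed ram:* grant does, because it would allow creating and deleting service-linked roles for every service rather than only the KMS keystore role.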

Delete a service-linked role

Before you can delete the service-linked role AliyunServiceRoleForKMSKeyStore, you must release the dedicated KMS instance in your Alibaba Cloud account. If the dedicated KMS instance expires and you do not renew the instance, the instance is automatically released.

You can delete the service-linked role AliyunServiceRoleForKMSKeyStore in the RAM console. For more information, see Delete a RAM role.