This topic describes the scenarios and the permissions of the service-linked role AliyunServiceRoleForKMSKeyStore for Dedicated Key Management Service (KMS) of the Standard edition. This topic also describes how to create and delete the service-linked role.

Scenarios

When you create and use a dedicated KMS instance of the Standard edition, KMS uses a service-linked role to access your hardware security module (HSM) cluster in Data Encryption Service.

For more information, see Service-linked roles.

Permissions

Role name: AliyunServiceRoleForKMSKeyStore.

Policy: AliyunServiceRolePolicyForKMSKeyStore.

Permissions: KMS uses the service-linked role AliyunServiceRoleForKMSKeyStore to access HSM clusters in Data Encryption Service and resources in cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC). The ECS permissions (elastic network interfaces and security groups), the VPC permissions (describe-only) and the Data Encryption Service permissions (describe-only) are granted on all resources. The only RAM permission, ram:DeleteServiceLinkedRole, is restricted by a ram:ServiceName condition to keystore.kms.aliyuncs.com, so the role can remove only its own service-linked role and not service-linked roles that belong to other services.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-hsm:DescribeInstances",
        "yundun-hsm:DescribeClusters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "keystore.kms.aliyuncs.com"
        }
      }
    }
  ]
}

Create a service-linked role

When you create a dedicated KMS instance of the Standard edition in the KMS console by using an Alibaba Cloud account, the service-linked role AliyunServiceRoleForKMSKeyStore is automatically created.

If you create a dedicated KMS instance of the Standard edition by using a RAM user, you must first attach the following custom policy to the RAM user. The ram:ServiceName condition limits the grant to creating the service-linked role for keystore.kms.aliyuncs.com; without it the RAM user could create service-linked roles for any service. With this policy attached, the service-linked role AliyunServiceRoleForKMSKeyStore is automatically created when you create the dedicated KMS instance in the KMS console. The policy is shown as a single statement; when you create the custom policy in RAM, place it in the Statement array of a policy document with "Version": "1", as in the policy above. For more information, see Grant permissions to a RAM user.

{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "keystore.kms.aliyuncs.com"
        }
    }
}
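The following script is an added example and is not part of the Alibaba Cloud documentation or of KMS itself. It audits the two policies on this page (the service-linked role policy above and the RAM user policy just shown) for the least-privilege properties the text relies on: every ram:* action must be bound by a StringEquals ram:ServiceName condition to keystore.kms.aliyuncs.com, no action may be a wildcard, and a bare statement (as the RAM user policy is shown) is normalized into a full policy document. The policy texts are copied from the page; the "weakened" variant, which drops the condition, is constructed here to show a failing check. The checks are written generically, so they apply to any RAM policy document, not only to these two.

```python
"""Least-privilege audit of the RAM policies shown on this page (added example)."""
import json

SERVICE_NAME = "keystore.kms.aliyuncs.com"

# Policy of AliyunServiceRoleForKMSKeyStore, copied from the page.
SLR_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
            "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
            "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup",
            "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress",
            "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress",
            "ecs:DescribeSecurityGroupAttribute"]},
        {"Effect": "Allow", "Resource": "*", "Action": ["vpc:DescribeVSwitches", "vpc:DescribeVpcs"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["yundun-hsm:DescribeInstances", "yundun-hsm:DescribeClusters"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
         "Condition": {"StringEquals": {"ram:ServiceName": SERVICE_NAME}}},
    ],
}

# Custom policy for the RAM user, copied from the page (a bare statement, not a full document).
RAM_USER_STATEMENT = {
    "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": SERVICE_NAME}},
}

# Constructed weak variant: same grant with the ram:ServiceName condition removed.
WEAKENED_RAM_USER_STATEMENT = {k: v for k, v in RAM_USER_STATEMENT.items() if k != "Condition"}


def as_policy(doc):
    """Return a full {"Version", "Statement"} document; wrap a bare statement if given one."""
    if "Statement" in doc:
        return doc
    return {"Version": "1", "Statement": [doc]}


def _actions(stmt):
    """RAM allows Action to be a string or a list; always return a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def actions_by_service(doc):
    """Map service prefix (e.g. 'ecs') to the sorted list of actions allowed for it."""
    out = {}
    for stmt in as_policy(doc)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            service = action.partition(":")[0]
            out.setdefault(service, set()).add(action)
    return {service: sorted(names) for service, names in sorted(out.items())}


def unscoped_ram_actions(doc, service_name=SERVICE_NAME):
    """ram:* actions allowed without StringEquals ram:ServiceName == service_name.

    A Create/DeleteServiceLinkedRole grant without that condition applies to the
    service-linked roles of every service, not just the KMS key store role.
    """
    findings = []
    for stmt in as_policy(doc)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        ram_actions = [a for a in _actions(stmt) if a.startswith("ram:")]
        if not ram_actions:
            continue
        bound = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        values = bound if isinstance(bound, list) else [bound]
        if values != [service_name]:
            findings.extend(ram_actions)
    return findings


def wildcard_actions(doc):
    """Actions containing '*' (such as 'ecs:*'); a service-linked role should have none."""
    return [a for stmt in as_policy(doc)["Statement"] for a in _actions(stmt) if "*" in a]


def audit(doc, service_name=SERVICE_NAME):
    """Collect all findings for one policy; an empty dict means the checks passed."""
    findings = {}
    unscoped = unscoped_ram_actions(doc, service_name)
    if unscoped:
        findings["ram actions not bound to " + service_name] = unscoped
    wild = wildcard_actions(doc)
    if wild:
        findings["wildcard actions"] = wild
    return findings


if __name__ == "__main__":
    for name, doc in [("service-linked role policy", SLR_POLICY),
                      ("RAM user policy", RAM_USER_STATEMENT),
                      ("weakened RAM user policy", WEAKENED_RAM_USER_STATEMENT)]:
        print(name, json.dumps(actions_by_service(doc)), "findings:", audit(doc))
```

Run as a script, the two policies from the page produce no findings, while the weakened variant reports ram:CreateServiceLinkedRole as unbound. Passing a different service_name (for example kms.aliyuncs.com) to audit shows that the service-linked role policy is bound to keystore.kms.aliyuncs.com specifically, not to KMS in general.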

Delete a service-linked role

Before you can delete the service-linked role AliyunServiceRoleForKMSKeyStore, you must release the dedicated KMS instance of the Standard edition in your Alibaba Cloud account. If you do not renew the dedicated KMS instance of the Standard edition after the instance expires, the instance is automatically released.

You can delete the service-linked role AliyunServiceRoleForKMSKeyStore in the RAM console. For more information, see Delete a RAM role.