AliyunServiceRoleForKMSKeyStore is a service-linked role that allows Dedicated KMS of the Standard edition to access your hardware security module (HSM) cluster in Data Encryption Service, along with the Elastic Compute Service (ECS) and Virtual Private Cloud (VPC) resources required to establish that connection.
For background on how service-linked roles work in Alibaba Cloud, see Service-linked roles.
How it works
When you create a Dedicated KMS instance of the Standard edition, KMS connects to an HSM cluster in Data Encryption Service. To do this, KMS assumes AliyunServiceRoleForKMSKeyStore, which grants it the permissions to manage the network interfaces and security groups required for that connection.
Permissions
Role name: AliyunServiceRoleForKMSKeyStore
Policy name: AliyunServiceRolePolicyForKMSKeyStore
KMS uses the service-linked role AliyunServiceRoleForKMSKeyStore to access HSM clusters in Data Encryption Service and resources in cloud services such as Elastic Compute Service (ECS) and Virtual Private Cloud (VPC).
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:CreateNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroups",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteSecurityGroup",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:DescribeSecurityGroupAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-hsm:DescribeInstances",
        "yundun-hsm:DescribeClusters"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "keystore.kms.aliyuncs.com"
        }
      }
    }
  ]
}
```

The policy covers four groups of actions:
| Action group | Actions |
|---|---|
| ECS | Create, delete, and describe network interfaces (including network interface permissions) and security groups; authorize and revoke inbound and egress security group rules |
| VPC | Describe vSwitches and VPCs |
| Data Encryption Service | Describe HSM instances and clusters |
| RAM | Delete the service-linked role (restricted by condition to keystore.kms.aliyuncs.com) |
Create the service-linked role
How the role is created depends on whether you use an Alibaba Cloud account or a RAM user.
Alibaba Cloud account
The role is created automatically when you create a Dedicated KMS instance of the Standard edition in the KMS console. No additional steps are required.
RAM user
Attach the following custom policy to the RAM user before creating the instance. Once the policy is in place, the role is created automatically when the RAM user creates the instance in the KMS console.
```json
{
  "Action": "ram:CreateServiceLinkedRole",
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ram:ServiceName": "keystore.kms.aliyuncs.com"
    }
  }
}
```

For instructions on attaching a policy to a RAM user, see Grant permissions to a RAM user.
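The two policies above share one property worth checking in any RAM policy you review: the statements that create or delete service-linked roles are pinned by a `ram:ServiceName` condition to `keystore.kms.aliyuncs.com`, so the grant cannot be used to create or delete service-linked roles for other services. The following script is an added example, not Alibaba Cloud's own tooling: it groups the allowed actions of a policy by service prefix (reproducing the table above) and flags any Allow statement that grants `ram:CreateServiceLinkedRole` or `ram:DeleteServiceLinkedRole`, directly or through a wildcard, without that condition. The two policy documents are copied from this page; the unscoped variant and the function names are constructed here for illustration.

```python
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Service name that both policies on the page pin the service-linked-role grants to.
KMS_KEYSTORE_SERVICE = "keystore.kms.aliyuncs.com"

# Actions that create or delete service-linked roles and should carry a ram:ServiceName condition.
SLR_ACTIONS = ("ram:CreateServiceLinkedRole", "ram:DeleteServiceLinkedRole")

# AliyunServiceRolePolicyForKMSKeyStore, as shown on the page.
SERVICE_LINKED_ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:CreateNetworkInterfacePermission", "ecs:DeleteNetworkInterfacePermission",
                    "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces",
                    "ecs:DescribeSecurityGroups", "ecs:CreateSecurityGroup", "ecs:DeleteSecurityGroup",
                    "ecs:AuthorizeSecurityGroup", "ecs:AuthorizeSecurityGroupEgress",
                    "ecs:RevokeSecurityGroup", "ecs:RevokeSecurityGroupEgress",
                    "ecs:DescribeSecurityGroupAttribute"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["vpc:DescribeVSwitches", "vpc:DescribeVpcs"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["yundun-hsm:DescribeInstances", "yundun-hsm:DescribeClusters"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": KMS_KEYSTORE_SERVICE}}},
    ],
}

# Custom policy the page says to attach to a RAM user before creating the instance.
RAM_USER_POLICY = {
    "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"ram:ServiceName": KMS_KEYSTORE_SERVICE}},
}

# Constructed for contrast (not from the page): the same grant with the condition dropped,
# which would allow creating service-linked roles for any service.
UNSCOPED_RAM_USER_POLICY = {
    "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
}


def _statements(policy):
    """A RAM policy document has a Statement list; a bare statement is accepted too."""
    return policy["Statement"] if "Statement" in policy else [policy]


def _as_list(value):
    """Action, Resource and condition values may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def actions_by_service(policy):
    """Group the actions of Allow statements by service prefix (the part before ':')."""
    groups = defaultdict(set)
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service = action.split(":", 1)[0] if ":" in action else "*"
            groups[service].add(action)
    return {service: sorted(actions) for service, actions in groups.items()}


def grants_slr_action(action):
    """True if an Action entry covers a service-linked-role create/delete call,
    including wildcard forms such as "*" or "ram:*"."""
    return any(fnmatchcase(slr, action) for slr in SLR_ACTIONS)


def check_slr_scoping(policy, expected_service):
    """Return findings for Allow statements that grant service-linked-role create/delete
    without a StringEquals ram:ServiceName condition equal to expected_service."""
    findings = []
    for idx, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        covered = [a for a in _as_list(stmt["Action"]) if grants_slr_action(a)]
        if not covered:
            continue
        names = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName", []))
        if not names:
            findings.append(f"statement {idx}: {covered} allowed without a ram:ServiceName condition")
        elif names != [expected_service]:
            findings.append(f"statement {idx}: {covered} scoped to {names}, expected [{expected_service!r}]")
    return findings


def audit_policy(policy, expected_service=KMS_KEYSTORE_SERVICE):
    """Accept a policy as JSON text or a parsed dict; return the grouping and the findings."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return {"actions_by_service": actions_by_service(policy),
            "findings": check_slr_scoping(policy, expected_service)}


if __name__ == "__main__":
    for name, doc in [("service-linked role policy", SERVICE_LINKED_ROLE_POLICY),
                      ("RAM user policy", RAM_USER_POLICY),
                      ("unscoped RAM user policy", UNSCOPED_RAM_USER_POLICY)]:
        print(name, json.dumps(audit_policy(doc), indent=2))
```

Both policies from the page pass with no findings; the unscoped variant produces one finding because the `ram:CreateServiceLinkedRole` grant has no `ram:ServiceName` condition. The wildcard check matters in practice: a statement allowing `ram:*` also covers these two actions and is reported the same way.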
Delete the service-linked role
Before deleting AliyunServiceRoleForKMSKeyStore, release the Dedicated KMS instance of the Standard edition in your Alibaba Cloud account. If you do not renew the instance after it expires, it is released automatically.
You can delete the service-linked role AliyunServiceRoleForKMSKeyStore in the RAM console. For instructions, see Delete a RAM role.