Lindorm:Service-linked roles of Lindorm

Last Updated:Mar 28, 2026

Lindorm uses the AliyunServiceRoleForTSDBLindormEncryption service-linked role to access Key Management Service (KMS) when transparent data encryption (TDE) is enabled. The system creates this role automatically when you enable TDE on a Lindorm instance — no manual setup required.

Background

A service-linked role is a Resource Access Management (RAM) role that a cloud service creates and manages automatically. Unlike standard RAM roles, service-linked roles have the following restrictions:

  • You cannot modify or delete the attached policy.

  • You cannot attach policies to or detach policies from the role.

For more information, see Service-linked roles.

AliyunServiceRoleForTSDBLindormEncryption

Attribute        Value
Role name        AliyunServiceRoleForTSDBLindormEncryption
Policy name      AliyunServiceRoleForTSDBLindormEncryption
Trusted service  encryption.hitsdb.aliyuncs.com
When created     Automatically when TDE is enabled on a Lindorm instance

This role grants Lindorm access to KMS for TDE operations. The attached policy includes two permission groups:

  • Key query (kms:ListKeys, kms:ListResourceTags, kms:DescribeKey): applies to all KMS resources in your account.

  • Key operations (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey, kms:CreateAlias): applies only to KMS keys tagged with acs:lindorm:instance-encryption=true.

The policy also allows ram:DeleteServiceLinkedRole, restricted by the ram:ServiceName condition to encryption.hitsdb.aliyuncs.com, so that the Lindorm encryption service can remove its own role. Full policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListResourceTags",
        "kms:DescribeKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:CreateAlias"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:lindorm:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encryption.hitsdb.aliyuncs.com"
        }
      }
    }
  ]
}
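As an added example that is not part of the Lindorm documentation, the following Python models how RAM evaluates this policy, so you can check what the role can and cannot do before enabling TDE. It implements only the two condition operators the policy uses, treats anything not explicitly allowed as denied, and uses a constructed key ARN and constructed tag values.

```python
import fnmatch
# Constructed, compact copy of the AliyunServiceRoleForTSDBLindormEncryption policy
# shown above (same actions, resources and conditions as the page).
KMS_ANY = "acs:kms:*:*:*"
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": [KMS_ANY],
     "Action": ["kms:ListKeys", "kms:ListResourceTags", "kms:DescribeKey"]},
    {"Effect": "Allow", "Resource": [KMS_ANY],
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateAlias"],
     "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:lindorm:instance-encryption": "true"}}},
    {"Effect": "Allow", "Resource": "*", "Action": "ram:DeleteServiceLinkedRole",
     "Condition": {"StringEquals": {"ram:ServiceName": "encryption.hitsdb.aliyuncs.com"}}},
]}

def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (condition key -> value).
    Only the two operators this policy uses are modelled; a missing key never matches,
    which is what keeps untagged KMS keys out of the role's reach."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual == expected
            elif op == "StringEqualsIgnoreCase":
                ok = actual is not None and actual.lower() == expected.lower()
            else:
                raise ValueError("operator not modelled: " + op)
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Simplified RAM evaluation: default deny; allowed only if an Allow statement
    matches the action, a resource pattern and every condition it carries."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase(action, p) for p in actions)
                and any(fnmatch.fnmatchcase(resource, p) for p in resources)
                and _condition_holds(st.get("Condition", {}), ctx)):
            return True
    return False

if __name__ == "__main__":
    key = "acs:kms:cn-hangzhou:123456789012:key/placeholder-key-id"  # constructed ARN
    tagged = {"kms:tag/acs:lindorm:instance-encryption": "True"}      # constructed tag
    print(is_allowed(POLICY, "kms:DescribeKey", key))      # True: query works on any key
    print(is_allowed(POLICY, "kms:Decrypt", key))          # False: key is not tagged
    print(is_allowed(POLICY, "kms:Decrypt", key, tagged))  # True: tag match is case-insensitive
```

The same check applied to your own key inventory (key ARN plus its tags) tells you which keys the role could actually use for TDE and which are out of scope.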

Delete the AliyunServiceRoleForTSDBLindormEncryption role

Before deleting this role, confirm that no instances in your account are using it. To delete the role, follow the steps in Delete a service-linked role.

Grant a RAM user permission to create the role

In most cases, Alibaba Cloud account administrators already have the permissions needed to create service-linked roles. If a RAM user has insufficient permissions, grant the RAM user the ram:CreateServiceLinkedRole permission scoped to Lindorm's encryption service.

Create a custom policy with the following content and attach it to the RAM user. For steps, see Create a custom policy and Grant permissions to a RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encryption.hitsdb.aliyuncs.com"
        }
      }
    }
  ]
}