All Products
Search

This Product

    PolarDB:ModifyDBClusterTDE

    Document Center

    PolarDB:ModifyDBClusterTDE

    Last Updated:Dec 11, 2025

    ModifyDBClusterTDE

    Operation description

    Note

    • You must activate Key Management Service (KMS) before you perform this operation. For more information, see Purchase a dedicated KMS instance.

    • You cannot disable transparent data encryption (TDE) after you enable it.

    Try it now

    Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

    Test

    RAM authorization

    The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

    • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

    • API: The API that you can call to perform the action.

    • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

    • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

      • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

      • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

    • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

    • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

    Action

    Access level

    Resource type

    Condition key

    Dependent action

    polardb:ModifyDBClusterTDE

    update

    *DBCluster

    acs:polardb:{#regionId}:{#accountId}:dbcluster/{#DbClusterId}

    		 None None

    Request parameters

    Parameter

    Type

    Required

    Description

    Example
    DBClusterId

    string

    Yes

    The cluster ID.

    pc-************
    TDEStatus

    string

    Yes

    The TDE status. Set the value to Enable.

    Enable
    RoleArn

    string

    No

    The Global Resource Descriptor of the role. You can use this parameter to specify a role. For more information, see Overview of RAM roles.

    acs:ram::1406926*****:role/aliyunrdsinstanceencryptiondefaultrole
    EncryptionKey

    string

    No

    The ID of the custom key.

    749c1df7-****-****-****-*********
    EncryptNewTables

    string

    No

    Specifies whether to automatically encrypt all new tables. Valid values:

    • ON

    • OFF

    Note

    This parameter is valid only when the database engine is compatible with MySQL.

    ON
    EnableAutomaticRotation

    string

    No

    Specifies whether to automatically rotate the TDE key of the instance during the next O&M window after a new version of the KMS key is available. This parameter is valid only for custom keys.

    • true

    • false

    Note

    This parameter is supported only when the database engine is compatible with PostgreSQL or Oracle.

    false

    Response elements

    Element

    Type

    Description

    Example

    object

    RequestId

    string

    The request ID.

    5F859238-2A36-4A8D-BD0F-732112******

    Examples

    Success response

    JSON format

    {
  "RequestId": "5F859238-2A36-4A8D-BD0F-732112******"
}

    Error codes

    HTTP status code

    Error code

    Error message

    Description
    400 InvalidTDEStatus.AlreadyEnabled TDE has already enabled in the this cluster. TDE is already enabled for the cluster.
    400 InvalidDBType.Malformed The Specified DBType is not valid. The specified database type is invalid.
    400 InvalidTDEEnabledType.Malformed The specified parameter TDEStatus is not valid. The specified TDEStatus parameter is invalid.
    400 InvalidAutoTableTransparentEncryption.Malformed The specified AutoTableTransparentEncryption is not valid. The specified AutoTableTransparentEncryption parameter is invalid.
    403 UnsupportedKmsService.NotEnabled KMS service is not enabled. Key Management Service is not enabled.
    403 OperationDenied.DBNodeType The operation is not permitted due to type of node. The specified node type does not support this operation.
    403 IncorrectGdnState db instance %s status is not available:%s. The %s status is invalid: %s.
    404 InvalidDBCluster.NotFound The DBClusterId provided does not exist in our records. The specified DBClusterId parameter does not exist in the current record.
    404 InvalidDBClusterId.Malformed The specified parameter DBClusterId is not valid. The specified DBClusterId parameter is invalid.

    See Error Codes for a complete list.

    Release notes

    See Release Notes for a complete list.