PolarDB:Authorize a PolarDB cluster to access KMS

Last Updated: Mar 28, 2026

Transparent Data Encryption (TDE) encrypts data files on disk so that someone who obtains the underlying storage cannot read the data. PolarDB performs this encryption with keys held in Key Management Service (KMS), so before you can enable TDE on a cluster you must authorize the cluster to call KMS on your behalf. This takes two steps: create a permission policy that defines the KMS actions the cluster may call, then create a RAM role that trusts the RDS service (the trusted service PolarDB uses for TDE) and attach the policy to that role.

Prerequisites

Before you begin, ensure that you have:

  • Logged on to the RAM console with your Alibaba Cloud account

Step 1: Create a permission policy

Create a policy named AliyunRDSInstanceEncryptionRolePolicy that grants PolarDB the KMS actions it needs. The policy has two statements: the first lets the role list, describe, tag, and untag keys; the second lets it call Encrypt, Decrypt, and GenerateDataKey only on keys that carry the tag acs:rds:instance-encryption with the value true, so the role cannot use keys that were not designated for instance encryption.

  1. Go to the Policies page.

  2. Click Create Policy.

    A policy is a set of permissions described in a specific syntax. It specifies the authorized resources, the authorized operations, and the conditions under which the authorization applies. For more information, see Terms.
  3. On the JSON tab, paste the following policy document into the code editor:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "kms:List*",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/acs:rds:instance-encryption": "true"
                    }
                }
            }
        ]
    }
  4. Click Next to edit policy information and configure the following parameters:

     Parameter     Value
     Name          AliyunRDSInstanceEncryptionRolePolicy
     Description   Example: Allows PolarDB to access KMS
  5. Click OK.
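To make the effect of the tag condition concrete, here is an added example that is not part of the PolarDB documentation or of Alibaba Cloud's tooling: a small Python evaluator that applies the Step 1 policy document to constructed KMS requests. The key ARNs, account ID, and tag values are made-up sample data, and the evaluator is a simplified model of RAM's matching rules (glob wildcards in Action and Resource, the StringEqualsIgnoreCase operator, default deny, explicit Deny overriding Allow); it is an assumption that Action and Resource matching is case-insensitive, and it does not model any other condition operator.

```python
import fnmatch
import json

# The Step 1 policy document, reproduced as a Python dict. json.dumps(POLICY)
# gives back the JSON that is pasted into the console.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
            "Resource": ["acs:kms:*:*:*"],
            "Effect": "Allow",
        },
        {
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": ["acs:kms:*:*:*"],
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}
            },
        },
    ],
}

TAG_KEY = "acs:rds:instance-encryption"

# Constructed sample keys (the region, account ID and key IDs are made up):
# one tagged for instance encryption, one not.
TAGGED_KEY = "acs:kms:cn-hangzhou:123456789012:key/00000000-tagged"
UNTAGGED_KEY = "acs:kms:cn-hangzhou:123456789012:key/00000000-untagged"
KEY_TAGS = {TAGGED_KEY: {TAG_KEY: "true"}, UNTAGGED_KEY: {}}


def request_context(resource):
    """Build the kms:tag/<name> condition keys that a request on this key carries."""
    return {"kms:tag/" + name: value for name, value in KEY_TAGS.get(resource, {}).items()}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value):
    # Action and Resource entries are glob patterns ('*', '?'). Assumption: they are
    # matched case-insensitively, modelled here by lower-casing both sides.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the operator this policy uses is modelled; anything else fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            return False
        for key, expected in pairs.items():
            actual = context.get(key)  # a missing context key never satisfies the condition
            if actual is None or not any(actual.lower() == e.lower() for e in _as_list(expected)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; a matching Deny statement overrides any matching Allow."""
    if context is None:
        context = request_context(resource)
    allowed = False
    for stmt in policy["Statement"]:
        if not _glob_any(stmt["Action"], action) or not _glob_any(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_examples():
    """Map (action, key label) to the decision for the cases worth knowing about."""
    cases = [
        ("kms:DescribeKey", UNTAGGED_KEY),        # metadata: allowed on any key
        ("kms:ListKeys", UNTAGGED_KEY),           # matches kms:List*
        ("kms:Decrypt", TAGGED_KEY),              # crypto op on a tagged key: allowed
        ("kms:Decrypt", UNTAGGED_KEY),            # same op, untagged key: denied
        ("kms:GenerateDataKey", TAGGED_KEY),
        ("kms:CreateKey", TAGGED_KEY),            # not granted at all
        ("kms:ScheduleKeyDeletion", TAGGED_KEY),  # not granted at all
    ]
    return {(action, key.rsplit("/", 1)[1]): is_allowed(POLICY, action, key) for action, key in cases}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=4))
    for (action, key), ok in evaluate_examples().items():
        print(f"{action:<24} {key:<20} {'ALLOW' if ok else 'DENY'}")
```

Running the script prints the policy JSON followed by one decision per case. Two things stand out: DescribeKey and List* succeed on every key, while Decrypt on the untagged key is denied, so a TDE failure on a key the role can clearly see is the expected symptom of a missing tag. Also note that TagResource in the first statement is unconditional, so the tag condition scopes which keys the role operates on; it is not a second authorization gate held by the key owner, because whoever holds this role can apply the tag itself.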

Step 2: Create and authorize a RAM role

Create a RAM role named AliyunRDSInstanceEncryptionDefaultRole and attach the policy from Step 1 to it.

  1. Go to the RAM Roles page.

  2. Click Create Role.

  3. Select Alibaba Cloud Service and click Next.

  4. Configure the following parameters and click OK:

     Parameter               Value
     Role Type               Normal Service Role
     Role Name               AliyunRDSInstanceEncryptionDefaultRole
     Remarks                 A description that helps you identify the RAM role.
     Select Trusted Service  RDS
  5. After the "The Role has been created" message appears, click Add Permissions to RAM Role.

    If you close the confirmation panel before clicking Add Permissions to RAM Role, go to the RAM Roles page, find AliyunRDSInstanceEncryptionDefaultRole, and click Grant Permissions in the Actions column.
  6. In the Grant Permissions panel, click AliyunRDSInstanceEncryptionRolePolicy to add it to the Selected section.

  7. Click Grant Permissions.

PolarDB can now assume the role and call KMS, and you can enable TDE on your cluster. Keep the role's trusted service limited to RDS and its permissions limited to AliyunRDSInstanceEncryptionRolePolicy; attaching broader KMS permissions to this role would let the cluster use keys beyond those tagged for instance encryption.