
PolarDB:Grant PolarDB access to KMS

Last Updated:Nov 21, 2025

To use the TDE feature, you must grant PolarDB permission to access Key Management Service (KMS). You can grant this permission in the Resource Access Management (RAM) console.

Prerequisites

You must use an Alibaba Cloud account.

1. Create the AliyunRDSInstanceEncryptionRolePolicy access policy

  1. Log on to the Policy Management page of the RAM console.

  2. Click Create Policy.

    Note

    An access policy is a collection of permissions that uses a specific syntax to define authorized resources, operations, and conditions.

  3. Click the JSON tab and copy the following script to the code editor.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "kms:List*",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/acs:rds:instance-encryption": "true"
                    }
                }
            }
        ]
    }
  4. Click OK. In the dialog box that appears, enter the following information:

    Parameter        Description
    Policy Name      Enter AliyunRDSInstanceEncryptionRolePolicy.
    Description      Enter a note, for example: Used for PolarDB to access KMS.

  5. Click OK.
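The security-relevant part of the policy above is the split between the two statements: read-only and tagging actions are allowed on any key, but kms:Encrypt, kms:Decrypt and kms:GenerateDataKey are allowed only when the key carries the tag acs:rds:instance-encryption=true. The following Python script is an added illustration, not Alibaba Cloud code, that evaluates the page's policy against constructed requests to show that scoping in action. It models only the features this policy uses (Allow statements, wildcards in Action and Resource, and the StringEqualsIgnoreCase condition on a key tag); the key ARNs and tags are made-up sample values, and real RAM evaluation is performed by the service, not by this script.

```python
"""Minimal evaluator for the AliyunRDSInstanceEncryptionRolePolicy document.

Added illustration (not Alibaba Cloud code). It implements only what the
policy on this page needs: Effect=Allow, '*' wildcards in Action/Resource,
and the StringEqualsIgnoreCase condition keyed on a KMS key tag.
"""
import fnmatch
import json

# The policy exactly as given on the page.
POLICY_JSON = r'''{
    "Version": "1",
    "Statement": [
        {
            "Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
            "Resource": ["acs:kms:*:*:*"],
            "Effect": "Allow"
        },
        {
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": ["acs:kms:*:*:*"],
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        }
    ]
}'''
POLICY = json.loads(POLICY_JSON)

# Constructed sample keys (hypothetical account id and key ids, not real resources).
TAGGED_KEY = "acs:kms:cn-hangzhou:123456789012:key/example-tagged-key"
TAGGED_KEY_TAGS = {"acs:rds:instance-encryption": "True"}   # case differs on purpose
PLAIN_KEY = "acs:kms:cn-hangzhou:123456789012:key/example-untagged-key"
PLAIN_KEY_TAGS = {}


def key_context(tags):
    """Turn a key's tags into the request context keys the condition reads."""
    return {f"kms:tag/{name}": value for name, value in tags.items()}


def _matches(pattern, value):
    # RAM action and resource patterns use '*' as a wildcard; compare case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    """Only StringEqualsIgnoreCase is modelled; every key in it must match."""
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or actual.lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if some Allow statement covers the action, resource and context."""
    context = context or {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if not any(_matches(p, action) for p in statement["Action"]):
            continue
        if not any(_matches(p, resource) for p in statement["Resource"]):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False  # no matching Allow: denied by default


def check_policy():
    """Evaluate a few representative requests; returns {(action, key_label): allowed}."""
    keys = {"tagged": (TAGGED_KEY, TAGGED_KEY_TAGS), "untagged": (PLAIN_KEY, PLAIN_KEY_TAGS)}
    actions = ["kms:DescribeKey", "kms:ListKeys", "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateKey"]
    results = {}
    for label, (arn, tags) in keys.items():
        for action in actions:
            results[(action, label)] = is_allowed(POLICY, action, arn, key_context(tags))
    return results


if __name__ == "__main__":
    for (action, label), allowed in sorted(check_policy().items()):
        print(f"{action:<22} on {label:<9} key: {'ALLOW' if allowed else 'DENY'}")
```

Running the script shows that DescribeKey and ListKeys succeed on both keys, Decrypt and GenerateDataKey succeed only on the key tagged acs:rds:instance-encryption (the tag value "True" still matches because the operator ignores case), and an action outside the policy such as CreateKey is denied everywhere. When reviewing the role later, the thing to verify is that the second statement's Condition block is still present: without it, the role could use any KMS key in the account for encryption and decryption.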

2. Create and authorize the AliyunRDSInstanceEncryptionDefaultRole RAM role

After you create the policy, you must attach it to a RAM role. This allows PolarDB to access KMS resources.

  1. Log on to the Role Management page of the RAM console.

  2. Click Create Role.

  3. Select Cloud Service. From the Principal Name drop-down list, select the ApsaraDB RDS option that ends with rds.aliyuncs.com, and then click OK.

  4. In the Create Role dialog box, set Role Name to AliyunRDSInstanceEncryptionDefaultRole and then click OK.

  5. After the role is created, on the role details page, click the Permissions tab and then click Grant Permission.

  6. On the Grant Permission page, search for the AliyunRDSInstanceEncryptionRolePolicy policy that you created. Click the policy name to move it to the Selected Policy box on the right.

  7. Click Grant Permissions.

What to do next

After you create the access policy and the RAM role, you can enable TDE for your cluster. You can also enable TDE when you create a cluster.