PolarDB:Grant PolarDB access to KMS

Last Updated:Mar 28, 2026

Transparent Data Encryption (TDE) requires PolarDB to access Key Management Service (KMS). To grant this access, create a dedicated access policy and RAM role in the Resource Access Management (RAM) console.

Prerequisites

Before you begin, make sure that you have:

  • An Alibaba Cloud account (RAM users cannot perform this operation)

Step 1: Create the AliyunRDSInstanceEncryptionRolePolicy access policy

  1. Log on to the Policy Management page of the RAM console.

  2. Click Create Policy.

    Note

    An access policy is a collection of permissions that uses a specific syntax to define authorized resources, operations, and conditions.

  3. Click the JSON tab and paste the following JSON into the code editor.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "kms:List*",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/acs:rds:instance-encryption": "true"
                    }
                }
            }
        ]
    }

    The policy grants two sets of permissions:

    Permission               | Actions                                                        | Purpose
    -------------------------|----------------------------------------------------------------|---------------------------------------------------------------
    Key management           | kms:List*, kms:DescribeKey, kms:TagResource, kms:UntagResource | List and describe KMS keys across all resources
    Data encryption (scoped) | kms:Encrypt, kms:Decrypt, kms:GenerateDataKey                  | Encrypt and decrypt data and generate data encryption keys; restricted to keys tagged acs:rds:instance-encryption: true
  4. Click OK. In the dialog box, fill in the following fields:

    Parameter   | Value
    ------------|---------------------------------------------
    Policy Name | AliyunRDSInstanceEncryptionRolePolicy
    Description | For example: Used for PolarDB to access KMS
  5. Click OK.
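To confirm that the policy behaves as the table describes (unconditional List/Describe, but Encrypt/Decrypt/GenerateDataKey only on keys tagged acs:rds:instance-encryption: true), the following Python is an added illustration, not code from this page or from Alibaba Cloud: a minimal evaluator run against the policy document above. It assumes a simplified RAM model (Allow statements only, glob matching on Action and Resource, and only the StringEqualsIgnoreCase operator); the key resource name and tag values used in the checks are constructed.

```python
import fnmatch

# The AliyunRDSInstanceEncryptionRolePolicy document from the page, as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow"},
        {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
         "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}}},
    ],
}


def _condition_holds(condition, context):
    """Evaluate the condition block using only the operator this policy uses.

    `context` maps condition keys (e.g. "kms:tag/acs:rds:instance-encryption")
    to the request's values, here the tags on the target key. A missing key
    makes the condition fail, so an untagged key is denied by this statement.
    """
    for operator, clauses in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError(operator)  # assumption: other operators are out of scope
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None or actual.lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if an Allow statement matches the action and resource and its condition holds.

    Simplified model (an assumption of this example): no Deny statements,
    shell-style glob matching on Action and Resource, case-sensitive action names.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False  # no statement granted the request: implicit deny
```

Running the checks shows that a key missing the acs:rds:instance-encryption tag, or carrying any value other than true, is denied Decrypt even though DescribeKey on it succeeds.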

Step 2: Create and authorize the AliyunRDSInstanceEncryptionDefaultRole RAM role

After creating the policy, attach it to a RAM role so that PolarDB can assume the role to access KMS.

  1. Log on to the Role Management page of the RAM console.

  2. Click Create Role.

  3. Select Cloud Service. From the Principal Name drop-down list, select the ApsaraDB RDS option that ends with rds.aliyuncs.com, and then click OK.

  4. In the Create Role dialog box, set Role Name to AliyunRDSInstanceEncryptionDefaultRole and click OK.

  5. On the role details page, click the Permissions tab, and then click Grant Permission.

  6. On the Grant Permission page, search for AliyunRDSInstanceEncryptionRolePolicy. Click the policy name to move it to the Selected Policy box on the right.

  7. Click Grant Permissions.

What's next

With the access policy and RAM role in place, PolarDB has the permissions it needs to access KMS. You can now enable TDE for your cluster, or enable TDE when creating a new cluster.