
PolarDB:Authorize a PolarDB cluster to access KMS

Last Updated:Mar 30, 2026

Before you can enable Transparent Data Encryption (TDE) on a PolarDB cluster, you must grant PolarDB permission to access Key Management Service (KMS). You complete this in the Resource Access Management (RAM) console by creating an access policy and attaching it to a RAM role.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account. RAM users cannot perform these operations.

  • Access to the RAM console.

Step 1: Create the AliyunRDSInstanceEncryptionRolePolicy access policy

  1. Go to the Policy Management page of the RAM console.

  2. Click Create Policy.

  3. Click the JSON tab and paste the following policy into the code editor:

    The policy contains two permission blocks. The first grants KMS key listing, description, and tag management permissions for all KMS keys. The second grants encrypt, decrypt, and data key generation permissions only to KMS keys tagged with acs:rds:instance-encryption=true, limiting PolarDB to keys designated for instance encryption.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "kms:List*",
                    "kms:DescribeKey",
                    "kms:TagResource",
                    "kms:UntagResource"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "acs:kms:*:*:*"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/acs:rds:instance-encryption": "true"
                    }
                }
            }
        ]
    }
  4. Click OK. In the dialog box that appears, set the following fields:

    Policy Name: AliyunRDSInstanceEncryptionRolePolicy
    Description: for example, "Used for PolarDB to access KMS"
  5. Click OK.
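To see how the two statements of this policy combine, the following added example (not part of the Alibaba Cloud documentation) evaluates the policy locally against a KMS key's tags. It uses a deliberately simplified model of RAM semantics, stated as assumptions: any matching Allow statement grants the request, Resource is ignored because every statement here uses the full wildcard acs:kms:*:*:*, and only the StringEqualsIgnoreCase operator is modelled; the functions is_allowed and _condition_holds are hypothetical names chosen for this example.

```python
import fnmatch

# The AliyunRDSInstanceEncryptionRolePolicy statements from Step 1, as a Python dict.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow"},
        {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
         "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}}},
    ],
}


def _condition_holds(condition, request_context):
    """Return True when every condition key matches (assumed, simplified RAM semantics).

    Only StringEqualsIgnoreCase is implemented because it is the only operator
    this policy uses; a tag that is absent from the key never satisfies it.
    """
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise ValueError(f"operator not modelled by this example: {operator}")
        for key, expected in pairs.items():
            actual = request_context.get(key)
            if actual is None or actual.lower() != expected.lower():
                return False
    return True


def is_allowed(action, key_tags, policy=POLICY):
    """Decide whether `action` on a KMS key carrying `key_tags` is allowed by `policy`.

    Assumptions (hypothetical evaluator, not the RAM engine): the request is
    allowed if any Allow statement matches; Resource is ignored because every
    statement here uses the full wildcard; Deny statements are not modelled.
    """
    # Key tags become "kms:tag/<name>" condition keys, the form the policy's condition uses.
    request_context = {f"kms:tag/{name}": value for name, value in key_tags.items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns such as "kms:List*" are glob-style wildcards.
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), request_context):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: one key tagged for instance encryption, one untagged.
    tagged = {"acs:rds:instance-encryption": "True"}
    print(is_allowed("kms:ListKeys", {}), is_allowed("kms:Decrypt", {}), is_allowed("kms:Decrypt", tagged))
```

Running it shows that listing and describing keys works on any key, while Encrypt, Decrypt and GenerateDataKey succeed only on a key tagged acs:rds:instance-encryption=true (case-insensitively).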

Step 2: Create and authorize the AliyunRDSInstanceEncryptionDefaultRole RAM role

After you create the policy, attach it to a RAM role so PolarDB can use it to access KMS.

  1. Go to the Role Management page of the RAM console.

  2. Click Create Role.

  3. Select Cloud Service as the role type.

  4. From the Principal Name drop-down list, select the ApsaraDB RDS option that ends with rds.aliyuncs.com, then click OK.

  5. In the Create Role dialog box, set Role Name to AliyunRDSInstanceEncryptionDefaultRole, then click OK.

  6. On the role details page, click the Permissions tab, then click Grant Permission.

  7. On the Grant Permission page, search for AliyunRDSInstanceEncryptionRolePolicy. Click the policy name to move it to the Selected Policy box on the right.

  8. Click Grant Permissions.

What's next

With the access policy and RAM role in place, you can enable TDE for an existing cluster or during cluster creation.