To use the Transparent Data Encryption (TDE) feature of ApsaraDB RDS, you must authorize RDS to access Key Management Service (KMS). This topic describes how to authorize RDS to access KMS in the Resource Access Management (RAM) console.
Prerequisites
You are logged on to the RAM console with your Alibaba Cloud account.
Background information
You can use the cloud encryption feature to ensure data security without the need to modify your business and applications. For more information about the cloud encryption feature for RDS instances that run different database engines, see the following documentation:
Create the AliyunRDSInstanceEncryptionRolePolicy
Go to the Policies page.
On the Policies page, click Create Policy.
Note: A policy is a set of permissions that are defined by using a specific syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Terms.
On the JSON tab, copy and paste the following code to the code editor:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:List*",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:rds:instance-encryption": "true"
        }
      }
    }
  ]
}
The first statement lets RDS list, describe, tag, and untag keys in KMS. The second statement grants the cryptographic operations (Encrypt, Decrypt, and GenerateDataKey) only on keys that carry the tag acs:rds:instance-encryption with the value true (matched case-insensitively). Because the first statement also grants kms:TagResource, the role itself is able to apply that tag; the condition therefore scopes which keys RDS uses for instance encryption rather than preventing the role from ever reaching a key.
Click OK. In the dialog box that appears, configure the parameters described in the following table.
Parameter | Description
Policy Name | The name of the policy. Enter AliyunRDSInstanceEncryptionRolePolicy.
Description | The description of the policy. Example: Authorize RDS to access KMS.
Tag | Add a tag for the new policy.
Create and authorize a RAM role named AliyunRDSInstanceEncryptionDefaultRole
After you create the AliyunRDSInstanceEncryptionRolePolicy policy, you must create a RAM role and attach the policy to the RAM role. Then, RDS can access KMS.
Go to the Roles page.
On the Roles page, click Create Role.
On the page that appears, select Cloud Service. Then, select ApsaraDB RDS with the suffix rds.aliyuncs.com from the Principal Name drop-down list and click OK.
In the Create Role dialog box, set the Role Name parameter to AliyunRDSInstanceEncryptionDefaultRole and click OK.
After the "The Role has been created" message appears, click Add Permissions to RAM Role.
Note: If you have closed the page on which the "The Role has been created" message appears, you can go to the Roles page, find the AliyunRDSInstanceEncryptionDefaultRole role, and then click Grant Permission in the Actions column.
In the Grant Permission panel, select the AliyunRDSInstanceEncryptionRolePolicy policy that you created to add the policy to the Selected Policy section.
Click Grant permissions.
(Optional) View a role ARN
An Alibaba Cloud Resource Name (ARN) is the globally unique identifier of a resource, in this case the RAM role. The ARN identifies the role that RDS assumes; the permissions the role carries come from the policies attached to it. When you call an API operation to enable the cloud disk encryption feature, you must specify the ARN of a RAM role that has the permissions to access KMS. For more information, see CreateDBInstance.
Go to the Roles page.
Find the required role and click the role name.
In the upper-right corner of the page that appears, view the role ARN. A role ARN has the form acs:ram::<account ID>:role/<role name>.
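The three procedures above (create the policy, create and authorize the role, look up the role ARN) are console steps, so it is easy to lose sight of what the policy actually permits. The following added example, written for this page and not taken from Alibaba Cloud's own code, embeds the policy document exactly as shown above and evaluates it with a deliberately simplified RAM-style evaluator: wildcard matching on Action and Resource, explicit Deny overriding Allow, and the single condition operator this policy uses (StringEqualsIgnoreCase on a kms:tag/ key). It also builds the trust policy that corresponds to choosing ApsaraDB RDS (rds.aliyuncs.com) as the trusted service, and returns the Alibaba Cloud CLI commands that are equivalent to the console steps. The trust policy document, the lowercase role-name segment in the ARN, and the exact CLI invocations are assumptions made here; the key ARN and tags in the demonstration are constructed sample values.

```python
import fnmatch
import json
import shlex

# AliyunRDSInstanceEncryptionRolePolicy, verbatim from the topic above.
POLICY_DOCUMENT = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
            "Resource": ["acs:kms:*:*:*"],
            "Effect": "Allow",
        },
        {
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": ["acs:kms:*:*:*"],
            "Effect": "Allow",
            "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}},
        },
    ],
}

# Assumed trust policy: what selecting "ApsaraDB RDS (rds.aliyuncs.com)" in the console produces.
TRUST_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["rds.aliyuncs.com"]}}
    ],
}

POLICY_NAME = "AliyunRDSInstanceEncryptionRolePolicy"
ROLE_NAME = "AliyunRDSInstanceEncryptionDefaultRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    # RAM Action/Resource entries use "*" as a wildcard, e.g. "kms:List*" or "acs:kms:*:*:*".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, key_tags):
    # Only the operator and condition key this policy uses are modelled; anything else is rejected loudly.
    for operator, clauses in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for cond_key, expected in clauses.items():
            if not cond_key.startswith("kms:tag/"):
                raise NotImplementedError(f"condition key {cond_key} not modelled")
            actual = key_tags.get(cond_key[len("kms:tag/"):])
            if actual is None:
                return False  # a key without the tag never satisfies the condition
            if actual.lower() not in [e.lower() for e in _as_list(expected)]:
                return False
    return True


def is_allowed(policy, action, resource, key_tags=None):
    """Simplified RAM evaluation: explicit Deny wins, any matching Allow grants, default is deny."""
    key_tags = key_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _glob_match(stmt["Action"], action) or not _glob_match(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), key_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def role_arn(account_id, role_name=ROLE_NAME):
    # Assumed ARN layout acs:ram::<account ID>:role/<role name>, with the role name in lowercase.
    return f"acs:ram::{account_id}:role/{role_name.lower()}"


def cli_commands():
    # Assumed Alibaba Cloud CLI equivalents of the console steps (aliyun <product> <Action> --<Param> ...).
    policy_doc = shlex.quote(json.dumps(POLICY_DOCUMENT, separators=(",", ":")))
    trust_doc = shlex.quote(json.dumps(TRUST_POLICY, separators=(",", ":")))
    return [
        f"aliyun ram CreatePolicy --PolicyName {POLICY_NAME} --PolicyDocument {policy_doc} "
        f"--Description {shlex.quote('Authorize RDS to access KMS')}",
        f"aliyun ram CreateRole --RoleName {ROLE_NAME} --AssumeRolePolicyDocument {trust_doc}",
        f"aliyun ram AttachPolicyToRole --PolicyType Custom --PolicyName {POLICY_NAME} --RoleName {ROLE_NAME}",
        f"aliyun ram GetRole --RoleName {ROLE_NAME}",
    ]


if __name__ == "__main__":
    key = "acs:kms:cn-hangzhou:123456789012:key/0b1c2d3e-example"  # constructed key ARN
    print("Decrypt, tagged key  :", is_allowed(POLICY_DOCUMENT, "kms:Decrypt", key, {"acs:rds:instance-encryption": "TRUE"}))
    print("Decrypt, untagged key:", is_allowed(POLICY_DOCUMENT, "kms:Decrypt", key, {}))
    print(role_arn("123456789012"))
    print("\n".join(cli_commands()))
```

Running the demonstration shows the point the policy is built around: DescribeKey and List operations succeed on any key, while Decrypt on the same key flips from denied to allowed purely on the presence of the acs:rds:instance-encryption tag, and the tag value is accepted regardless of case. Run the returned CLI commands only after checking them against the current RAM API reference, since they are written from the API parameter names rather than copied from this page.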