Authorize ApsaraDB RDS for MySQL to access KMS - ApsaraDB RDS

To use the disk encryption feature for an ApsaraDB RDS for MySQL instance, you must authorize the instance to access Key Management Service (KMS). This topic describes how to authorize your RDS instance to access KMS by using the RAM console.

Prerequisites

You are logged on to the RAM console with your Alibaba Cloud account.

Create a permission policy named AliyunRDSInstanceEncryptionRolePolicy

Go to the Policies page.
On the Policies page, click Create Policy.
Note
A policy is a set of permissions that are described by using a specific syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Terms.

On the JSON tab, copy and paste the following code to the code editor:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:List*",
                "kms:DescribeKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": [
                "acs:kms:*:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:*:*:*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        }
    ]
}

Click Next to edit policy information and configure the following parameters.

Parameter	Description
Name	The name of the policy. Enter AliyunRDSInstanceEncryptionRolePolicy.
Description	The information that is used to identify the policy. Example: Allows ApsaraDB RDS to access KMS.

Click OK.

Create and authorize a RAM role named AliyunRDSInstanceEncryptionDefaultRole

After you create the AliyunRDSInstanceEncryptionRolePolicy permission policy, you must create a RAM role and attach the permission policy to the RAM role. Then, ApsaraDB RDS can access KMS.

Go to the RAM Roles page.
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Service and click Next.

Configure the following parameters and click OK.

Parameter	Description
Role Type	Select Normal Service Role.
RAM Role Name	The name of the RAM role. Enter AliyunRDSInstanceEncryptionDefaultRole.
Note	The information that is used to identify the RAM role.
Select Trusted Service	The trusted service of the RAM role. Select RDS.

After the The Role has been created message appears, click Add Permissions to RAM Role.
Note
If you have closed the panel in which the message "The Role has been created" appears, you can go to the Roles page, find the AliyunRDSInstanceEncryptionDefaultRole role, and then click Grant Permissions in the Actions column.
In the Grant Permissions panel, click the AliyunRDSInstanceEncryptionRolePolicy policy to add the policy to the Selected section.
Click Grant permissions.

(Optional) View the ARN of a RAM user

Alibaba Cloud Resource Name (ARN) is the global resource descriptor of a RAM role. The ARN of a RAM role describes the resources that the RAM role can access. When you call an API operation to enable the disk encryption feature, you must specify the ARN of a RAM role that has the permissions to access KMS. For more information, see CreateDBInstance.

Go to the RAM Roles page.
Find the RAM role that you want to use. Then, click the name of the RAM role.
In the Basic Information section of the page that appears, view the ARN of the RAM role.