To use the disk encryption feature, you must authorize ApsaraDB RDS to access Key Management Service (KMS). You can grant the required permissions in the Resource Access Management (RAM) console.
Prerequisites
An Alibaba Cloud account is required.
Background information
Disk encryption helps ensure data security without requiring you to modify your business or applications. For more information about disk encryption for ApsaraDB RDS instances that run different database engines, see the following topics:
Create the AliyunRDSInstanceEncryptionRolePolicy access policy
Log on to the Policies page in the RAM console.
Click Create Policy.
Note: An access policy is a set of permissions that are described using a specific syntax. A policy defines the authorized resources, operations, and conditions.
Click the Script tab and copy the following script into the script editor.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:List*",
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:rds:instance-encryption": "true"
        }
      }
    }
  ]
}
Click OK. In the dialog box that appears, configure the following information and click OK.
Policy Name: Enter a name for the policy. Use AliyunRDSInstanceEncryptionRolePolicy.
Description: Enter a description. For example: Authorize ApsaraDB RDS to access KMS.
Tag: Attach a tag to the new policy.
Create and authorize the AliyunRDSInstanceEncryptionDefaultRole RAM role
After you create the policy, you must attach it to a RAM role. This grants ApsaraDB RDS access to KMS resources.
Log on to the Roles page in the RAM console.
Click Create Role.
Select Alibaba Cloud Service. From the Select Trusted Service drop-down list, select the ApsaraDB RDS entry that has the rds.aliyuncs.com suffix. Then, click OK.
In the Create Role dialog box, set Role Name to AliyunRDSInstanceEncryptionDefaultRole and click OK.
When a message appears indicating that the role is created, click Grant Permission.
Note: If you have closed the Role Created Successfully page, you can also search for AliyunRDSInstanceEncryptionDefaultRole on the RAM Role Management page and click Grant Permission.
On the Grant Permission page, search for the AliyunRDSInstanceEncryptionRolePolicy policy that you created. Click the policy to move it to the Selected section on the right.
Click OK.
(Optional) View the ARN of the role
An Alibaba Cloud Resource Name (ARN) is a Global Resource Descriptor that uniquely identifies a RAM role. When you call an API operation to enable disk encryption, you must pass the ARN of a RAM role that has permissions to access KMS. For more information, see CreateDBInstance.
Log on to the Roles page in the RAM console.
Find the role and click its name.
Locate the ARN in the upper-right corner.