To use transparent data encryption (TDE) on ApsaraDB RDS, you must authorize the RDS service to call Key Management Service (KMS). This involves two steps in the Resource Access Management (RAM) console: creating a policy that defines the required KMS permissions, then creating a service role that trusts RDS and attaching the policy to it.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account with access to the RAM console
How it works
The authorization requires two RAM objects working together:
Policy (AliyunRDSInstanceEncryptionRolePolicy): Defines the KMS actions RDS is allowed to perform. The policy grants read and tag management access to KMS keys (kms:List*, kms:DescribeKey, kms:TagResource, kms:UntagResource) and restricts encryption operations (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey) to keys that carry the acs:rds:instance-encryption: true tag, ensuring RDS can only use keys designated for RDS encryption.
Service role (AliyunRDSInstanceEncryptionDefaultRole): A RAM role that trusts the RDS service. Attaching the policy to this role lets RDS assume the role and call KMS on your behalf.
Create a policy
Go to the Policies page.
Click Create Policy.
On the JSON tab, replace the existing content with the following:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "kms:List*",
            "kms:DescribeKey",
            "kms:TagResource",
            "kms:UntagResource"
          ],
          "Resource": [
            "acs:kms:*:*:*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
            "acs:kms:*:*:*"
          ],
          "Effect": "Allow",
          "Condition": {
            "StringEqualsIgnoreCase": {
              "kms:tag/acs:rds:instance-encryption": "true"
            }
          }
        }
      ]
    }
Click OK. In the dialog that appears, configure the following parameters and click OK.
Parameter    Description
Name         Enter AliyunRDSInstanceEncryptionRolePolicy
Description  Enter a description, for example: Authorize RDS to access KMS
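The following is an added example, not part of the Alibaba Cloud documentation: a small, simplified evaluator for the policy document above, so you can check what it lets RDS do before you grant it. It models only the one operator this policy uses (StringEqualsIgnoreCase on a kms:tag/ condition key) and ignores Resource because the policy uses the full wildcard; it is not the RAM policy engine.

```python
import fnmatch
import json

# The policy document from this page, embedded so the example runs offline.
RDS_KMS_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource"],
   "Resource": ["acs:kms:*:*:*"], "Effect": "Allow"},
  {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
   "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
   "Condition": {"StringEqualsIgnoreCase": {"kms:tag/acs:rds:instance-encryption": "true"}}}
]}
""")


def _action_matches(pattern, action):
    # RAM action names use '*' wildcards (kms:List* covers kms:ListKeys) and are
    # compared case-insensitively in this simplified model.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, key_tags):
    # Only StringEqualsIgnoreCase on kms:tag/<tag-key> is modelled (assumption of this example).
    for operator, clauses in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for cond_key, expected in clauses.items():
            if not cond_key.startswith("kms:tag/"):
                raise NotImplementedError(f"condition key not modelled: {cond_key}")
            actual = key_tags.get(cond_key[len("kms:tag/"):])
            if actual is None or actual.lower() != expected.lower():
                return False  # tag missing or value differs: statement does not apply
    return True


def is_allowed(policy, action, key_tags):
    """True if any Allow statement names the action and its Condition holds for the key's tags."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_action_matches(p, action) for p in stmt["Action"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), key_tags):
            return True
    return False  # RAM denies anything no statement allows


if __name__ == "__main__":
    tagged = {"acs:rds:instance-encryption": "true"}   # constructed sample key tags
    for action, tags in [("kms:DescribeKey", {}), ("kms:Encrypt", {}), ("kms:Encrypt", tagged)]:
        print(action, "tagged" if tags else "untagged", "->", is_allowed(RDS_KMS_POLICY, action, tags))
```

A useful check before granting the role: an untagged key must come back denied for kms:Encrypt, kms:Decrypt and kms:GenerateDataKey, which confirms the Condition block survived the paste intact.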
Create and authorize a RAM role
After creating the policy, create a service role and attach the policy to it.
Go to the Roles page.
Click Create Role.
Select Alibaba Cloud Service and click Next.
Configure the following parameters and click OK.
Parameter               Description
Role Type               Select Normal Service Role
RAM Role Name           Enter AliyunRDSInstanceEncryptionDefaultRole
Note                    Enter a description for the role
Select Trusted Service  Select RDS
After the "The Role has been created" message appears, click Add Permissions to RAM Role.
If you closed the confirmation page, go to the Roles page, find AliyunRDSInstanceEncryptionDefaultRole, and click Grant Permission in the Actions column.
In the Grant Permission panel, select AliyunRDSInstanceEncryptionRolePolicy to add it to the Selected Policy section.
Click Grant permissions.
RDS can now access KMS using this role. Return to the cloud disk encryption setup for your database engine to complete the TDE configuration: