To use the disk encryption feature for an ApsaraDB RDS for MySQL instance, you must authorize ApsaraDB RDS for MySQL to access Key Management Service (KMS). This topic describes how to authorize ApsaraDB RDS for MySQL to access KMS in the RAM console.


You are logged on to the RAM console with your Alibaba Cloud account.

Create a policy named AliyunRDSInstanceEncryptionRolePolicy

  1. Go to the Policies page.
  2. On the Policies page, click Create Policy.
    Note A policy is a set of permissions that are described by using a specific syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Terms.
  3. On the JSON tab, copy and paste the following code to the code editor:
        "Version": "1",
        "Statement": [
                "Action": [
                "Resource": [
                "Effect": "Allow"
                "Action": [
                "Resource": [
                "Effect": "Allow",
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/acs:rds:instance-encryption": "true"
  4. Click Next to edit policy information and configure the following parameters.
    NameThe name of the policy. Enter AliyunRDSInstanceEncryptionRolePolicy.
    DescriptionThe information that is used to identify the policy. Example: Allows ApsaraDB RDS to access KMS.
  5. Click OK.

Create and authorize a RAM role named AliyunRDSInstanceEncryptionDefaultRole

After you create the AliyunRDSInstanceEncryptionRolePolicy permission policy, you must create a RAM role and attach the permission policy to the RAM role. Then, ApsaraDB RDS can access KMS.

  1. Go to the Roles page.
  2. On the Roles page, click Create Role.
  3. In the Create Role panel, select Alibaba Cloud Service and click Next.
  4. Configure the following parameters and click OK.
    Role TypeSelect Normal Service Role.
    RAM Role NameThe name of the RAM role. Enter AliyunRDSInstanceEncryptionDefaultRole.
    NoteThe information that is used to identify the RAM role.
    Select Trusted ServiceThe trusted service of the RAM role. Select RDS.
  5. After the The Role has been created message appears, click Add Permissions to RAM Role.
    Note If you have closed the panel in which the message "The Role has been created" appears, you can go to the Roles page, find the AliyunRDSInstanceEncryptionDefaultRole role, and then click Add Permissions in the Actions column.
  6. In the Add Permissions panel, click the AliyunRDSInstanceEncryptionRolePolicy policy to add the policy to the Selected section.
  7. Click OK.

(Optional) View the ARN of a RAM user

Alibaba Cloud Resource Name (ARN) is the global resource descriptor of a RAM role. The ARN of a RAM role describes the resources that the RAM role can access. When you call an API operation to enable the disk encryption feature, you must specify the ARN of a RAM role that has the permissions to access KMS. For more information, see CreateDBInstance.

  1. Go to the RAM Roles page.
  2. Find the RAM role that you want to use. Then, click the name of the RAM role.
  3. In the Basic Information section of the page that appears, view the ARN of the RAM role.