This topic describes the scenarios and permissions of AliyunServiceRoleForOceanBaseEncryption, a role linked to ApsaraDB for OceanBase.
Background information
AliyunServiceRoleForOceanBaseEncryption is a Resource Access Management (RAM) role that ApsaraDB for OceanBase assumes to access other cloud services when it performs tasks on your behalf. For more information about this type of role, see Service-linked roles.
Scenarios
The key used by the transparent data encryption (TDE) feature of ApsaraDB for OceanBase is protected by Key Management Service (KMS). ApsaraDB for OceanBase accesses KMS by assuming the service-linked role AliyunServiceRoleForOceanBaseEncryption.
Permissions
Role name: AliyunServiceRoleForOceanBaseEncryption
Role policy: AliyunServiceRolePolicyForOceanBaseEncryption
The permissions are described as follows:
{
    "Statement": [
        {
            "Action": [
                "kms:ListKeys",
                "kms:ListAliasesByKeyId",
                "kms:ListAliases",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "acs:kms:*:*:*"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/oceanbase:encryption": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "acs:kms:*:*:*"
        },
        {
            "Action": "ram:DeleteServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "encryption.oceanbase.aliyuncs.com"
                }
            }
        }
    ],
    "Version": "1"
}
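The practical effect of this policy is that the role can list and describe any KMS key, but can only encrypt, decrypt or generate data keys with keys tagged oceanbase:encryption=true. The following Python script is an added illustration, not Alibaba Cloud's RAM evaluation engine: it models only the Allow effect, wildcard resource matching and the two condition operators this policy uses, and the key ARN and tag values in it are constructed samples.

```python
from fnmatch import fnmatchcase

# The three statements of AliyunServiceRolePolicyForOceanBaseEncryption, as shown above.
POLICY = {"Version": "1", "Statement": [
    {"Action": ["kms:ListKeys", "kms:ListAliasesByKeyId", "kms:ListAliases", "kms:DescribeKey"],
     "Effect": "Allow", "Resource": "acs:kms:*:*:*"},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Condition": {"StringEqualsIgnoreCase": {"kms:tag/oceanbase:encryption": "true"}},
     "Effect": "Allow", "Resource": "acs:kms:*:*:*"},
    {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "encryption.oceanbase.aliyuncs.com"}}},
]}

# Simplified evaluator: only the operators this policy uses; an absent context key never matches.
_OPERATORS = {
    "StringEquals": lambda want, have: have is not None and have == want,
    "StringEqualsIgnoreCase": lambda want, have: have is not None and have.lower() == want.lower(),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions_met(condition, context):
    # All operator blocks and all keys within them must hold (AND); listed values are alternatives (OR).
    for operator, checks in condition.items():
        test = _OPERATORS[operator]
        for key, want in checks.items():
            if not any(test(w, context.get(key)) for w in _as_list(want)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if at least one Allow statement matches the action, resource and request context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _conditions_met(stmt.get("Condition", {}), context):
            return True
    return False

if __name__ == "__main__":
    key = "acs:kms:cn-hangzhou:123456789012:key/example-key-id"  # constructed sample key ARN
    print(is_allowed(POLICY, "kms:Decrypt", key, {"kms:tag/oceanbase:encryption": "True"}))  # True
    print(is_allowed(POLICY, "kms:Decrypt", key))  # False: key is not tagged for OceanBase TDE
```

Run it against your own key tags to confirm that a key you intend for OceanBase TDE carries exactly the oceanbase:encryption=true tag; a mis-tagged key will make TDE calls fail with an authorization error rather than with a key error.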
FAQ
Why can't my RAM user automatically create the service-linked role AliyunServiceRoleForOceanBaseEncryption?
A RAM user must be granted the required permissions before AliyunServiceRoleForOceanBaseEncryption can be automatically created or deleted. To allow the role to be created automatically, attach the following permission policy to your RAM user:
{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "encryption.oceanbase.aliyuncs.com"
        }
    }
}