To use the transparent data encryption (TDE) feature of Lindorm, you must assign the AliyunServiceRoleForTSDBLindormEncryption service-linked role to Lindorm. After the role is assigned to Lindorm, Lindorm can use the data encryption feature in the current Alibaba Cloud account.

Background information

A service-linked role is a Resource Access Management (RAM) role that is associated with a specific cloud service. In most cases, the cloud service automatically creates or deletes a service-linked role as needed. You do not need to manually create or delete the service-linked role. For example, the AliyunServiceRoleForTSDBLindormEncryption service-linked role can help Lindorm obtain permissions to access Key Management Service (KMS) in some scenarios. When the TDE feature is enabled, the system automatically creates service-linked roles. For information about service-linked roles, see Service-linked roles.
Note: The policy that is attached to a service-linked role is predefined by the linked cloud service. You cannot modify or delete this policy. You cannot attach policies to or detach policies from a service-linked role.

AliyunServiceRoleForTSDBLindormEncryption

Role name: AliyunServiceRoleForTSDBLindormEncryption

Role policy: AliyunServiceRoleForTSDBLindormEncryption

Permission description: This service-linked role allows Lindorm to access related resources in KMS. When the TDE feature of Lindorm is enabled, you can use the service-linked role to query and manage keys. The following sample code provides an example of the policy content.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListResourceTags",
        "kms:DescribeKey"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:CreateAlias"
      ],
      "Resource": [
        "acs:kms:*:*:*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/acs:lindorm:instance-encryption": "true"
        }
      }
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encryption.hitsdb.aliyuncs.com"
        }
      }
    }
  ]
}

Delete the AliyunServiceRoleForTSDBLindormEncryption role

If you want to delete the AliyunServiceRoleForTSDBLindormEncryption service-linked role, make sure that no instances in your account use the service-linked role. For more information, see Delete a service-linked role.

Permissions that are required by a RAM user to create a service-linked role

In most cases, the permissions that are required to create a service-linked role are included in the administrator policy of the corresponding cloud service. You can create a service-linked role for the cloud service if you are granted the administrator permissions on the cloud service.

If your RAM user has insufficient permissions, you can grant the following permissions before you assign the service-linked role to the RAM user. For information about how to grant permissions, see Create a custom policy and Grant permissions to a RAM user. You can also assign the service-linked role to the Alibaba Cloud account.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "encryption.hitsdb.aliyuncs.com"
        }
      }
    }
  ]
}