To use the Transparent Data Encryption (TDE) feature of ApsaraDB RDS, you must authorize RDS to access Key Management Service (KMS). This topic describes how to authorize RDS to access KMS in the Resource Access Management (RAM) console.
Prerequisites
You are logged on to the RAM console with your Alibaba Cloud account.
Background information
You can use the cloud encryption feature to ensure data security without the need to modify your business and applications. For more information about the cloud encryption feature for RDS instances that run different database engines, see the following documentation:
Create a policy named AliyunRDSInstanceEncryptionRolePolicy
Go to the Policies page.
On the Policies page, click Create Policy.
Note: A policy is a set of permissions that are defined by using a specific syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Terms.
On the JSON tab, copy and paste the following code to the code editor:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "kms:List*",
                "kms:DescribeKey",
                "kms:TagResource",
                "kms:UntagResource"
            ],
            "Resource": [
                "acs:kms:*:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:*:*:*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/acs:rds:instance-encryption": "true"
                }
            }
        }
    ]
}
Click OK. In the dialog box that appears, configure the parameters that are described in the following table.
Parameter | Description
Name | The name of the policy. Enter AliyunRDSInstanceEncryptionRolePolicy.
Description | The description of the policy. Example: Authorize RDS to access KMS.
Click OK.
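The second statement of the policy above is the security-relevant part: RDS may call Encrypt, Decrypt and GenerateDataKey only on keys that carry the tag acs:rds:instance-encryption=true, while the read-only and tagging actions in the first statement apply to every key. As an added example (not part of the Alibaba Cloud documentation or the RAM service), the following Python script embeds that policy and evaluates a simplified allow decision for a given action and key tag set, so you can see which calls the condition permits. It implements only the action wildcard and the StringEqualsIgnoreCase tag operator this policy uses; the key tag sets are constructed sample data.

```python
import fnmatch

# The policy document from this page, embedded so the script runs offline.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["kms:List*", "kms:DescribeKey", "kms:TagResource",
                    "kms:UntagResource"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow"},
        {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": ["acs:kms:*:*:*"], "Effect": "Allow",
         "Condition": {"StringEqualsIgnoreCase":
                       {"kms:tag/acs:rds:instance-encryption": "true"}}},
    ],
}


def _action_matches(pattern, action):
    # RAM action names are case-insensitive; "kms:List*" is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, key_tags):
    # Only the operator used by this policy is implemented; any other
    # operator or condition key is treated as unsatisfied (fail closed).
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            return False
        for cond_key, expected in pairs.items():
            if not cond_key.startswith("kms:tag/"):
                return False
            actual = key_tags.get(cond_key[len("kms:tag/"):])
            if actual is None or actual.lower() != expected.lower():
                return False
    return True


def is_allowed(policy, action, key_tags):
    """True if an Allow statement covers the action and its Condition
    (if any) holds for the key's tags. This policy has no Deny statements,
    so no explicit-deny handling is needed."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, action) for p in stmt["Action"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), key_tags):
            return True
    return False


def evaluate_cases(policy=POLICY):
    # Constructed sample keys: one tagged for RDS encryption, one not.
    tagged = {"acs:rds:instance-encryption": "True"}
    untagged = {"Purpose": "app-secrets"}
    return {
        "describe_untagged": is_allowed(policy, "kms:DescribeKey", untagged),
        "listkeys_untagged": is_allowed(policy, "kms:ListKeys", untagged),
        "decrypt_tagged": is_allowed(policy, "kms:Decrypt", tagged),
        "decrypt_untagged": is_allowed(policy, "kms:Decrypt", untagged),
        "createkey_tagged": is_allowed(policy, "kms:CreateKey", tagged),
    }
```

The mixed-case tag value in the tagged sample key is deliberate: it shows why the condition uses StringEqualsIgnoreCase rather than an exact string match.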
Create and authorize a RAM role named AliyunRDSInstanceEncryptionDefaultRole
After you create the AliyunRDSInstanceEncryptionRolePolicy policy, you must create a RAM role and attach the policy to the RAM role. Then, RDS can access KMS.
Go to the Roles page.
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Service and click Next.
Configure the parameters that are described in the following table and click OK.
Parameter | Description
Role Type | The type of the role. Select Normal Service Role.
RAM Role Name | The name of the RAM role. Enter AliyunRDSInstanceEncryptionDefaultRole.
Note | The description of the RAM role.
Select Trusted Service | The trusted service of the RAM role. Select RDS.
After the The Role has been created message appears, click Add Permissions to RAM Role.
Note: If you have closed the page on which the The Role has been created message appears, you can go to the Roles page, find the AliyunRDSInstanceEncryptionDefaultRole role, and then click Grant Permission in the Actions column.
In the Grant Permission panel, select the AliyunRDSInstanceEncryptionRolePolicy policy that you created to add the policy to the Selected Policy section.
Click Grant permissions.