Creating IAM Policies for Block Storage Encryption Using a KMS Key

Create Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to allow Block Storage and Big Data Service to use the KMS keys in a compartment.

At minimum, Big Data Service requires the following four policy statements. Each can be written as its own policy, or all four can be placed in one policy; in every case the where clause restricts the grant to the single key identified by <ocid_of_key> rather than to every key in the compartment.

  • A policy with the following policy statement:

    allow service blockstorage to use keys in compartment <name_of_compartment> where target.key.id='<ocid_of_key>'

    That policy statement lets the Block Storage service use the key whose OCID is <ocid_of_key> in compartment <name_of_compartment> to encrypt the cluster's block volumes. Without the where clause, Block Storage could use any key in that compartment.

  • A policy with the following policy statement:

    allow service bdsprod to use key-delegate in compartment <name_of_compartment> where target.key.id='<ocid_of_key>'

    That policy statement lets Big Data Service (service principal bdsprod) delegate use of the key whose OCID is <ocid_of_key> in compartment <name_of_compartment> to the services that act on its behalf; key-delegate is the resource type that grants this delegation permission, and the where clause again limits it to that one key.

  • A policy with the following policy statement:

    allow service bdsprod to read keys in compartment <name_of_compartment> where target.key.id='<ocid_of_key>'

    That policy statement lets Big Data Service read (but not use) the key whose OCID is <ocid_of_key> in compartment <name_of_compartment>, so that it can look the key up when the cluster is created.

  • A policy with the following policy statement:

    allow group <user-group> to use key-delegate in compartment <name_of_compartment> where target.key.id='<ocid_of_key>'

    That policy statement lets the users in IAM group <user-group> (typically the group that creates Big Data Service clusters) delegate use of the key whose OCID is <ocid_of_key> in compartment <name_of_compartment>. Replace <user-group> with the name of your own group.
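The four statements above assembled into a single policy and created with the OCI CLI, as an added example that is not part of the Oracle documentation. The policy name bds-kms-key-access, the sample compartment and group names, and the check that a key OCID begins with ocid1.key. are assumptions of this example; the statements themselves are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: build the four statements
# from this page into one policy and create it with the OCI CLI.
# Assumptions: the compartment name, key OCID and group name are supplied by the
# caller; the policy name "bds-kms-key-access" is made up; the check that a key
# OCID starts with "ocid1.key." is an assumption about Vault key OCIDs.
set -eu

# Print the statements as a JSON array, the format `oci iam policy create
# --statements` accepts. Each statement is scoped to the single key OCID.
bds_kms_policy_statements() {
    compartment=$1
    key_ocid=$2
    group=$3
    case "$key_ocid" in
        ocid1.key.*) ;;
        *) echo "refusing: '$key_ocid' is not a Vault key OCID" >&2; return 1 ;;
    esac
    scope="in compartment $compartment where target.key.id='$key_ocid'"
    printf '[\n'
    printf '  "allow service blockstorage to use keys %s",\n' "$scope"
    printf '  "allow service bdsprod to use key-delegate %s",\n' "$scope"
    printf '  "allow service bdsprod to read keys %s",\n' "$scope"
    printf '  "allow group %s to use key-delegate %s"\n' "$group" "$scope"
    printf ']\n'
}

# Count the statements that carry the key-scoping where clause; a statement
# without it would grant access to every key in the compartment.
count_scoped_statements() {
    bds_kms_policy_statements "$@" | grep -c "where target.key.id='"
}

# Create the policy. The policy's own compartment must be the key's compartment
# or one of its ancestors, so pass that compartment's OCID first. Not run by
# default; call it explicitly once the statements look right.
create_bds_kms_policy() {
    policy_compartment_ocid=$1
    shift
    oci iam policy create \
        --compartment-id "$policy_compartment_ocid" \
        --name bds-kms-key-access \
        --description "Block Storage and Big Data Service access to one customer-managed key" \
        --statements "$(bds_kms_policy_statements "$@")"
}

# Usage: sh bds_kms_policy.sh <compartment_name> <key_ocid> <group>
# Prints the statements for review; create_bds_kms_policy is left for the caller.
if [ "$#" -eq 3 ]; then
    bds_kms_policy_statements "$@"
fi
```

Review the printed statements before calling create_bds_kms_policy: a statement that lost its where clause, or a key OCID pasted from the wrong vault, widens the grant from one key to every key in the compartment, which is exactly what the scoping on this page is meant to prevent.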