
Key Management Service:SetSecretPolicy

Last Updated:Jul 25, 2024

Configures a policy for a secret in a Key Management Service (KMS) instance.

For more information about secret policies, see Overview.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

| Parameter | Type | Required | Example | Description |
| --- | --- | --- | --- | --- |
| Action | String | Yes | SetSecretPolicy | The operation that you want to perform. Set the value to SetSecretPolicy. |
| SecretName | String | Yes | secret_test | The name or Alibaba Cloud Resource Name (ARN) of the secret. Note: If you access a secret within another Alibaba Cloud account, you must enter the ARN of the secret. The ARN is in the acs:kms:${region}:${account}:secret/${secret-name} format. |
| PolicyName | String | No | default | The name of the secret policy. Set the value to default. |
| Policy | String | Yes | {"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] } | The content of the secret policy, in JSON format. The value can be up to 32,768 bytes in length. The structure of the policy is described below. |

A secret policy contains the following content:

  • Version: the version of the secret policy. Set the value to 1.
  • Statement: the statement of the secret policy. Each secret policy contains one or more statements.

Example:

{
    "Version": "1",
    "Statement": [
        {
            "Sid": "Enable RAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "RAM": ["acs:ram::123456789012:root"]
            },
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Statement description:

  • Sid: optional. The statement identifier of a custom statement. The value can be up to 128 characters in length and can contain letters, digits, and the following special characters: _ / + = . @ -
  • Effect: required. Specifies whether the permissions in a policy statement are allowed or denied. Valid values: Allow and Deny.
  • Principal: required. The authorization principal of the policy. The following principals are supported: the current Alibaba Cloud account to which the secret belongs, RAM users and RAM roles of the current Alibaba Cloud account, and RAM users and RAM roles of other Alibaba Cloud accounts.
  • Action: required. The API operation that you want to allow or deny. The value must start with kms:. For more information about the API operation scope, see Overview. If you specify an API operation outside the scope, the API operation does not take effect.
  • Resource: required. Set the value to an asterisk (*), which specifies the current secret.
  • Condition: optional. Specifies the conditions that must be met for the policy statement to take effect. Conditions let you evaluate the context of an API request to determine whether a policy statement applies. Format: "Condition": {"condition operator": {"condition key": "condition value"}}. For more information, see Overview.

Note: If you grant a RAM user or RAM role of another Alibaba Cloud account permissions to use a secret, you must also use that Alibaba Cloud account to grant the RAM user or RAM role permissions to use the secret in RAM. For more information, see Custom policies, Grant permissions to a RAM user, and Grant permissions to a RAM role.
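As an added example (not code from this page or from Alibaba Cloud's SDKs), the following Python checks a candidate Policy value against the constraints listed above before it is passed to SetSecretPolicy, and separately flags the broad grants a reviewer would question (kms:* for an Allow statement, or a principal that names every RAM identity in an account). The RAM ARN pattern, the kms:GetSecretValue action and the account id in the sample are assumptions.

```python
import json
import re

MAX_POLICY_BYTES = 32768  # size limit stated in the Policy parameter description
SID_RE = re.compile(r"^[A-Za-z0-9_/+=.@-]{1,128}$")  # Sid length and character set from the page
RAM_ARN_RE = re.compile(r"^acs:ram::\d+:.+$")  # assumed form: acs:ram::<account-id>:<entity>

def validate_secret_policy(policy: dict) -> list[str]:
    """Return the constraint violations found; an empty list means the policy passes."""
    errors = [] if policy.get("Version") == "1" else ["Version must be the string '1'"]
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where, sid = f"Statement[{i}]", st.get("Sid")
        if sid is not None and not SID_RE.fullmatch(sid):
            errors.append(f"{where}: Sid must be 1-128 letters, digits or _ / + = . @ -")
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"{where}: Effect must be Allow or Deny")
        principals = (st.get("Principal") or {}).get("RAM") or []
        bad = [p for p in principals if not RAM_ARN_RE.match(p)]
        if not principals or bad:
            errors.append(f"{where}: Principal.RAM must list RAM ARNs only; invalid: {bad}")
        actions = st.get("Action") or []
        if not actions or not all(a.startswith("kms:") for a in actions):
            errors.append(f"{where}: Action must be a non-empty list of operations starting with kms:")
        if st.get("Resource") != ["*"]:
            errors.append(f"{where}: Resource must be ['*'], which denotes the current secret")
    if len(json.dumps(policy, separators=(",", ":")).encode()) > MAX_POLICY_BYTES:
        errors.append(f"policy exceeds {MAX_POLICY_BYTES} bytes")
    return errors

def broad_grant_warnings(policy: dict) -> list[str]:
    """Flag Allow statements that grant every operation or every RAM identity of an account."""
    warnings = []
    for i, st in enumerate(policy.get("Statement") or []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, so they are not flagged
        if "kms:*" in (st.get("Action") or []):
            warnings.append(f"Statement[{i}] allows kms:*; list only the operations the principal needs")
        for p in (st.get("Principal") or {}).get("RAM") or []:
            if p.endswith(":*"):
                warnings.append(f"Statement[{i}] grants every RAM identity in the account: {p}")
    return warnings

# Constructed sample: one RAM role (placeholder account id) limited to reading the secret value.
SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Sid": "AllowReadByAppRole", "Effect": "Allow",
    "Principal": {"RAM": ["acs:ram::123456789012:role/app-secret-reader"]},
    "Action": ["kms:GetSecretValue"], "Resource": ["*"]}]}  # assumed in-scope operation
```

The compact string to send in the Policy parameter is json.dumps(SCOPED_POLICY, separators=(",", ":")), which is also what the byte-length check measures.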

Response parameters

| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| RequestId | String | 381D5D33-BB8F-395F-8EE4-AE3BB4B523C8 | The request ID. |

Examples

Sample requests

http(s)://[Endpoint]/?Action=SetSecretPolicy
&SecretName=secret_test
&PolicyName=default
&Policy={"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] }
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<SetSecretPolicyResponse>
    <RequestId>381D5D33-BB8F-395F-8EE4-AE3BB4B523C8</RequestId>
</SetSecretPolicyResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "381D5D33-BB8F-395F-8EE4-AE3BB4B523C8"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | MissingParameter | The parameter needed but no provided. | The required parameters are not specified. |
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 400 | Forbidden.NoPermission | This operation is forbidden by permission system. | You are not authorized to perform this operation. |
| 400 | Forbidden.KeyPolicyUnSupported | The specified key does not support key policy. | The key does not support key policies. |
| 400 | Rejected.ShareQuotaExceedLimit | Instance Share Quota Exceed Limit. | The access management quota is exceeded. |
| 403 | Forbidden.DKMSInstanceStateInvalid | The DKMS instance state is invalid. | Your dedicated KMS instance is invalid. |
| 404 | Forbidden.ResourceNotFound | Resource not found. | The resource is not found. |
| 404 | Forbidden.KeyNotFound | The specified Key is not found. | The key does not exist. |
| 404 | Forbidden.ResourceNotFound | Policy not found. | The policy is not found. |
| 503 | SerivceUnvailableTemporary | Service Unvailable Temporary | The service is temporarily unavailable. |

For a list of error codes, see Service error codes.