
Key Management Service:CreatePolicy

Last Updated: Oct 11, 2023

Creates a permission policy that specifies the keys and secrets an application is allowed to access.

Usage notes

To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):

1. Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule.

2. Create a permission policy: You can configure the keys and secrets that an application is allowed to access and bind access control rules to them.

3. Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. For more information, see CreateApplicationAccessPoint.

4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP. For more information, see CreateClientKey.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Action (String, required)
  Example: CreatePolicy
  The operation that you want to perform. Set the value to CreatePolicy.

Name (String, required)
  Example: policy_test
  The name of the permission policy.

Description (String, optional)
  Example: policy description
  The description of the permission policy.

KmsInstance (String, optional)
  Example: kst-hzz634e67d126u9p9****
  The scope of the permission policy: the KMS instance whose keys and secrets the policy covers.

Permissions (String, required)
  Example: ["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
  The operations that the policy allows, as a JSON array. Valid values:
    • RbacPermission/Template/CryptoServiceKeyUser: allows you to perform cryptographic operations.
    • RbacPermission/Template/CryptoServiceSecretUser: allows you to perform secret-related operations.
  You can specify both.

Resources (String, required)
  Example: ["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]
  The keys and secrets that the policy allows access to, as a JSON array.
    • Key: enter a key in the key/${KeyId} format. To allow access to all keys of the KMS instance, enter key/*.
    • Secret: enter a secret in the secret/${SecretName} format. To allow access to all secrets of the KMS instance, enter secret/*.

AccessControlRules (Map, optional)
  Example: {"NetworkRules":["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]}
  The names of the access control rules bound to the policy.

Note: For more information about how to query created access control rules, see ListNetworkRules.
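The following helper, an added example rather than code from the Alibaba Cloud documentation or SDK, builds the CreatePolicy request parameters described above and checks them before anything is sent: Permissions must be drawn from the two documented templates, every Resources entry must be in the key/${KeyId} or secret/${SecretName} form, and the key/* and secret/* wildcards are refused unless the caller opts in, so an over-broad policy cannot be created by accident. Permissions and Resources are serialized as JSON arrays inside String parameters, which is what the sample request on this page shows; encoding AccessControlRules as a JSON object with a NetworkRules list is an assumption, as are the function names and the constructed sample values.

```python
import json
import re

# The two permission templates this operation accepts (from the page).
VALID_PERMISSIONS = {
    "RbacPermission/Template/CryptoServiceKeyUser",
    "RbacPermission/Template/CryptoServiceSecretUser",
}

# A resource is key/<KeyId> or secret/<SecretName>; a secret name may itself
# contain slashes (secret/acs/ram/user/ram-secret), so anything non-blank after
# the first slash is accepted. The only wildcards are the two exact forms below.
RESOURCE_RE = re.compile(r"^(key|secret)/(\S+)$")
WILDCARDS = ("key/*", "secret/*")


def resource_problems(resources, allow_wildcards=False):
    """Return a list of problems with the Resources entries (empty when valid)."""
    problems = []
    for res in resources:
        if not RESOURCE_RE.match(res):
            problems.append(f"{res!r} is not key/<KeyId> or secret/<SecretName>")
        elif res in WILDCARDS and not allow_wildcards:
            # Least privilege: a wildcard must be a deliberate choice.
            problems.append(f"{res!r} grants every {res[:-2]} in the instance; "
                            "pass allow_wildcards=True to permit it")
    if not resources:
        problems.append("a policy must name at least one key or secret")
    return problems


def build_create_policy_params(name, permissions, resources, kms_instance=None,
                               description=None, network_rules=None,
                               allow_wildcards=False):
    """Return the CreatePolicy request parameters as a dict of string values.

    Raises ValueError when a permission template is unknown or a resource entry
    is malformed or an unapproved wildcard. The AccessControlRules encoding is
    an assumption (the sample request on the page does not show it).
    """
    perms = sorted(set(permissions))
    unknown = [p for p in perms if p not in VALID_PERMISSIONS]
    if unknown or not perms:
        raise ValueError(f"Permissions must be a non-empty subset of "
                         f"{sorted(VALID_PERMISSIONS)}; got {perms}")
    problems = resource_problems(resources, allow_wildcards)
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "Action": "CreatePolicy",
        "Name": name,
        "Permissions": json.dumps(perms),
        "Resources": json.dumps(list(resources)),
    }
    if description:
        params["Description"] = description
    if kms_instance:
        params["KmsInstance"] = kms_instance
    if network_rules:
        params["AccessControlRules"] = json.dumps({"NetworkRules": list(network_rules)})
    return params


if __name__ == "__main__":
    # Constructed input: the masked identifiers are the ones shown on this page.
    params = build_create_policy_params(
        name="policy_test",
        permissions=["RbacPermission/Template/CryptoServiceKeyUser",
                     "RbacPermission/Template/CryptoServiceSecretUser"],
        resources=["secret/acs/ram/user/ram-secret", "key/key-hzz63d9c8d3dfv8cv****"],
        kms_instance="kst-hzz634e67d126u9p9****",
        network_rules=["kst-hzz62ee817bvyyr5x****.efkd"],
    )
    for key, value in params.items():
        print(f"{key}={value}")
    print(resource_problems(["key/*"]))  # refused unless allow_wildcards=True
```

The dict this returns still needs the common request parameters and the signature, which OpenAPI Explorer or an SDK adds; the point of the helper is that the policy's scope is checked in code review terms (named resources, known templates, no silent wildcards) before the request exists.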

Response parameters

RequestId (String)
  Example: 3bf02f7a-015b-4f34-be0f-c4543fda2d33
  The ID of the request, which is used to locate and troubleshoot issues.

Arn (String)
  Example: acs:kms:cn-hangzhou:119285303511****:policy/policy_test
  The ARN of the permission policy.

Name (String)
  Example: policy_test
  The name of the permission policy.

Description (String)
  Example: policy description
  The description of the permission policy.

KmsInstance (String)
  Example: kst-hzz634e67d126u9p9****
  The scope of the permission policy.

Permissions (String)
  Example: ["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
  The operations that the policy allows.

Resources (String)
  Example: ["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]
  The keys and secrets that the policy allows access to.
    • key/* indicates that all keys of the KMS instance can be accessed.
    • secret/* indicates that all secrets of the KMS instance can be accessed.

AccessControlRules (String)
  Example: {"NetworkRules":["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]}
  The names of the access control rules bound to the policy.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreatePolicy
&Name=policy_test
&Description=policy  description
&KmsInstance=kst-hzz634e67d126u9p9****
&Permissions=["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
&Resources=["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreatePolicyResponse>
    <RequestId>3bf02f7a-015b-4f34-be0f-c4543fda2d33</RequestId>
    <Arn>acs:kms:cn-hangzhou:119285303511****:policy/policy_test</Arn>
    <Name>policy_test</Name>
    <Description>policy  description</Description>
    <KmsInstance>kst-hzz634e67d126u9p9****</KmsInstance>
    <Permissions>["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]</Permissions>
    <Resources>["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]</Resources>
    <AccessControlRules>{"NetworkRules":["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]}</AccessControlRules>
</CreatePolicyResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "3bf02f7a-015b-4f34-be0f-c4543fda2d33",
  "Arn" : "acs:kms:cn-hangzhou:119285303511****:policy/policy_test",
  "Name" : "policy_test",
  "Description" : "policy  description",
  "KmsInstance" : "kst-hzz634e67d126u9p9****",
  "Permissions" : "[\"RbacPermission/Template/CryptoServiceKeyUser\", \"RbacPermission/Template/CryptoServiceSecretUser\"]",
  "Resources" : "[\"secret/acs/ram/user/ram-secret\", \"secret/acs/ram/user/acr-master\", \"key/key-hzz63d9c8d3dfv8cv****\"]",
  "AccessControlRules" : "{\"NetworkRules\":[\"kst-hzz62ee817bvyyr5x****.efkd\",\"kst-hzz62ee817bvyyr5x****.eyyp\"]}"
}
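In the JSON response above, Permissions, Resources and AccessControlRules are JSON text carried inside JSON strings, so a client has to decode them a second time before it can inspect the policy. The following added example (not code from the Alibaba Cloud documentation or SDK) parses the sample response shown above, which is embedded as a constructed string, and then runs the checks a reviewer would want after creating a policy: wildcard grants, a policy with no access control rule bound, and a permission template granted without any resource of the matching kind. The function names and the findings wording are assumptions.

```python
import json

# Constructed sample: the JSON success response shown on this page, with the
# masked identifiers left exactly as documented. A raw string keeps the \" escapes.
SAMPLE_RESPONSE = r"""{
  "RequestId" : "3bf02f7a-015b-4f34-be0f-c4543fda2d33",
  "Arn" : "acs:kms:cn-hangzhou:119285303511****:policy/policy_test",
  "Name" : "policy_test",
  "Description" : "policy  description",
  "KmsInstance" : "kst-hzz634e67d126u9p9****",
  "Permissions" : "[\"RbacPermission/Template/CryptoServiceKeyUser\", \"RbacPermission/Template/CryptoServiceSecretUser\"]",
  "Resources" : "[\"secret/acs/ram/user/ram-secret\", \"secret/acs/ram/user/acr-master\", \"key/key-hzz63d9c8d3dfv8cv****\"]",
  "AccessControlRules" : "{\"NetworkRules\":[\"kst-hzz62ee817bvyyr5x****.efkd\",\"kst-hzz62ee817bvyyr5x****.eyyp\"]}"
}"""


def parse_policy_response(body):
    """Decode a CreatePolicy JSON response into plain Python values.

    Permissions, Resources and AccessControlRules are JSON nested inside JSON
    strings, so each is decoded a second time; absent optional fields become
    empty values rather than raising.
    """
    doc = json.loads(body)
    rules = json.loads(doc["AccessControlRules"]) if doc.get("AccessControlRules") else {}
    return {
        "RequestId": doc["RequestId"],
        "Arn": doc["Arn"],
        "Name": doc["Name"],
        "KmsInstance": doc.get("KmsInstance", ""),
        "Permissions": json.loads(doc["Permissions"]),
        "Resources": json.loads(doc["Resources"]),
        "NetworkRules": list(rules.get("NetworkRules", [])),
    }


def audit_policy(policy):
    """Return reviewer findings for an over-broad or inconsistent policy.

    An empty list means the policy passed every check implemented here.
    """
    findings = []
    instance = policy["KmsInstance"] or "the instance"
    for res in policy["Resources"]:
        if res in ("key/*", "secret/*"):
            findings.append(f"wildcard grant {res}: every {res[:-2]} in {instance} is reachable")
    if not policy["NetworkRules"]:
        findings.append("no access control rule is bound; confirm the policy is "
                        "meant to carry no network restriction")
    # A template granted without a matching resource kind is usually a mistake
    # in the request and worth a second look.
    kinds = {res.split("/", 1)[0] for res in policy["Resources"]}
    if "RbacPermission/Template/CryptoServiceKeyUser" in policy["Permissions"] and "key" not in kinds:
        findings.append("CryptoServiceKeyUser is granted but the policy names no key")
    if "RbacPermission/Template/CryptoServiceSecretUser" in policy["Permissions"] and "secret" not in kinds:
        findings.append("CryptoServiceSecretUser is granted but the policy names no secret")
    return findings


if __name__ == "__main__":
    policy = parse_policy_response(SAMPLE_RESPONSE)
    print(policy["Arn"])
    print("resources:", policy["Resources"])
    print("network rules:", policy["NetworkRules"])
    print("findings:", audit_policy(policy) or "none")
```

Run against the sample response the audit reports nothing: two named secrets and one named key, two network rules bound, and both templates backed by a resource of the matching kind. Swapping the resource list for key/* and dropping the network rules produces three findings, which is the shape of output worth wiring into whatever reviews newly created policies.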

Error codes

400 InvalidParameter
  Error message: The specified parameter is not valid.
  Description: The specified parameter is invalid.

404 InvalidAccessKeyId.NotFound
  Error message: The Access Key ID provided does not exist in our records.
  Description: The specified AccessKey ID does not exist.

For a list of error codes, see Service error codes.