
Key Management Service: SetKeyPolicy

Last Updated: Nov 14, 2024

Configures a policy for a key in a Key Management Service (KMS) instance.

For more information about key policies, see Overview.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter | Type | Required | Example | Description (on the following lines)

Action | String | Yes | SetKeyPolicy

The operation that you want to perform. Set the value to SetKeyPolicy.

KeyId | String | Yes | key-hzz630494463ejqjx****

The ID or Alibaba Cloud Resource Name (ARN) of the key.

Note: When you access a key within another Alibaba Cloud account, you must enter the ARN of the key. The key ARN is in the acs:kms:${region}:${account}:key/${keyid} format.

PolicyName | String | No | default

The name of the key policy. Set the value to default.

Policy | String | Yes | {"Statement":[{"Action":["kms:*"],"Effect":"Allow","Principal":{"RAM":["acs:ram::119285303511****:*"]},"Resource":["*"],"Sid":"kms default key policy"},{"Action":["kms:List*","kms:Describe*","kms:Create*","kms:Enable*","kms:Disable*","kms:Get*","kms:Set*","kms:Update*","kms:Delete*","kms:Cancel*","kms:TagResource","kms:UntagResource","kms:ImportKeyMaterial","kms:ScheduleKeyDeletion"],"Effect":"Allow","Principal":{"RAM":["acs:ram::119285303511****:user/for_test_policy"]},"Resource":["*"]}],"Version":"1"}

The content of the key policy. The value is in the JSON format. The value can be up to 32,768 bytes in length.

A key policy contains the following content:

  • Version: the version of the key policy. Set the value to 1.
  • Statement: the statements of the key policy. Each key policy contains one or more statements.

Example:

{
    "Version": "1",
    "Statement": [
        {
            "Sid": "Enable RAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "RAM": ["acs:ram::112890462****:*"]
            },
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Statement description:

  • Sid: optional. The identifier of a custom statement. The value can be up to 128 characters in length and can contain letters, digits, and the following special characters: _ / + = . @ -
  • Effect: required. Specifies whether the permissions in a policy statement are allowed or denied. Valid values: Allow and Deny.
  • Principal: required. The authorization principal of the policy. The following principals are supported: the current Alibaba Cloud account to which the key belongs, RAM users and RAM roles of the current Alibaba Cloud account, and RAM users and RAM roles of other Alibaba Cloud accounts.
  • Action: required. The operations that you want to allow or deny. The value must start with kms:. For more information about the operation scope, see Overview. If you specify an operation outside the scope, the operation does not take effect.
  • Resource: required. Set the value to an asterisk (*), which specifies the current key.
  • Condition: optional. Specifies the conditions that must be met for the policy statement to take effect. You can use conditions to evaluate the context of an API request to determine whether a policy statement applies. Format: "Condition": {"condition operator": {"condition key": "condition value"}}. For more information, see Overview.

Note: If you grant a RAM user or RAM role of another Alibaba Cloud account permissions to use a key, you must also use that account to grant the RAM user or RAM role permissions to use the key in RAM. For more information, see Custom policies, Grant permissions to a RAM user, and Grant permissions to a RAM role.

Response parameters

Parameter | Type | Example | Description

RequestId | String | 381D5D33-BB8F-395F-8EE4-AE3BB4B523C8 | The request ID.


Sample requests

http(s)://[Endpoint]/?Action=SetKeyPolicy
&KeyId=key-hzz630494463ejqjx****
&PolicyName=default
&Policy={"Statement":[{"Action":["kms:*"],"Effect":"Allow","Principal":{"RAM":["acs:ram::119285303511****:*"]},"Resource":["*"],"Sid":"kms default key policy"},{"Action":["kms:List*","kms:Describe*","kms:Create*","kms:Enable*","kms:Disable*","kms:Get*","kms:Set*","kms:Update*","kms:Delete*","kms:Cancel*","kms:TagResource","kms:UntagResource","kms:ImportKeyMaterial","kms:ScheduleKeyDeletion"],"Effect":"Allow","Principal":{"RAM":["acs:ram::119285303511****:user/for_test_policy"]},"Resource":["*"]}],"Version":"1"}
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<SetKeyPolicyResponse>
    <RequestId>381D5D33-BB8F-395F-8EE4-AE3BB4B523C8</RequestId>
</SetKeyPolicyResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "381D5D33-BB8F-395F-8EE4-AE3BB4B523C8"
}

Error codes

HTTP status code | Error code | Error message | Description

400 | MissingParameter | The parameter needed but no provided. | The required parameters are not specified.
400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter.
400 | Forbidden.NoPermission | This operation is forbidden by permission system. | You are not authorized to perform this operation.
400 | Forbidden.KeyPolicyUnSupported | The specified key does not support key policy. | The key does not support key policies.
400 | Rejected.ShareQuotaExceedLimit | Instance Share Quota Exceed Limit. | The access management quota is exceeded.
403 | Forbidden.DKMSInstanceStateInvalid | The DKMS instance state is invalid. | Your dedicated KMS instance is invalid.
404 | Forbidden.KeyNotFound | The specified Key is not found. | The specified key does not exist.
404 | Forbidden.ResourceNotFound | Policy not found. | The policy is not found.
500 | InternalFailure | Internal Failure | An internal error has occurred.

For a list of error codes, see Service error codes.