Grant permissions to access keys and secrets - Key Management Service

This topic describes how to grant permissions to a Resource Access Management (RAM) user.

Procedure

Log on to the RAM console by using an Alibaba Cloud account.
Create a custom policy.
1. In the left-side navigation pane, choose Permissions > Policies.
2. On the Policies page, click Create Policy.
3. On the Create Policy page, click the JSON tab.
  Note
  RAM provides the visual editing and document editing modes to create policies. When you create a custom policy for Key Management Service (KMS) resources, you must use the document editing mode. If you use the visual editing mode, you can select only all KMS resources and all operations.
4. Modify the policy document and click Next to edit policy information.
  When you edit a KMS policy document, you must specify a custom authorization statement. A statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see Appendix: Supported resources, actions, and conditions.
  Note
  For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
5. Specify the policy name and description. Then, check and optimize the policy document as prompted.
6. Click OK.

Attach custom policies to a RAM user.

In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user to which you want to attach custom policies and click Add Permissions in the Actions column.

In the Grant Permission panel, configure the parameters and click Grant Permissions.

Parameter	Description
Resource Scope	The scope in which you want the permissions to take effect. KMS does not support the resource group feature. You must select Account.
Principal	The RAM user to which you want to grant permissions. The Principal parameter is automatically set to a specific RAM user. You can specify a different RAM user.
Policy	Select custom policies based on your business requirements.

Appendix: Supported resources, actions, and conditions

Resource

KMS defines the following resource types: key container, secret container, alias container, key, secret, and alias. You can configure the Resource element in a RAM policy based on the Alibaba Cloud Resource Name (ARN) of your resource. In the following example, the ARN of a key resource is queried.

Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Keys.

On the Keys tab, find the key whose ARN you want to query and click Details in the Actions column. On the details page, you can view the ARN of the key. 密钥详情 The following table describes the ARN formats for different resource types.

Note

Replace ${region} and ${account} with your actual region and Alibaba Cloud account. You can also narrow the scope of resources based on your business requirements. ${region} supports the asterisk (*) wildcard character, which specifies all supported regions.

Resource type	ARN
Key container	acs:kms:${region}:${account}:key
Secret container	acs:kms:${region}:${account}:secret
Alias container	acs:kms:${region}:${account}:alias
Key	acs:kms:${region}:${account}:key/${key-id} Note The ARN of a key resource supports the asterisk () wildcard character. Examples: `acs:kms:${region}:${account}:key/`: specifies all keys in a region within an account. `acs:kms::${account}:key/`: specifies all keys in all regions within an account.
Secret	acs:kms:${region}:${account}:secret/${secret-name} Note The ARN of a secret resource supports the asterisk () wildcard character. `acs:kms:${region}:${account}:secret/`: specifies all secrets in a region within an account. `acs:kms:${region}:${account}:secret/prefix*`: specifies all secrets that start with `prefix` in a region within an account.
Alias	acs:kms:${region}:${account}:alias/${alias-name}

Action

KMS defines actions for each API operation that requires access control. In RAM policies, actions are in the kms:<api-name> format.

Note

The DescribeRegions operation does not require access control. The operation can be called by Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication. Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication.

The following tables describe the RAM actions and resource types that correspond to each API operation.

Note

Key-related API operations

Operation	Action	Resource type	ARN format
ListKeys	kms:ListKeys	Key container	`acs:kms:${region}:${account}:key`
CreateKey	kms:CreateKey	Key container	`acs:kms:${region}:${account}:key`
DescribeKey	kms:DescribeKey	Key	`acs:kms:${region}:${account}:key/${key-id}`
UpdateKeyDescription	kms:UpdateKeyDescription
EnableKey	kms:EnableKey
DisableKey	kms:DisableKey
ScheduleKeyDeletion	kms:ScheduleKeyDeletion
CancelKeyDeletion	kms:CancelKeyDeletion
GetParametersForImport	kms:GetParametersForImport
ImportKeyMaterial	kms:ImportKeyMaterial
DeleteKeyMaterial	kms:DeleteKeyMaterial
ListAliasesByKeyId	kms:ListAliasesByKeyId
CreateKeyVersion	kms:CreateKeyVersion
DescribeKeyVersion	kms:DescribeKeyVersion
ListKeyVersions	kms:ListKeyVersions
UpdateRotationPolicy	kms:UpdateRotationPolicy
Encrypt	kms:Encrypt
Decrypt	kms:Decrypt
ReEncrypt	kms:ReEncryptFrom Note You must have the kms:ReEncryptFrom permission on the source key. kms:ReEncryptTo Note You must have the kms:ReEncryptTo permission on the destination key.
GenerateDataKey	kms:GenerateDataKey
GenerateDataKeyWithoutPlaintext	kms:GenerateDataKeyWithoutPlaintext
ExportDataKey	kms:ExportDataKey
GenerateAndExportDataKey	kms:GenerateAndExportDataKey
AsymmetricSign	kms:AsymmetricSign
AsymmetricVerify	kms:AsymmetricVerify
AsymmetricEncrypt	kms:AsymmetricEncrypt
AsymmetricDecrypt	kms:AsymmetricDecrypt
GetPublicKey	kms:GetPublicKey
ListAliases	kms:ListAliases	Alias container	`acs:kms:${region}:${account}:alias`
CreateAlias	kms:CreateAlias	Alias and key	Alias: `acs:kms:${region}:${account}:alias/${alias-name}` Key: `acs:kms:${region}:${account}:key/${key-id}`
UpdateAlias	kms:UpdateAlias
DeleteAlias	kms:DeleteAlias

Secret-related API operations

Operation	Action	Resource type	ARN
CreateSecret	kms:CreateSecret	Secret container	`acs:kms:${region}:${account}:secret`
ListSecrets	kms:ListSecrets	Secret container	`acs:kms:${region}:${account}:secret`
DescribeSecret	kms:DescribeSecret	Secret	`acs:kms:${region}:${account}:secret/${secret-name}`
DeleteSecret	kms:DeleteSecret
UpdateSecret	kms:UpdateSecret
RestoreSecret	kms:RestoreSecret
GetSecretValue	kms:GetSecretValue kms:Decrypt Note You must have the kms:Decrypt permission only if a self-managed key is used as the encryption key for a secret.
PutSecretValue	kms:PutSecretValue kms:GenerateDataKey Note You must have the kms:GenerateDataKey permission only if a self-managed key is used as the encryption key for a secret.
ListSecretVersionIds	kms:ListSecretVersionIds
UpdateSecretVersionStage	kms:UpdateSecretVersionStage
GetRandomPassword	kms:GetRandomPassword	None	None

Tag-related API operations

Operation	Action	Resource type	ARN
ListResourceTags	kms:ListResourceTags	Key	Key: `acs:kms:${region}:${account}:key/${key-id}` Secret: `acs:kms:${region}:${account}:secret/${secret-name}`
UntagResource	kms:UntagResource	Key or secret
TagResource	kms:TagResource	Key or secret

Condition

The Condition element specifies the conditions that are required for a policy to take effect. This element is optional. You can add a condition key in RAM policies to manage access to KMS. RAM authentication is successful only if the added conditions are met.

Use common condition keys: The condition key is in the acs:<condition-key> format. For example, you can use acs:CurrentTime to specify the validity period of a RAM policy.
For more information, see Policy elements.
Use condition keys specific to an Alibaba Cloud service: The condition key is in the kms:<condition-key> format. For more information about condition keys specific to an Alibaba Cloud service that are supported by KMS, see Condition keys.