All Products
Search
Document Center

Key Management Service:Authorization information

Last Updated:Jul 09, 2024

This topic describes how to grant permissions to a Resource Access Management (RAM) user.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account.

  2. Create a custom policy.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab.

      Note

      RAM provides the visual editing and document editing modes to create policies. When you create a custom policy for Key Management Service (KMS) resources, you must use the document editing mode. If you use the visual editing mode, you can select only all KMS resources and all operations.

    4. Modify the policy document and click Next to edit policy information.

      When you edit a KMS policy document, you must specify a custom authorization statement. A statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see Appendix: Supported resources, actions, and conditions.

      Note

      For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

    5. Specify the policy name and description. Then, check and optimize the policy document as prompted.

    6. Click OK.

  3. Attach custom policies to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to attach custom policies and click Add Permissions in the Actions column.

    3. In the Grant Permission panel, configure the parameters and click Grant Permissions.

      Parameter

      Description

      Resource Scope

      The scope in which you want the permissions to take effect. KMS does not support the resource group feature. You must select Account.

      Principal

      The RAM user to which you want to grant permissions. The Principal parameter is automatically set to a specific RAM user. You can specify a different RAM user.

      Policy

      Select custom policies based on your business requirements.

Appendix: Supported resources, actions, and conditions

Resource

KMS defines the following resource types: key container, secret container, alias container, key, secret, and alias. You can configure the Resource element in a RAM policy based on the Alibaba Cloud Resource Name (ARN) of your resource. In the following example, the ARN of a key resource is queried.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Keys.

  2. On the Keys tab, find the key whose ARN you want to query and click Details in the Actions column. On the details page, you can view the ARN of the key. 密钥详情The following table describes the ARN formats for different resource types.

    Note

    Replace ${region} and ${account} with your actual region and Alibaba Cloud account. You can also narrow the scope of resources based on your business requirements. ${region} supports the asterisk (*) wildcard character, which specifies all supported regions.

    Resource type

    ARN

    Key container

    acs:kms:${region}:${account}:key

    Secret container

    acs:kms:${region}:${account}:secret

    Alias container

    acs:kms:${region}:${account}:alias

    Key

    acs:kms:${region}:${account}:key/${key-id}

    Note

    The ARN of a key resource supports the asterisk (*) wildcard character. Examples:

    • acs:kms:${region}:${account}:key/*: specifies all keys in a region within an account.

    • acs:kms:*:${account}:key/*: specifies all keys in all regions within an account.

    Secret

    acs:kms:${region}:${account}:secret/${secret-name}

    Note

    The ARN of a secret resource supports the asterisk (*) wildcard character.

    • acs:kms:${region}:${account}:secret/*: specifies all secrets in a region within an account.

    • acs:kms:${region}:${account}:secret/prefix*: specifies all secrets that start with prefix in a region within an account.

    Alias

    acs:kms:${region}:${account}:alias/${alias-name}

Action

KMS defines actions for each API operation that requires access control. In RAM policies, actions are in the kms:<api-name> format.

Note

The DescribeRegions operation does not require access control. The operation can be called by Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication. Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication.

The following tables describe the RAM actions and resource types that correspond to each API operation.

Note

Replace ${region} and ${account} with your actual region and Alibaba Cloud account. You can also narrow the scope of resources based on your business requirements. ${region} supports the asterisk (*) wildcard character, which specifies all supported regions.

Key-related API operations

Operation

Action

Resource type

ARN format

ListKeys

kms:ListKeys

Key container

acs:kms:${region}:${account}:key

CreateKey

kms:CreateKey

DescribeKey

kms:DescribeKey

Key

acs:kms:${region}:${account}:key/${key-id}

UpdateKeyDescription

kms:UpdateKeyDescription

EnableKey

kms:EnableKey

DisableKey

kms:DisableKey

ScheduleKeyDeletion

kms:ScheduleKeyDeletion

CancelKeyDeletion

kms:CancelKeyDeletion

GetParametersForImport

kms:GetParametersForImport

ImportKeyMaterial

kms:ImportKeyMaterial

DeleteKeyMaterial

kms:DeleteKeyMaterial

ListAliasesByKeyId

kms:ListAliasesByKeyId

CreateKeyVersion

kms:CreateKeyVersion

DescribeKeyVersion

kms:DescribeKeyVersion

ListKeyVersions

kms:ListKeyVersions

UpdateRotationPolicy

kms:UpdateRotationPolicy

Encrypt

kms:Encrypt

Decrypt

kms:Decrypt

ReEncrypt

  • kms:ReEncryptFrom

    Note

    You must have the kms:ReEncryptFrom permission on the source key.

  • kms:ReEncryptTo

    Note

    You must have the kms:ReEncryptTo permission on the destination key.

GenerateDataKey

kms:GenerateDataKey

GenerateDataKeyWithoutPlaintext

kms:GenerateDataKeyWithoutPlaintext

ExportDataKey

kms:ExportDataKey

GenerateAndExportDataKey

kms:GenerateAndExportDataKey

AsymmetricSign

kms:AsymmetricSign

AsymmetricVerify

kms:AsymmetricVerify

AsymmetricEncrypt

kms:AsymmetricEncrypt

AsymmetricDecrypt

kms:AsymmetricDecrypt

GetPublicKey

kms:GetPublicKey

ListAliases

kms:ListAliases

Alias container

acs:kms:${region}:${account}:alias

CreateAlias

kms:CreateAlias

Alias and key

  • Alias: acs:kms:${region}:${account}:alias/${alias-name}

  • Key: acs:kms:${region}:${account}:key/${key-id}

UpdateAlias

kms:UpdateAlias

DeleteAlias

kms:DeleteAlias

Secret-related API operations

Operation

Action

Resource type

ARN

CreateSecret

kms:CreateSecret

Secret container

acs:kms:${region}:${account}:secret

ListSecrets

kms:ListSecrets

DescribeSecret

kms:DescribeSecret

Secret

acs:kms:${region}:${account}:secret/${secret-name}

DeleteSecret

kms:DeleteSecret

UpdateSecret

kms:UpdateSecret

RestoreSecret

kms:RestoreSecret

GetSecretValue

  • kms:GetSecretValue

  • kms:Decrypt

Note

You must have the kms:Decrypt permission only if a self-managed key is used as the encryption key for a secret.

PutSecretValue

  • kms:PutSecretValue

  • kms:GenerateDataKey

Note

You must have the kms:GenerateDataKey permission only if a self-managed key is used as the encryption key for a secret.

ListSecretVersionIds

kms:ListSecretVersionIds

UpdateSecretVersionStage

kms:UpdateSecretVersionStage

GetRandomPassword

kms:GetRandomPassword

None

None

Tag-related API operations

Operation

Action

Resource type

ARN

ListResourceTags

kms:ListResourceTags

Key

  • Key: acs:kms:${region}:${account}:key/${key-id}

  • Secret: acs:kms:${region}:${account}:secret/${secret-name}

UntagResource

kms:UntagResource

Key or secret

TagResource

kms:TagResource

Condition

The Condition element specifies the conditions that are required for a policy to take effect. This element is optional. You can add a condition key in RAM policies to manage access to KMS. RAM authentication is successful only if the added conditions are met.

  • Use common condition keys: The condition key is in the acs:<condition-key> format. For example, you can use acs:CurrentTime to specify the validity period of a RAM policy.

    For more information, see Policy elements.

  • Use condition keys specific to an Alibaba Cloud service: The condition key is in the kms:<condition-key> format. For more information about condition keys specific to an Alibaba Cloud service that are supported by KMS, see Condition keys.