A condition specifies the restrictions under which an authorization takes effect. You can use condition keys in key policies, credential policies, and Resource Access Management (RAM) custom policies to control access to Key Management Service (KMS). This topic describes the Alibaba Cloud universal condition keys and KMS-specific condition keys.
The Principal field in the examples is required for key policies and credential policies. If you use a RAM custom policy, you do not need to set this field.
Alibaba Cloud universal condition keys
acs:SourceIp
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| acs:SourceIp | The public IP address of the client that sends the request. | String | All KMS OpenAPI operations. For a list of operations, see API overview. | An IP address or CIDR block, such as 203.0.XX.XX or 116.62.XX.XX/24. | |
RAM policy example
You can generate a data key only if the request originates from the 116.62.XX.XX/24 IP address range.
```json
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "116.62.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}
```
Key/Credential policy example
Access is allowed only for the Resource Access Management (RAM) user ramuser1 from the IP address 203.0.XX.XX.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "203.0.XX.XX"
          ]
        }
      }
    }
  ]
}
```
acs:SourceVpc
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| acs:SourceVpc | The VPC to which the client that sends the request belongs. This condition key is valid only when the request is sent from an Alibaba Cloud VPC. | String | All KMS OpenAPI operations. For a list of operations, see API overview. | The ID of the VPC. Example: vpc-bp1717bgs34gj****. | |
Limits:
- All actions in the Statement field of the policy must start with kms:, such as "Action":"kms:*" and "Action":"kms:GenerateDataKey". "Action":"*" and "Action":"k*" are invalid.
- This condition key is supported only in some regions.
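A lint check for this limit, as an added example (not an Alibaba Cloud tool): it flags any statement that conditions on acs:SourceVpc but lists an action that does not start with kms:. The VPC ID and account ID in the constructed policies are the masked placeholders used in this topic.

```python
# Hypothetical lint check (added here, not an Alibaba Cloud tool) for the limit
# above: any statement that conditions on acs:SourceVpc may only name actions
# that start with "kms:", so "*" and "k*" are flagged.

def source_vpc_violations(policy):
    """Return (statement index, offending action) pairs, empty when clean."""
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        condition = stmt.get("Condition", {})
        if not any("acs:SourceVpc" in keys for keys in condition.values()):
            continue  # the limit only applies when acs:SourceVpc is used
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            if not action.startswith("kms:"):
                problems.append((idx, action))
    return problems

# Constructed policies: GOOD_POLICY mirrors the example in this topic (IDs are
# masked placeholders); BAD_POLICY breaks the limit with a "k*" action.
GOOD_POLICY = {
    "Version": "1",
    "Statement": [{
        "Sid": "kms policy", "Effect": "Allow", "Action": "kms:*",
        "Principal": {"RAM": ["acs:ram::1192853035****:user/ramuser1"]},
        "Resource": "*",
        "Condition": {"StringEquals": {"acs:SourceVpc": ["vpc-bp1l8j1t3l3j5****"]}},
    }],
}
BAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["k*", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"acs:SourceVpc": "vpc-bp1l8j1t3l3j5****"}}},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},  # no SourceVpc: not flagged
    ],
}
```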
Key/Credential policy example: Access is allowed only for the RAM user ramuser1 from vpc-bp1l8j1t3l3j5****.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-bp1l8j1t3l3j5****"
          ]
        }
      }
    }
  ]
}
```
acs:VpcSourceIp
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| acs:VpcSourceIp | The IP address of the client that sends the request. This condition key is valid only when the request is sent from an Alibaba Cloud VPC. | String | All KMS OpenAPI operations. For a list of operations, see API overview. | An IP address or CIDR block in a VPC, such as 192.168.XX.XX or 172.168.XX.XX/24. | |
Limits: This condition key is supported only in some regions.
RAM policy example
Requests are allowed only from the 172.168.XX.XX/24 CIDR block in vpc-bp1717bghfnkqg5wn****.
```json
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": "vpc-bp1717bghfnkqg5wn****"
        },
        "IpAddress": {
          "acs:VpcSourceIp": "172.168.**.**/24"
        }
      }
    }
  ],
  "Version": "1"
}
```
Key/Credential policy example
Access is allowed only for the RAM user ramuser1 from the VPC IP address 192.168.XX.XX.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:VpcSourceIp": [
            "192.168.XX.XX"
          ]
        }
      }
    }
  ]
}
```
acs:SecureTransport
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| acs:SecureTransport | Indicates whether the request is sent over a secure channel (HTTPS). | Boolean | All KMS OpenAPI operations. For a list of operations, see API overview. | true or false | |
RAM policy example
You can perform any operation on all KMS resources, provided that the request is sent over HTTPS.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}
```
Key/Credential policy example
Access is allowed only for the RAM user ramuser1 over an HTTPS secure channel.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}
```
acs:CurrentTime
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| acs:CurrentTime | The time at which the server receives the request. | Date and time | All KMS OpenAPI operations. For a list of operations, see API overview. | The time is in UTC and must follow the ISO 8601 standard. For example, 20:00:00 on January 10, 2024 (UTC+8) is expressed as 2024-01-10T12:00:00Z. | |
Key/Credential policy example: Access is allowed only for the RAM user ramuser1 before 2099-12-31T12:00:00Z.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "acs:CurrentTime": "2099-12-31T12:00:00Z"
        }
      }
    }
  ]
}
```
acs:MFAPresent
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| acs:MFAPresent | Indicates whether multi-factor authentication (MFA) is used for logon. | Boolean | All KMS OpenAPI operations. For a list of operations, see API overview. | true or false | |
Key/Credential policy example: Access is allowed only for the RAM user ramuser1 if MFA is enabled.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": [
            "true"
          ]
        }
      }
    }
  ]
}
```
KMS product condition keys (key-related)
kms:tag
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:tag | Filters access to API operations based on key tags. | String | | A custom key tag. | |
kms:EncryptionAlgorithm
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:EncryptionAlgorithm | Filters access to encryption operations based on the encryption algorithm in the request. | String | | An encryption algorithm, such as SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_256, or ECIES_DH_SHA_1_XOR_HMAC. For more information about the encryption algorithms that KMS supports, see Key management types and key specifications. | |
The following example shows that the Resource Access Management (RAM) user key_ramuser1 can perform encryption, decryption, or re-encryption only with the RSAES_OAEP_SHA_256 algorithm: the Deny statement, combined with StringNotEquals, rejects any of these requests that names a different algorithm. This enforces the use of the specified encryption algorithm and prevents the use of non-compliant or insecure encryption algorithms.
```json
{
  "Sid": "Allow only one encryption algorithm with this asymmetric KMS key",
  "Effect": "Deny",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:user/key_ramuser1"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
    }
  }
}
```
kms:EncryptionContext:${EncryptionContextKey}
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:EncryptionContext:${EncryptionContextKey} | Filters access to KMS symmetric keys based on the encryption context in the encryption operation. This condition evaluates the key and value in each key-value pair of the encryption context. | String | | A custom encryption context. | |
The following example allows all RAM users under the Alibaba Cloud account 119285303511**** to perform the kms:GenerateDataKey operation when the value of Project in the kms:EncryptionContext is ProjectA.
```json
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Project": "ProjectA"
    }
  }
}
```
kms:EncryptionContextKeys
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:EncryptionContextKeys | Filters access to KMS symmetric keys based on the encryption context in the encryption operation. Filters only the keys in the key-value pairs of the encryption context. | Array of strings | | A custom key from an encryption context key-value pair. | Key policy |
The following example allows all RAM users under the Alibaba Cloud account 119285303511**** to perform the kms:GenerateDataKey operation when the encryption context contains the key named Project.
```json
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContextKeys": "Project"
    }
  }
}
```
kms:ExpirationModel
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:ExpirationModel | Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request. | String | ImportKeyMaterial | The expiration model of the key material, such as KEY_MATERIAL_DOES_NOT_EXPIRE. | |
The following example allows all RAM users under the Alibaba Cloud account 119285303511**** to perform the kms:ImportKeyMaterial operation only if the expiration model of the key material is KEY_MATERIAL_DOES_NOT_EXPIRE.
```json
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
    }
  }
}
```
kms:ValidTo
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:ValidTo | Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only if it expires on a specified date. | Date | ImportKeyMaterial | A UNIX timestamp. | |
The following example allows all RAM users under the Alibaba Cloud account 119285303511**** to import key material only if its ValidTo expiration time is no later than June 20, 2024 (00:00:00 UTC, UNIX timestamp 1718841600).
```json
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ValidTo": "1718841600"
    }
  }
}
```
kms:KeyOrigin
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:KeyOrigin | Filters access to API operations based on the Origin property of the KMS key that is created or used in the operation. You can use it to restrict authorization for the CreateKey operation or any operation that grants authorization for KMS key resources. | String | All key-related OpenAPI operations. For a list of operations, see API overview. | | |
kms:KeySpec
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:KeySpec | Filters access to API operations based on the KeySpec property of the KMS key that is created or used in the operation. | String | All key-related OpenAPI operations. For a list of operations, see API overview. | A key specification, such as Aliyun_AES_256 or RSA_2048. For more information about the key specifications that KMS supports, see Key management types and key specifications. | |
The following example allows all RAM users and RAM roles under the Alibaba Cloud account 119285303511**** to perform the kms:CreateKey operation, but only to create RSA keys.
```json
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:KeySpec": "RSA_*"
    }
  }
}
```
kms:KeyUsage
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:KeyUsage | Filters access to API operations based on the KeyUsage property of the KMS key that is created or used in the operation. | String | All key-related OpenAPI operations. For a list of operations, see API overview. | A key usage, such as ENCRYPT_DECRYPT. | |
The following example allows the kms:CreateKey operation, but only to create keys for the ENCRYPT_DECRYPT purpose.
```json
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KeyUsage": "ENCRYPT_DECRYPT"
    }
  }
}
```
kms:ScheduleKeyDeletionPendingWindowInDays
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:ScheduleKeyDeletionPendingWindowInDays | Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request. | Number | ScheduleKeyDeletion | The scheduled deletion period of the key, in days. | |
The following example denies all users and roles permission to perform the kms:ScheduleKeyDeletion operation if the scheduled deletion period is less than or equal to 21 days.
```json
{
  "Effect": "Deny",
  "Action": "kms:ScheduleKeyDeletion",
  "Principal": "*",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ScheduleKeyDeletionPendingWindowInDays": "21"
    }
  }
}
```
kms:SigningAlgorithm
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:SigningAlgorithm | Filters access to the Sign and Verify operations based on the signature algorithm in the request. | String | Sign, Verify | A signature algorithm, such as RSA_PSS_SHA_256 or ECDSA_SHA_256. For a list of supported signature algorithms, see Key management types and key specifications. | |
kms:WrappingAlgorithm
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:WrappingAlgorithm | Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request. | String | GetParametersForImport | A wrapping algorithm. For more information about the wrapping algorithms that KMS supports, see Import symmetric key material and Import asymmetric key material. | |
kms:WrappingKeySpec
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:WrappingKeySpec | Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request. | String | GetParametersForImport | The type of the wrapping public key. For more information about the wrapping public key types that KMS supports, see Import symmetric key material and Import asymmetric key material. | |
kms:KmsInstanceId
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:KmsInstanceId | Controls access permissions based on the ID of the KMS instance associated with the request. | String | Cryptographic operations, management API operations, and tag API operations. | Instance ID | |
Examples:
RAM custom policy
```json
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}
```
Key policy
```json
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}
```
kms:RecipientAttestation
| Condition key | Description | Condition operator type | API operations |
|---|---|---|---|
| kms:RecipientAttestation:PCR8 | The measurement of the enclave runtime image file. | String | The authorization takes effect only if all the following conditions are met. |
| kms:RecipientAttestation:PCR9 | The measurement of the kernel and bootloader. | String | |
| kms:RecipientAttestation:PCR11 | The measurement of the application. | String | |
Examples:
RAM custom policy
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "acs:kms:cn-hangzhou:119******460:key/key-hzz******sg5",
      "Condition": {
        "StringEquals": {
          "kms:RecipientAttestation:PCR8": "300705e44da926d8ec85bb7e840******710f303e22de0869a",
          "kms:RecipientAttestation:PCR9": "b5753ad8242e1c3b8150caf7098f******440bef5401e02575",
          "kms:RecipientAttestation:PCR11": "f9189a4331f1d4ba93d77672401******04a19be1b4d4a5de"
        }
      }
    }
  ]
}
```
Key policy
```json
{
  "Statement": [
    {
      "Action": [
        "kms:*"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::119*******460:*"
        ]
      },
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "kms:RecipientAttestation:PCR8": "f193c1e72c226a2212d4d8865964239******ca6f02f79ea85e91af"
        }
      },
      "Sid": "kms default key policy"
    }
  ],
  "Version": "1"
}
```
KMS product condition keys (credential-related)
kms:tag
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:tag | Filters access to API operations based on credential tags. | String | | A custom credential tag. | |
kms:SecretName
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:SecretName | Filters access to API operations based on the value of SecretName in the request. | String | All credential-related OpenAPI operations. For a list of operations, see API overview. | A custom credential name. | |
kms:EncryptionKeyId
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:EncryptionKeyId | Filters access to API operations based on the ID of the encryption key in the credential access request. | String | | Key ID. | |
kms:SecretVersionId
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:SecretVersionId | Filters access to API operations based on the unique identifier of the credential version in the request. | String | | The version number of the credential. | |
kms:SecretVersionStage
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:SecretVersionStage | Filters access to API operations based on the credential version stages in the request. | String | | | |
kms:SecretType
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:SecretType | Filters access to API operations based on the credential type in the request. | String | All credential-related OpenAPI operations. For a list of operations, see API overview. | | |
kms:ForceDeleteWithoutRecovery
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:ForceDeleteWithoutRecovery | Indicates whether the credential is deleted immediately, without a recovery window. | Boolean | DeleteSecret | true or false | |
kms:RecoveryWindowInDays
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:RecoveryWindowInDays | Filters access to the DeleteSecret operation based on the recovery window, in days, that the request specifies for a recoverable deletion. | Number | DeleteSecret | Number of days. | |
The following example denies all users and roles permission to perform the kms:DeleteSecret operation if the specified recovery window is less than or equal to 10 days.
```json
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:DeleteSecret",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThanEquals": {
          "kms:RecoveryWindowInDays": "10"
        }
      }
    }
  ]
}
```
kms:KmsInstanceId
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:KmsInstanceId | Controls access permissions based on the ID of the KMS instance associated with the request. | String | | Instance ID | |
Examples:
RAM custom policy
```json
{
  "Effect": "Allow",
  "Action": "kms:CreateSecret",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}
```
Key policy
```json
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:CreateSecret",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KmsInstanceId": "kst-**"
    }
  }
}
```
KMS product condition keys (other)
kms:TlsVersion
| Condition key | Description | Condition operator type | API operations | Value range | Policy type |
|---|---|---|---|---|---|
| kms:TlsVersion | Filters access to API operations based on the TLS version in the request. | String | All OpenAPI operations that require authentication. Note: operations that do not require authentication, such as DescribeRegions, are not covered. | A TLS version, such as 1.2. | |
The following example denies any operation on the specified key if the TLS version in the request is earlier than 1.2.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:*",
      "Resource": "acs:kms:*:*:key/key-hzz653f1f8fybn5qa****",
      "Condition": {
        "NumericLessThan": {
          "kms:TlsVersion": [
            "1.2"
          ]
        }
      }
    }
  ]
}
```
Appendix 1: Condition operator types
Conditional operators can be classified into the following categories: string, number, date and time, Boolean, and IP address. For more information, see Conditional operators.
| Condition operator type | Supported operators |
|---|---|
| String | StringEquals, StringNotEquals, StringLike (the string operators used in this topic; see Conditional operators for the full list) |
| Numeric | NumericLessThan, NumericLessThanEquals (as used in this topic) |
| Date and time | DateLessThan (as used in this topic) |
| Boolean | Bool |
| IP address | IpAddress (as used in this topic) |
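As an added example (not Alibaba Cloud's policy engine), a small evaluator for the operator types in this appendix: it applies a Deny-overrides rule to a constructed policy that combines the acs:SourceIp, acs:SecureTransport and kms:ScheduleKeyDeletionPendingWindowInDays examples from this topic. The CIDR block and the request contexts are sample data, and the `evaluate` function and its helpers are hypothetical names.

```python
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase
# Hypothetical evaluator (added here, not Alibaba Cloud's own engine) for the
# operator types in Appendix 1: an explicit Deny wins, then any matching Allow.

def _values(v):
    return v if isinstance(v, list) else [v]
def _date(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _match(operator, expected, actual):
    exp = _values(expected)
    if operator == "StringEquals":
        return actual in exp
    if operator == "StringNotEquals":
        return actual not in exp
    if operator == "StringLike":
        return any(fnmatchcase(actual, p) for p in exp)
    if operator == "Bool":
        return str(actual).lower() == str(exp[0]).lower()
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(p, strict=False) for p in exp)
    if operator == "NumericLessThan":
        return float(actual) < float(exp[0])
    if operator == "NumericLessThanEquals":
        return float(actual) <= float(exp[0])
    if operator == "DateLessThan":
        return _date(actual) < _date(exp[0])
    raise ValueError(f"unsupported operator: {operator}")

def _conditions_hold(condition, context):
    # Every operator block and every key in it must match; a condition key that
    # is absent from the request context never matches.
    return all(key in context and _match(op, exp, context[key])
               for op, keys in condition.items() for key, exp in keys.items())

def evaluate(policy, action, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _values(stmt["Action"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed policy (CIDR and values are sample data) that combines the
# acs:SourceIp, acs:SecureTransport and ScheduleKeyDeletion guardrail examples.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*",
         "Condition": {"IpAddress": {"acs:SourceIp": "116.62.1.0/24"},
                       "Bool": {"acs:SecureTransport": "true"}}},
        {"Effect": "Allow", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*",
         "Condition": {"NumericLessThanEquals": {
             "kms:ScheduleKeyDeletionPendingWindowInDays": "21"}}},
    ],
}
```

A request that omits a condition key (for example, no acs:SourceIp in the context) never satisfies the condition, so the Allow statement does not apply and the result is an implicit deny.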