Conditions define the requirements for a policy to take effect. You can configure condition keys in key policies, secret policies, and system policies of Resource Access Management (RAM) to manage access to Key Management Service (KMS). This topic describes the condition keys supported by KMS.
In the examples that follow, the Principal element is required in key policies and secret policies. In RAM custom policies, omit the element: the policy is attached to the RAM user or role, which is the principal.
Key-related condition keys
kms:tag
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:tag | Allows you to manage permissions on API operations based on key tags. | String | | Custom key tag | |
kms:EncryptionAlgorithm
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:EncryptionAlgorithm | Allows you to manage permissions on cryptographic operations based on the encryption algorithm specified in the request. | String | | Encryption algorithm, such as SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_256, or ECIES_DH_SHA_1_XOR_HMAC. For the encryption algorithms supported by KMS, see Key types and specifications. | |
In the following example, the RAM user key_ramuser1 is denied encryption, decryption, and re-encryption (kms:Encrypt, kms:Decrypt, and kms:ReEncrypt) with any encryption algorithm other than RSAES_OAEP_SHA_256. A Deny statement only removes permissions: the user still needs an Allow statement for these operations, and this statement then pins them to the one approved algorithm. Restricting the algorithm in this way prevents the use of non-compliant or insecure encryption algorithms with the key. The statement applies only to key_ramuser1; other principals are not constrained by it.
{
  "Sid": "Allow only one encryption algorithm with this asymmetric KMS key",
  "Effect": "Deny",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:user/key_ramuser1"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
    }
  }
}
kms:EncryptionContext:${EncryptionContextKey}
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:EncryptionContext:${EncryptionContextKey} | Allows you to manage permissions on symmetric keys in KMS based on the encryption context of encryption operations. You can configure permissions based on the value of a specific key-value pair in the encryption context. | String | | Custom encryption context | |
In the following example, all RAM users of the Alibaba Cloud account 119285303511**** can generate a data key (kms:GenerateDataKey) only when the encryption context of the request contains the key Project with the value ProjectA. A request that carries no encryption context, or a different value for Project, does not satisfy the condition and receives no permission from this statement.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Project": "ProjectA"
    }
  }
}
kms:EncryptionContextKeys
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:EncryptionContextKeys | Allows you to manage permissions on symmetric keys in KMS based on the encryption context of encryption operations. You can configure permissions based on which keys are present in the encryption context. | String array | | Keys of the key-value pairs included in EncryptionContext | Key policies |
In the following example, all RAM users of the Alibaba Cloud account 119285303511**** can generate a data key (kms:GenerateDataKey) only when the encryption context of the request contains the key Project, whatever its value. To constrain the value as well, use kms:EncryptionContext:Project instead.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContextKeys": "Project"
    }
  }
}
kms:ExpirationModel
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:ExpirationModel | Allows you to manage permissions on the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in requests. | String | ImportKeyMaterial | KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE | |
In the following example, all RAM users of the Alibaba Cloud account 119285303511**** can import key material (kms:ImportKeyMaterial) only when the ExpirationModel value in the request is KEY_MATERIAL_DOES_NOT_EXPIRE.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
    }
  }
}
kms:ValidTo
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:ValidTo | Allows you to manage permissions on the ImportKeyMaterial operation based on the value of the ValidTo parameter in requests. You can use the condition key to allow key material to be imported only if its expiration time is no later than a specific date. | Date | ImportKeyMaterial | UNIX timestamp | |
In the following example, all RAM users of the Alibaba Cloud account 119285303511**** can import key material (kms:ImportKeyMaterial) only if the ValidTo value in the request, that is, the expiration time of the key material, is no later than 1718841600 (June 20, 2024, 00:00:00 UTC). The condition is evaluated against the request parameter, not against the time of the import: a request that carries no expiration time does not satisfy it and receives no permission from this statement, so non-expiring key material must be permitted, if at all, by a separate statement conditioned on kms:ExpirationModel.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ValidTo": "1718841600"
    }
  }
}
kms:KeyOrigin
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:KeyOrigin | Allows you to manage permissions on API operations based on the Origin attribute of keys. You can use the condition key to manage permissions on the CreateKey operation or on other key-related operations. | String | All key-related operations. For more information, see List of operations by function. | Key origin: Aliyun_KMS (key material generated by KMS) or EXTERNAL (imported key material) | |
kms:KeySpec
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:KeySpec | Allows you to manage permissions on API operations based on the KeySpec attribute of keys. | String | All key-related operations. For more information, see List of operations by function. | Key specification, such as Aliyun_AES_256 or RSA_2048. For the key specifications supported by KMS, see Key types and specifications. | |
In the following example, all RAM users and RAM roles of the Alibaba Cloud account 119285303511**** can create keys (kms:CreateKey) only with an RSA key specification; the StringLike pattern RSA_* matches every RSA key length.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:KeySpec": "RSA_*"
    }
  }
}
kms:KeyUsage
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:KeyUsage | Allows you to manage permissions on API operations based on the KeyUsage attribute of keys. | String | All key-related operations. For more information, see List of operations by function. | | |
In the following example, only keys whose purpose (KeyUsage) is ENCRYPT_DECRYPT can be created (kms:CreateKey). The statement has no Principal element, so it is in the form used in a RAM custom policy attached to a user or role.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KeyUsage": "ENCRYPT_DECRYPT"
    }
  }
}
kms:ScheduleKeyDeletionPendingWindowInDays
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:ScheduleKeyDeletionPendingWindowInDays | Allows you to manage permissions on the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in requests. | Numeric value | ScheduleKeyDeletion | Scheduled deletion period of a key. Unit: days. | |
In the following example, no user or role can schedule the deletion of a key (kms:ScheduleKeyDeletion) with a pending window of 21 days or less. A deletion request must therefore leave at least 22 days in which the scheduled deletion can be cancelled.
{
  "Effect": "Deny",
  "Action": "kms:ScheduleKeyDeletion",
  "Principal": "*",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ScheduleKeyDeletionPendingWindowInDays": "21"
    }
  }
}
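The policy examples above (the algorithm Deny for key_ramuser1, the GenerateDataKey Allow on kms:EncryptionContext:Project, the ImportKeyMaterial Allow on kms:ValidTo, and the ScheduleKeyDeletion Deny) all rest on the same evaluation rules: an explicit Deny overrides any Allow, a wildcard principal or action matches broadly, and a condition whose key is absent from the request never matches. The following Python script is an added example, not Alibaba Cloud's policy engine and not code from this page: it models only the operators used on this page (StringEquals, StringNotEquals, StringLike, NumericLessThan, NumericLessThanEquals) and '*' wildcards, and evaluates the page's statements, plus a constructed broad Allow, against constructed requests. The account ID is the masked value used on this page, the key ARN is constructed (the cn-hangzhou region is assumed), and the treatment of multi-valued keys such as kms:EncryptionContextKeys (a match if any value satisfies the condition) is the script's assumption, since the page does not state it.

```python
"""Minimal model of how RAM-style condition keys gate KMS requests.

Added example, not Alibaba Cloud's policy engine. It models only what this
page uses: five condition operators, '*' wildcards in Principal, Action and
Resource, explicit Deny overriding Allow, and the rule that a condition key
absent from the request never satisfies a condition.
"""
from fnmatch import fnmatchcase

# Each operator receives the request's value and the list of expected values.
OPERATORS = {
    "StringEquals": lambda actual, exp: actual in exp,
    "StringNotEquals": lambda actual, exp: actual not in exp,
    "StringLike": lambda actual, exp: any(fnmatchcase(actual, p) for p in exp),
    "NumericLessThan": lambda actual, exp: any(float(actual) < float(e) for e in exp),
    "NumericLessThanEquals": lambda actual, exp: any(float(actual) <= float(e) for e in exp),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, request_keys):
    """True only if every operator/key pair holds for the request.

    A key the request does not carry (for example kms:ValidTo on an
    ImportKeyMaterial call with no expiration time) fails the condition.
    """
    for operator, pairs in condition.items():
        test = OPERATORS[operator]
        for key, expected in pairs.items():
            if key not in request_keys:
                return False
            # Assumption: a multi-valued key (kms:EncryptionContextKeys) matches if any value does.
            if not any(test(v, _as_list(expected)) for v in _as_list(request_keys[key])):
                return False
    return True


def statement_applies(stmt, request):
    # A statement without Principal is a RAM policy attached to the caller itself.
    principal = stmt.get("Principal", "*")
    patterns = ["*"] if principal == "*" else _as_list(principal.get("RAM", []))
    if not any(fnmatchcase(request["principal"], p) for p in patterns):
        return False
    if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), request.get("keys", {}))


def evaluate(policies, request):
    """Explicit Deny wins; otherwise Allow if any statement allows; otherwise ImplicitDeny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy.get("Statement", [policy]):  # bare statements or {"Statement": [...]}
            if not statement_applies(stmt, request):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


ACCOUNT = "acs:ram::119285303511****"  # masked account ID as used on this page
KEY_ARN = "acs:kms:cn-hangzhou:119285303511****:key/key-hzz653f1f8fybn5qa****"  # constructed

# Constructed policy set: one broad Allow plus the statements shown on this page.
POLICIES = [
    {"Effect": "Allow", "Principal": {"RAM": [ACCOUNT + ":*"]}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:ScheduleKeyDeletion"]},
    {"Effect": "Deny", "Principal": {"RAM": [ACCOUNT + ":user/key_ramuser1"]}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt"],
     "Condition": {"StringNotEquals": {"kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"}}},
    {"Effect": "Allow", "Principal": {"RAM": [ACCOUNT + ":*"]}, "Resource": "*",
     "Action": "kms:GenerateDataKey",
     "Condition": {"StringEquals": {"kms:EncryptionContext:Project": "ProjectA"}}},
    {"Effect": "Allow", "Principal": {"RAM": [ACCOUNT + ":*"]}, "Resource": "*",
     "Action": "kms:ImportKeyMaterial",
     "Condition": {"NumericLessThanEquals": {"kms:ValidTo": "1718841600"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*",
     "Condition": {"NumericLessThanEquals": {"kms:ScheduleKeyDeletionPendingWindowInDays": "21"}}},
]


def decide(action, keys=None, user="user/key_ramuser1"):
    """Decision for a constructed request by ACCOUNT:<user> against KEY_ARN."""
    request = {"principal": f"{ACCOUNT}:{user}", "action": action,
               "resource": KEY_ARN, "keys": keys or {}}
    return evaluate(POLICIES, request)


if __name__ == "__main__":
    print(decide("kms:Encrypt", {"kms:EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}))  # Deny
    print(decide("kms:Encrypt", {"kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"}))  # Allow
    print(decide("kms:ImportKeyMaterial"))  # ImplicitDeny: no kms:ValidTo in the request
    print(decide("kms:ScheduleKeyDeletion", {"kms:ScheduleKeyDeletionPendingWindowInDays": "7"}))  # Deny
```

Run the script directly to print the four decisions; decide() is the entry point for further cases. For instance, decide("kms:Encrypt", {"kms:EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}, user="user/other") returns Allow, because the algorithm Deny is scoped to key_ramuser1 and does not constrain other principals, which is why such a Deny is usually written with a broader Principal in practice.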
kms:SigningAlgorithm
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:SigningAlgorithm | Allows you to manage permissions on the Sign and Verify operations based on the signing algorithm specified in the request. | String | Sign, Verify | Signing algorithm, such as RSA_PSS_SHA_256 or ECDSA_SHA_256. For the signing algorithms supported by KMS, see Key types and specifications. | |
kms:WrappingAlgorithm
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:WrappingAlgorithm | Allows you to manage permissions on the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in requests. | String | GetParametersForImport | Wrapping algorithm. For the wrapping algorithms supported by KMS, see Import key material into a symmetric key and Import key material into an asymmetric key. | |
kms:WrappingKeySpec
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:WrappingKeySpec | Allows you to manage permissions on the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in requests. | String | GetParametersForImport | Type of the wrapping public key. For the wrapping public key types supported by KMS, see Import key material into a symmetric key and Import key material into an asymmetric key. | |
Secret-related condition keys
kms:tag
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:tag | Allows you to manage permissions on API operations based on secret tags. | String | | Custom secret tag | |
kms:SecretName
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:SecretName | Allows you to manage permissions on API operations based on the value of the SecretName parameter. | String | All secret-related operations. For more information, see List of operations by function. | Custom secret name | |
kms:EncryptionKeyId
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:EncryptionKeyId | Allows you to manage permissions on API operations based on the ID of the encryption key specified in secret access requests. | String | | Key ID | |
kms:SecretVersionId
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:SecretVersionId | Allows you to manage permissions on API operations based on the unique secret version ID specified in requests. | String | | Secret version ID | |
kms:SecretVersionStage
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:SecretVersionStage | Allows you to manage permissions on API operations based on the secret version stage specified in requests. | String | | Secret version stage, such as ACSCurrent or ACSPrevious | |
kms:SecretType
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:SecretType | Allows you to manage permissions on API operations based on the secret type specified in requests. | String | All secret-related operations. For more information, see List of operations by function. | Secret type, such as Generic, Rds, RAMCredentials, or ECS | |
kms:ForceDeleteWithoutRecovery
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:ForceDeleteWithoutRecovery | Allows you to manage permissions on the DeleteSecret operation based on the value of the ForceDeleteWithoutRecovery parameter in requests, which specifies whether the secret is deleted immediately. A forcibly deleted secret cannot be recovered. | Boolean | DeleteSecret | true or false | |
kms:RecoveryWindowInDays
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:RecoveryWindowInDays | Allows you to manage permissions on the DeleteSecret operation based on the value of the RecoveryWindowInDays parameter in requests, which specifies the recovery period of a secret that is not forcibly deleted. Unit: days. | Numeric value | DeleteSecret | Number of days | |
In the following example, no user or role can delete a secret (kms:DeleteSecret) with a recovery window of 10 days or less. The statement constrains only the recovery window; whether a forced deletion (ForceDeleteWithoutRecovery) is permitted is a separate decision, so to block unrecoverable deletion as well, add a Deny on kms:DeleteSecret conditioned on kms:ForceDeleteWithoutRecovery.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:DeleteSecret",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThanEquals": {
          "kms:RecoveryWindowInDays": "10"
        }
      }
    }
  ]
}
Others
kms:TlsVersion
Condition key | Description | Condition type | API operation | Valid value | Policy type |
kms:TlsVersion | Allows you to manage permissions on API operations based on the TLS version of the request. | String | All operations that require authentication. Operations that do not require authentication, such as DescribeRegions, are not covered. | TLS version, such as 1.2 | |
In the following example, every operation on the specified key is denied when the request uses a TLS version earlier than 1.2. The version is compared as a number with NumericLessThan, and the statement has no Principal element, so it is in the form used in a RAM custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:*",
      "Resource": "acs:kms:*:*:key/key-hzz653f1f8fybn5qa****",
      "Condition": {
        "NumericLessThan": {
          "kms:TlsVersion": [
            "1.2"
          ]
        }
      }
    }
  ]
}