Key Management Service: Configure a key policy

Last Updated: Apr 28, 2024

You can add or remove Resource Access Management (RAM) users and RAM roles to or from a key policy to set the administrators and users of a key. This topic describes how to configure a key policy.

Precautions

  • You can configure key policies only for keys in Key Management Service (KMS) instances. You can configure a key policy when you create a key or after a key is created. For information about how to configure a key policy when you create a key, see Create a key. This topic describes how to configure a key policy after a key is created.

  • The content of a key policy cannot exceed 32,768 bytes in length and must be in the JSON format.

  • When you configure a key policy in the KMS console, you can use the default policy or configure a custom policy. With a custom policy, you can set RAM users or RAM roles in the current account as administrators and users of the key, and you can add cross-account users. If you need a finer-grained key policy, for example one that allows a user to perform only encryption or decryption operations with the key, call the API operation instead of using the console.

    The following list describes the operations that can be configured in a key policy. An entry that ends with an asterisk (*) is a wildcard that covers all operations with that prefix; for example, kms:Describe* covers kms:DescribeKey and kms:DescribeKeyVersion. If you configure an operation that is not in the list, the setting does not take effect.

     "Action": [
                    "kms:List*",
                    "kms:Describe*",
                    "kms:Create*",
                    "kms:Enable*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Set*",
                    "kms:Update*",
                    "kms:Delete*",
                    "kms:Cancel*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ImportKeyMaterial",
                    "kms:ScheduleKeyDeletion",
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey",
                    "kms:GenerateAndExportDataKey",
                    "kms:AsymmetricEncrypt",
                    "kms:AsymmetricDecrypt",
                    "kms:DescribeKey",
                    "kms:DescribeKeyVersion",
                    "kms:ListKeyVersions",
                    "kms:ListAliasesByKeyId"
                ]
  • If you want to allow a RAM user or RAM role in another Alibaba Cloud account to use the key, two settings are required: the key owner adds the RAM user or RAM role as a cross-account user in the key policy in the KMS console, and the other account attaches a RAM permission policy that grants the RAM user or RAM role the required KMS permissions in the RAM console. The key policy alone is not sufficient. For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

Prerequisites

A software-protected key or hardware-protected key is created in the KMS instance. For more information, see Create a key.

Configure a key policy in the KMS console

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

  2. On the Keys tab, find the key for which you want to configure a policy. Click the key ID or click Details in the Actions column that corresponds to the key.

  3. On the Key Policy tab of the details page, click Configure Key Policy. In the Key Policy panel, configure the policy. Then, click OK.

    In the Key Policy panel, you can set Administrator, User, and Cross-account User for the key.

    • An administrator can manage the key but cannot use the key to perform cryptographic operations. You can select RAM users and RAM roles in the current Alibaba Cloud account as the administrators of the key.

      Set administrators of the key

      In the following example, the key_ramuser1 RAM user and key_ramrole1 RAM role are allowed to manage the key as administrators.

              {
                  "Action": [
                      "kms:List*",
                      "kms:Describe*",
                      "kms:Create*",
                      "kms:Enable*",
                      "kms:Disable*",
                      "kms:Get*",
                      "kms:Set*",
                      "kms:Update*",
                      "kms:Delete*",
                      "kms:Cancel*",
                      "kms:TagResource",
                      "kms:UntagResource",
                      "kms:ImportKeyMaterial",
                      "kms:ScheduleKeyDeletion"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::119285303511****:user/key_ramuser1",
                          "acs:ram::119285303511****:role/key_ramrole1"
                      ]
                  },
                  "Resource": [
                      "*"
                  ]
              }
    • A user can use the key only to perform cryptographic operations and cannot manage the key. You can select RAM users and RAM roles in the current Alibaba Cloud account as the users of the key.

      Set users of the key

      In the following example, the key_ramuser2 RAM user and key_ramrole2 RAM role are allowed to use the key to perform cryptographic operations.

              {
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:GenerateDataKey",
                      "kms:GenerateAndExportDataKey",
                      "kms:AsymmetricEncrypt",
                      "kms:AsymmetricDecrypt",
                      "kms:DescribeKey",
                      "kms:DescribeKeyVersion",
                      "kms:ListKeyVersions",
                      "kms:ListAliasesByKeyId",
                      "kms:TagResource"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::119285303511****:user/key_ramuser2",
                          "acs:ram::119285303511****:role/key_ramrole2"
                      ]
                  },
                  "Resource": [
                      "*"
                  ]
              }
    • A cross-account user can use the key to perform cryptographic operations. A cross-account user can be a RAM user or RAM role of other Alibaba Cloud accounts.

      Important

      If you grant permissions to RAM users or RAM roles of other Alibaba Cloud accounts to use the key, the Access Management Quota of the KMS instance is consumed per distinct Alibaba Cloud account, not per RAM user or RAM role. If you revoke the authorization, wait about 5 minutes and then check the quota; the consumed quota is returned.

      • RAM user: Specify the RAM user in the acs:ram::<userId>:user/<ramuser> format, where <userId> is the ID of the Alibaba Cloud account to which the RAM user belongs. Example: acs:ram::119285303511****:user/testpolicyuser.

      • RAM role: Specify the RAM role in the acs:ram::<userId>:role/<ramrole> format, where <userId> is the ID of the Alibaba Cloud account to which the RAM role belongs. Example: acs:ram::119285303511****:role/testpolicyrole.

      Set cross-account users

      In the following example, the key_ramuser3 RAM user of another Alibaba Cloud account (190325303126****) is allowed to use the key to perform cryptographic operations.

              {
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:GenerateDataKey",
                      "kms:GenerateAndExportDataKey",
                      "kms:AsymmetricEncrypt",
                      "kms:AsymmetricDecrypt",
                      "kms:DescribeKey",
                      "kms:DescribeKeyVersion",
                      "kms:ListKeyVersions",
                      "kms:ListAliasesByKeyId",
                      "kms:TagResource"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::190325303126****:user/key_ramuser3"
                      ]
                  },
                  "Resource": [
                      "*"
                  ]
              }
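The following Python script is an added example, not Alibaba Cloud's own tooling and not part of this topic's original content. It assembles the administrator, user and cross-account statements shown above into one policy document and lints the result against the rules this topic states: the policy must be JSON of at most 32,768 bytes, only the listed kms: actions take effect, principals use the acs:ram::<userId>:user/<name> or :role/<name> format, administrators manage the key while users only use it, and each other account granted access consumes the instance's Access Management Quota. The {"Version": "1", "Statement": [...]} wrapper around the statements, the check that account IDs are 16 digits, and the account IDs and principal names in the sample data are assumptions made for this example; the statement bodies are the ones the console generates.

```python
"""Build a KMS key policy and lint it against the constraints on this page."""
import fnmatch
import json
import re

MAX_POLICY_BYTES = 32768  # size limit stated on this page

# Statement bodies the console generates for administrators and users (from this page).
ADMIN_ACTIONS = ["kms:List*", "kms:Describe*", "kms:Create*", "kms:Enable*",
                 "kms:Disable*", "kms:Get*", "kms:Set*", "kms:Update*", "kms:Delete*",
                 "kms:Cancel*", "kms:TagResource", "kms:UntagResource",
                 "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion"]
USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                "kms:GenerateAndExportDataKey", "kms:AsymmetricEncrypt",
                "kms:AsymmetricDecrypt", "kms:DescribeKey", "kms:DescribeKeyVersion",
                "kms:ListKeyVersions", "kms:ListAliasesByKeyId", "kms:TagResource"]
# Only these patterns take effect in a key policy; KMS ignores anything else.
SUPPORTED_ACTIONS = set(ADMIN_ACTIONS) | set(USER_ACTIONS)
CRYPTO_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                  "kms:GenerateAndExportDataKey", "kms:AsymmetricEncrypt", "kms:AsymmetricDecrypt"}
# Administrator actions that change the key; read-only and tagging actions are excluded.
MANAGEMENT_ACTIONS = [a for a in ADMIN_ACTIONS
                      if a not in ("kms:List*", "kms:Describe*", "kms:Get*", "kms:TagResource")]
# acs:ram::<accountId>:user/<name> or :role/<name>; 16-digit account ID is an assumption.
PRINCIPAL_RE = re.compile(r"^acs:ram::(\d{16}):(user|role)/[^/\s]+$")

def _matches(action, patterns):
    # True if the policy action equals, or is covered by, one of the wildcard patterns.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def arn(account, kind, name):
    return f"acs:ram::{account}:{kind}/{name}"

def statement(actions, principals):
    return {"Action": list(actions), "Effect": "Allow",
            "Principal": {"RAM": list(principals)}, "Resource": ["*"]}

def build_key_policy(admins, users, cross_account_users=()):
    """Assemble the three statement kinds shown on this page. The Version/Statement
    wrapper is an assumption about the shape of the full policy document."""
    stmts = []
    if admins:
        stmts.append(statement(ADMIN_ACTIONS, admins))
    if users:
        stmts.append(statement(USER_ACTIONS, users))
    if cross_account_users:
        stmts.append(statement(USER_ACTIONS, cross_account_users))
    return {"Version": "1", "Statement": stmts}

def foreign_accounts(policy, own_account):
    """Other Alibaba Cloud accounts granted access. Each distinct account, not each
    RAM user or role, consumes the instance's Access Management Quota."""
    accounts = set()
    for stmt in policy.get("Statement", []):
        for principal in stmt.get("Principal", {}).get("RAM", []):
            m = PRINCIPAL_RE.match(principal)
            if m and m.group(1) != own_account:
                accounts.add(m.group(1))
    return sorted(accounts)

def lint_key_policy(policy):
    """Return a list of findings; an empty list means nothing needs fixing."""
    findings = []
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        findings.append(f"policy is {size} bytes, limit is {MAX_POLICY_BYTES}")
    granted = {}  # principal -> every action it is granted, across all statements
    for i, stmt in enumerate(policy.get("Statement", [])):
        missing = {"Action", "Effect", "Principal", "Resource"} - set(stmt)
        if missing:
            findings.append(f"statement {i}: missing {sorted(missing)}")
            continue
        for action in stmt["Action"]:
            if not _matches(action, SUPPORTED_ACTIONS):
                findings.append(f"statement {i}: {action} is not a supported "
                                "key-policy action and will not take effect")
        for principal in stmt["Principal"].get("RAM", []):
            if not PRINCIPAL_RE.match(principal):
                findings.append(f"statement {i}: principal {principal!r} is not "
                                "acs:ram::<accountId>:user/<name> or :role/<name>")
            granted.setdefault(principal, set()).update(stmt["Action"])
    # Administrators manage the key and users only use it; flag anyone holding both.
    for principal, actions in granted.items():
        if (any(_matches(a, CRYPTO_ACTIONS) for a in actions)
                and any(_matches(a, MANAGEMENT_ACTIONS) for a in actions)):
            findings.append(f"{principal} can both manage and use the key; "
                            "split it into an administrator and a user")
    return findings

# Constructed sample data; the account IDs are not real accounts.
OWN_ACCOUNT = "1192853035110000"
OTHER_ACCOUNT = "1903253031260000"
GOOD_POLICY = build_key_policy(
    admins=[arn(OWN_ACCOUNT, "user", "key_ramuser1"), arn(OWN_ACCOUNT, "role", "key_ramrole1")],
    users=[arn(OWN_ACCOUNT, "user", "key_ramuser2"), arn(OWN_ACCOUNT, "role", "key_ramrole2")],
    cross_account_users=[arn(OTHER_ACCOUNT, "user", "key_ramuser3")])
# Constructed policy with the mistakes the linter is meant to catch.
BAD_POLICY = {"Version": "1", "Statement": [
    statement(["kms:*"], [arn(OWN_ACCOUNT, "user", "ops")]),
    statement(["kms:Decrypt", "kms:ScheduleKeyDeletion"], [arn(OWN_ACCOUNT, "user", "ops"), "ops-team"])]}
```

Running lint_key_policy on GOOD_POLICY returns no findings, and foreign_accounts reports the one other account that will consume quota. BAD_POLICY produces four findings: kms:* is not in the supported list, so that statement grants nothing; ops-team is not a valid principal; and both principals in the second statement can schedule deletion of the same key they decrypt with, which the console's administrator/user split is meant to prevent. Wildcard matching is case-sensitive (fnmatchcase), matching how action names appear on this page.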