
Key Management Service:Configure a secret policy

Last Updated:May 06, 2024

You can add or remove Resource Access Management (RAM) users and RAM roles to or from a secret policy to set the administrators and users of a secret. This topic describes how to configure a secret policy.

Precautions

  • You can configure secret policies only for secrets in Key Management Service (KMS) instances. You can configure a secret policy when you create a secret or after a secret is created. For information about how to configure a secret policy when you create a secret, see Manage and use generic secrets. This topic describes how to configure a secret policy after a secret is created.

  • The content of a secret policy cannot exceed 32,768 bytes in length and must be in the JSON format.

  • When you configure a secret policy in the KMS console, you can use the default policy or configure a custom policy. If you configure a custom policy, you can set RAM users or roles as administrators and users of the secret, and set cross-account users. If you want to configure a more refined secret policy, you can call an API operation.

    The following list describes the operations that can be configured in a secret policy. If you configure an operation that is not in the list, the setting does not take effect.

    "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:PutSecretValue",
        "kms:Update*",
        "kms:DeleteSecret",
        "kms:RestoreSecret",
        "kms:RotateSecret",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:GetSecretValue"
    ]
  • If you want to allow a RAM user or RAM role in another Alibaba Cloud account to use the secret, you must configure a secret policy in the KMS console and configure a permission policy in the RAM console. For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

Configure a secret policy in the KMS console

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

  2. On the Secrets page, find the secret for which you want to configure a policy, and click the secret name or click Details in the Actions column that corresponds to the secret.

  3. On the Secret Policy tab of the details page, click Configure Secret Policy. In the Secret Policy panel, configure the policy. Then, click OK.

    In the Secret Policy panel, you can set Administrator, User, and Cross-account User for the secret.

    • An administrator can manage the secret but cannot retrieve the secret value. You can select RAM users and RAM roles in the current Alibaba Cloud account as the administrators of the secret.

      Set administrators of the secret

      In the following example, the key_ramuser1 RAM user and key_ramrole1 RAM role are allowed to manage the secret as administrators.

              {
                  "Action": [
                      "kms:List*",
                      "kms:Describe*",
                      "kms:PutSecretValue",
                      "kms:Update*",
                      "kms:DeleteSecret",
                      "kms:RestoreSecret",
                      "kms:RotateSecret",
                      "kms:TagResource",
                      "kms:UntagResource"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::119285303511****:user/key_ramuser1",
                          "acs:ram::119285303511****:role/key_ramrole1"
                      ]
                  },
                  "Resource": [
                      "*"
                  ]
              }
    • A user can only retrieve the secret value. You can select RAM users and RAM roles in the current Alibaba Cloud account as the users of the secret.

      Set users of the secret

      In the following example, the key_ramuser2 RAM user and key_ramrole2 RAM role are allowed to retrieve the secret value.

              {
                  "Action": [
                      "kms:List*",
                      "kms:Describe*",
                      "kms:GetSecretValue"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::119285303511****:user/key_ramuser2",
                          "acs:ram::119285303511****:role/key_ramrole2"
                      ]
                  },
                  "Resource": [
                      "*"
                  ]
              }
    • A cross-account user can retrieve the secret value. A cross-account user can be a RAM user or RAM role of other Alibaba Cloud accounts.

      • RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser.

      • RAM role: The name of the RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole.

      Set cross-account users

      In the following example, the key_ramuser3 RAM user of another Alibaba Cloud account (190325303126****) is allowed to retrieve the secret value.

              {
                  "Action": [
                      "kms:List*",
                      "kms:Describe*",
                      "kms:GetSecretValue"
                  ],
                  "Effect": "Allow",
                  "Principal": {
                      "RAM": [
                          "acs:ram::190325303126****:user/key_ramuser3"
                      ]
                  },
                  "Resource": [
                      "*"
                  ]
              }
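The following lint helper is an added example, not Alibaba Cloud code; it checks a secret policy against the constraints stated in the Precautions and the administrator/user/cross-account split described above before the policy is applied. The function name lint_secret_policy, the account ID passed in, and the sample policy are all constructed for illustration.

```python
import json
import re

# Constructed lint helper (not Alibaba Cloud code) that checks a KMS secret
# policy against the constraints stated on this page before it is applied.
SUPPORTED_ACTIONS = {
    "kms:List*", "kms:Describe*", "kms:PutSecretValue", "kms:Update*",
    "kms:DeleteSecret", "kms:RestoreSecret", "kms:RotateSecret",
    "kms:TagResource", "kms:UntagResource", "kms:GetSecretValue",
}
# Everything an administrator may do that a user may not.
ADMIN_ONLY_ACTIONS = SUPPORTED_ACTIONS - {"kms:List*", "kms:Describe*", "kms:GetSecretValue"}
MAX_POLICY_BYTES = 32768
# Principal format from the page: acs:ram::<accountId>:user/<name> or :role/<name>
PRINCIPAL_RE = re.compile(r"^acs:ram::([0-9*]+):(user|role)/[A-Za-z0-9_.-]+$")


def lint_secret_policy(policy_text, own_account_id):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds 32,768 bytes")
    try:
        stmt = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"policy is not valid JSON: {exc.msg}"]
    if not isinstance(stmt, dict):
        return findings + ["policy must be a JSON object"]
    actions = set(stmt.get("Action", []))
    # KMS ignores actions outside the supported list, so a misspelled action is
    # a permission the author believes exists but that never took effect.
    for action in sorted(actions - SUPPORTED_ACTIONS):
        findings.append(f"unsupported action {action} has no effect")
    # Administrators manage but cannot read the value; users only read it.
    if "kms:GetSecretValue" in actions and actions & ADMIN_ONLY_ACTIONS:
        findings.append("statement mixes administrator and user privileges")
    for principal in stmt.get("Principal", {}).get("RAM", []):
        match = PRINCIPAL_RE.match(principal)
        if not match:
            findings.append(f"malformed principal {principal}")
        elif match.group(1) != own_account_id:
            # Cross-account access also needs a RAM permission policy in that account.
            findings.append(f"cross-account principal {principal} also needs a RAM policy")
    return findings


# Constructed sample (account IDs masked like the page's): an admin statement with
# a misspelled action that also grants the secret value to an outside account.
SAMPLE_POLICY = json.dumps({
    "Action": ["kms:Update*", "kms:DeleteSecrets", "kms:GetSecretValue"],
    "Effect": "Allow",
    "Principal": {"RAM": ["acs:ram::190325303126****:user/key_ramuser3", "acs:ram::bad"]},
    "Resource": ["*"],
})
```

Running lint_secret_policy(SAMPLE_POLICY, "119285303511****") reports the unsupported action, the mixed privileges, the cross-account principal and the malformed principal; the page's own user example returns no findings.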