Key Management Service (KMS) allows you to use Resource Access Management (RAM) to control access to KMS resources. This topic describes the KMS resource types, actions, and conditions that can be defined in RAM policies.

Alibaba Cloud accounts have full permissions on their own resources. RAM users and roles must be explicitly granted permissions on resources.

Before you can use RAM to perform authorization and access customer master keys (CMKs), read the following topics:

Resource types in KMS

The following table describes all resource types and their Alibaba Cloud Resource Names (ARNs) in KMS. The ARNs can be used in the Resource parameter of a RAM policy.

Resource type         | ARN
----------------------|---------------------------------------------------
Key container         | acs:kms:${region}:${account}:key
Secret container      | acs:kms:${region}:${account}:secret
Alias container       | acs:kms:${region}:${account}:alias
Certificate container | acs:kms:${region}:${account}:certificate
Key                   | acs:kms:${region}:${account}:key/${key-id}
Secret                | acs:kms:${region}:${account}:secret/${secret-name}
Alias                 | acs:kms:${region}:${account}:alias/${alias-name}
Certificate           | acs:kms:${region}:${account}:certificate/${id}

Actions in KMS

KMS defines actions in RAM policies for each API operation that requires access control. In most cases, actions are in the kms:<api-name> format.
Note: The DescribeRegions operation does not require access control. The operation can be called by Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication.

The following tables list the RAM actions and resource types that correspond to each KMS API operation.

  • Key API operations
    Operation                       | Action                                               | Resource type
    --------------------------------|------------------------------------------------------|----------------
    ListKeys                        | kms:ListKeys                                         | Key container
    CreateKey                       | kms:CreateKey                                        | Key container
    DescribeKey                     | kms:DescribeKey                                      | Key
    UpdateKeyDescription            | kms:UpdateKeyDescription                             | Key
    EnableKey                       | kms:EnableKey                                        | Key
    DisableKey                      | kms:DisableKey                                       | Key
    ScheduleKeyDeletion             | kms:ScheduleKeyDeletion                              | Key
    CancelKeyDeletion               | kms:CancelKeyDeletion                                | Key
    GetParametersForImport          | kms:GetParametersForImport                           | Key
    ImportKeyMaterial               | kms:ImportKeyMaterial                                | Key
    DeleteKeyMaterial               | kms:DeleteKeyMaterial                                | Key
    ListAliases                     | kms:ListAliases                                      | Alias container
    CreateAlias                     | kms:CreateAlias                                      | Alias and key
    UpdateAlias                     | kms:UpdateAlias                                      | Alias and key
    DeleteAlias                     | kms:DeleteAlias                                      | Alias and key
    ListAliasesByKeyId              | kms:ListAliasesByKeyId                               | Key
    CreateKeyVersion                | kms:CreateKeyVersion                                 | Key
    DescribeKeyVersion              | kms:DescribeKeyVersion                               | Key
    ListKeyVersions                 | kms:ListKeyVersions                                  | Key
    UpdateRotationPolicy            | kms:UpdateRotationPolicy                             | Key
    Encrypt                         | kms:Encrypt                                          | Key
    Decrypt                         | kms:Decrypt                                          | Key
    ReEncrypt                       | kms:ReEncryptFrom, kms:ReEncryptTo, kms:ReEncrypt*   | Key
    GenerateDataKey                 | kms:GenerateDataKey                                  | Key
    GenerateDataKeyWithoutPlaintext | kms:GenerateDataKeyWithoutPlaintext                  | Key
    ExportDataKey                   | kms:ExportDataKey                                    | Key
    GenerateAndExportDataKey        | kms:GenerateAndExportDataKey                         | Key
    AsymmetricSign                  | kms:AsymmetricSign                                   | Key
    AsymmetricVerify                | kms:AsymmetricVerify                                 | Key
    AsymmetricEncrypt               | kms:AsymmetricEncrypt                                | Key
    AsymmetricDecrypt               | kms:AsymmetricDecrypt                                | Key
    GetPublicKey                    | kms:GetPublicKey                                     | Key
  • Secrets Manager API operations
    Operation                | Action                                       | Resource type
    -------------------------|----------------------------------------------|------------------
    CreateSecret             | kms:CreateSecret                             | Secret container
    ListSecrets              | kms:ListSecrets                              | Secret container
    DescribeSecret           | kms:DescribeSecret                           | Secret
    DeleteSecret             | kms:DeleteSecret                             | Secret
    UpdateSecret             | kms:UpdateSecret                             | Secret
    RestoreSecret            | kms:RestoreSecret                            | Secret
    GetSecretValue           | kms:GetSecretValue, kms:Decrypt (see note 1) | Secret
    PutSecretValue           | kms:PutSecretValue, kms:GenerateDataKey (see note 2) | Secret
    ListSecretVersionIds     | kms:ListSecretVersionIds                     | Secret
    UpdateSecretVersionStage | kms:UpdateSecretVersionStage                 | Secret
    GetRandomPassword        | kms:GetRandomPassword                        | None
    Note 1: The permission on kms:Decrypt is required only when a self-managed CMK is specified as the encryption key for a generic secret.
    Note 2: The permission on kms:GenerateDataKey is required only when a self-managed CMK is specified as the encryption key for a generic secret.
  • Certificates Manager API operations
    Operation                   | Action                          | Resource type
    ----------------------------|---------------------------------|--------------
    CreateCertificate           | kms:CreateCertificate           | Certificate
    UploadCertificate           | kms:UploadCertificate           | Certificate
    GetCertificate              | kms:GetCertificate              | Certificate
    DescribeCertificate         | kms:DescribeCertificate         | Certificate
    UpdateCertificateStatus     | kms:UpdateCertificateStatus     | Certificate
    DeleteCertificate           | kms:DeleteCertificate           | Certificate
    CertificatePrivateKeySign   | kms:CertificatePrivateKeySign   | Certificate
    CertificatePublicKeyVerify  | kms:CertificatePublicKeyVerify  | Certificate
    CertificatePublicKeyEncrypt | kms:CertificatePublicKeyEncrypt | Certificate
    CertificatePrivateKeyDecrypt | kms:CertificatePrivateKeyDecrypt | Certificate
  • Tag management API operations
    Operation        | Action               | Resource type
    -----------------|----------------------|--------------
    ListResourceTags | kms:ListResourceTags | Key or secret
    UntagResource    | kms:UntagResource    | Key or secret
    TagResource      | kms:TagResource      | Key or secret

Policy conditions in KMS

You can add conditions in RAM policies to control access to KMS. RAM authentication succeeds only when the added conditions are met. For example, you can add an acs:CurrentTime condition to control the period during which a RAM policy is valid.

In addition to global conditions, you can use tags as filters to limit the use of cryptographic API operations, such as Encrypt, Decrypt, and GenerateDataKey. Filters must be in the kms:tag/<tag-key> format.

For more information, see Policy elements.

Examples of RAM policies

  • RAM policy that allows users to access all KMS resources
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • RAM policy that allows users only to list and query keys, view aliases, and use keys
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*", "kms:Describe*",
            "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • RAM policy that allows users to perform cryptographic operations only with keys that carry the following tag:
    • Tag key: Project
    • Tag value: Apollo
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/Project": [
                            "Apollo"
                        ]
                    }
                }
            }
        ]
    }
  • RAM policy that allows users to access keys from the following IP addresses:
    • CIDR block: 192.168.0.0/16
    • IP address: 172.16.215.218
    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "kms:*"
        ],
        "Resource": [
          "*"
        ],
        "Condition": {
          "IpAddress": {
            "acs:SourceIp": [
              "192.168.0.0/16",
              "172.16.215.218"
            ]
          }
        }
      }]
    }
  • RAM policy that allows users only to query secrets, query versions and content of secrets, and generate random passwords
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*", "kms:Describe*",
            "kms:GetSecretValue", "kms:Decrypt", "kms:GetRandomPassword"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • RAM policy that allows users only to query the details about certificates
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*",
            "kms:Describe*",
            "kms:Get*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • RAM policy that allows users to generate and verify digital signatures by using specified certificates
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:CertificatePrivateKeySign",
            "kms:CertificatePublicKeyVerify"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
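To see how the condition keys from "Policy conditions in KMS" and the wildcard actions in the examples above actually decide a request, here is a small evaluator added for this page (it is not Alibaba Cloud code and not part of the original page). It implements Action/Resource wildcard matching, the StringEqualsIgnoreCase and IpAddress operators used in the examples, and deny-overrides-allow semantics; the copied policies, the constructed ARN values, the `is_allowed` function and the case-insensitive name comparison are all assumptions of this demo. The checks in the test also show that the certificate policy's "kms:Get*" matches kms:GetSecretValue from the Secrets Manager table, so a wildcard reads wider than its description.

```python
import fnmatch
import ipaddress

# Constructed copies of two policies from the examples above: the tag-scoped one and the
# certificate-details one (its "kms:Get*" wildcard is what the last checks probe).
TAG_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": ["*"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}
CERT_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:List*", "kms:Describe*", "kms:Get*"],
    "Resource": ["*"]}]}

def _match(patterns, value):
    # "*" is a wildcard in Action and Resource; comparing names case-insensitively is a
    # simplification assumed by this demo, not a statement about the RAM engine.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _condition_ok(cond, ctx):
    # Operators and keys are ANDed, listed values ORed; a missing key or unknown operator fails closed.
    for op, keys in cond.items():
        for key, allowed in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "StringEqualsIgnoreCase":
                if actual.lower() not in (a.lower() for a in allowed):
                    return False
            elif op == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(a, strict=False) for a in allowed):
                    return False
            else:
                return False
    return True

def is_allowed(policy, action, resource, ctx=None):
    """Default deny; an explicit Deny overrides any Allow. ctx holds condition key values."""
    ctx = ctx or {}
    decision = False
    for st in policy["Statement"]:
        if not (_match(st["Action"], action) and _match(st["Resource"], resource)
                and _condition_ok(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Feed it a policy, an action name, a resource ARN and a dict of condition keys (kms:tag/Project, acs:SourceIp) to compare what a statement grants against what its description claims.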