Key Management Service (KMS) allows you to use Resource Access Management (RAM) to control access to KMS resources. This topic describes the KMS resource types, actions, and conditions that can be defined in RAM policies.
Alibaba Cloud accounts have full permissions on their own resources. RAM users and roles must be explicitly granted permissions on resources.
Before you can use RAM to perform authorization and access customer master keys (CMKs), read the following topics:
Resource types in KMS
The following table describes all resource types and their Alibaba Cloud Resource Names (ARNs) in KMS. The ARNs can be used in the Resource parameter of a RAM policy.
Resource type | ARN |
---|---|
Key container | acs:kms:${region}:${account}:key |
Secret container | acs:kms:${region}:${account}:secret |
Alias container | acs:kms:${region}:${account}:alias |
Certificate container | acs:kms:${region}:${account}:certificate |
Key | acs:kms:${region}:${account}:key/${key-id} |
Secret | acs:kms:${region}:${account}:secret/${secret-name} |
Alias | acs:kms:${region}:${account}:alias/${alias-name} |
Certificate | acs:kms:${region}:${account}:certificate/${id} |
Actions in KMS
Each KMS API operation maps to a RAM action in the kms:<api-name> format, which you specify in the Action element of a RAM policy.
The following tables list the RAM actions and resource types that correspond to each KMS API operation.
- Key API operations

Operation | Action | Resource type |
---|---|---|
ListKeys | kms:ListKeys | Key container |
CreateKey | kms:CreateKey | Key container |
DescribeKey | kms:DescribeKey | Key |
UpdateKeyDescription | kms:UpdateKeyDescription | Key |
EnableKey | kms:EnableKey | Key |
DisableKey | kms:DisableKey | Key |
ScheduleKeyDeletion | kms:ScheduleKeyDeletion | Key |
CancelKeyDeletion | kms:CancelKeyDeletion | Key |
GetParametersForImport | kms:GetParametersForImport | Key |
ImportKeyMaterial | kms:ImportKeyMaterial | Key |
DeleteKeyMaterial | kms:DeleteKeyMaterial | Key |
ListAliases | kms:ListAliases | Alias container |
CreateAlias | kms:CreateAlias | Alias and key |
UpdateAlias | kms:UpdateAlias | Alias and key |
DeleteAlias | kms:DeleteAlias | Alias and key |
ListAliasesByKeyId | kms:ListAliasesByKeyId | Key |
CreateKeyVersion | kms:CreateKeyVersion | Key |
DescribeKeyVersion | kms:DescribeKeyVersion | Key |
ListKeyVersions | kms:ListKeyVersions | Key |
UpdateRotationPolicy | kms:UpdateRotationPolicy | Key |
Encrypt | kms:Encrypt | Key |
Decrypt | kms:Decrypt | Key |
ReEncrypt | kms:ReEncryptFrom and kms:ReEncryptTo (kms:ReEncrypt* covers both) | Key |
GenerateDataKey | kms:GenerateDataKey | Key |
GenerateDataKeyWithoutPlaintext | kms:GenerateDataKeyWithoutPlaintext | Key |
ExportDataKey | kms:ExportDataKey | Key |
GenerateAndExportDataKey | kms:GenerateAndExportDataKey | Key |
AsymmetricSign | kms:AsymmetricSign | Key |
AsymmetricVerify | kms:AsymmetricVerify | Key |
AsymmetricEncrypt | kms:AsymmetricEncrypt | Key |
AsymmetricDecrypt | kms:AsymmetricDecrypt | Key |
GetPublicKey | kms:GetPublicKey | Key |

- Secrets Manager API operations

Operation | Action | Resource type |
---|---|---|
CreateSecret | kms:CreateSecret | Secret container |
ListSecrets | kms:ListSecrets | Secret container |
DescribeSecret | kms:DescribeSecret | Secret |
DeleteSecret | kms:DeleteSecret | Secret |
UpdateSecret | kms:UpdateSecret | Secret |
RestoreSecret | kms:RestoreSecret | Secret |
GetSecretValue | kms:GetSecretValue and kms:Decrypt. Note: the permission on kms:Decrypt is required only when a self-managed CMK is specified as the encryption key for a generic secret. | Secret |
PutSecretValue | kms:PutSecretValue and kms:GenerateDataKey. Note: the permission on kms:GenerateDataKey is required only when a self-managed CMK is specified as the encryption key for a generic secret. | Secret |
ListSecretVersionIds | kms:ListSecretVersionIds | Secret |
UpdateSecretVersionStage | kms:UpdateSecretVersionStage | Secret |
GetRandomPassword | kms:GetRandomPassword | None |

- Certificates Manager API operations

Operation | Action | Resource type |
---|---|---|
CreateCertificate | kms:CreateCertificate | Certificate |
UploadCertificate | kms:UploadCertificate | Certificate |
GetCertificate | kms:GetCertificate | Certificate |
DescribeCertificate | kms:DescribeCertificate | Certificate |
UpdateCertificateStatus | kms:UpdateCertificateStatus | Certificate |
DeleteCertificate | kms:DeleteCertificate | Certificate |
CertificatePrivateKeySign | kms:CertificatePrivateKeySign | Certificate |
CertificatePublicKeyVerify | kms:CertificatePublicKeyVerify | Certificate |
CertificatePublicKeyEncrypt | kms:CertificatePublicKeyEncrypt | Certificate |
CertificatePrivateKeyDecrypt | kms:CertificatePrivateKeyDecrypt | Certificate |

- Tag management API operations

Operation | Action | Resource type |
---|---|---|
ListResourceTags | kms:ListResourceTags | Key or secret |
UntagResource | kms:UntagResource | Key or secret |
TagResource | kms:TagResource | Key or secret |
Policy conditions in KMS
You can add conditions to RAM policies to control access to KMS. A request is authorized only when every condition in the matching statement is met. For example, you can add an acs:CurrentTime condition to control the period during which a RAM policy is valid.
In addition to the global conditions, you can use tags as filters to limit the use of cryptographic API operations such as Encrypt, Decrypt, and GenerateDataKey. Tag filters must be in the kms:tag/<tag-key> format.
For more information, see Policy elements.
Examples of RAM policies
- RAM policy that allows users to access all KMS resources
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:*"],
      "Resource": ["*"]
    }
  ]
}
```
- RAM policy that allows users only to list and query keys, view aliases, and use keys
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": ["*"]
    }
  ]
}
```
- RAM policy that allows users to use keys that carry the following tag to perform cryptographic operations:
  - Tag key: Project
  - Tag value: Apollo

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": ["*"],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/Project": ["Apollo"]
        }
      }
    }
  ]
}
```
- RAM policy that allows users to access keys from the following IP addresses:
- CIDR block: 192.168.0.0/16
- IP address: 172.16.215.218
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:*"],
      "Resource": ["*"],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16",
            "172.16.215.218"
          ]
        }
      }
    }
  ]
}
```
- RAM policy that allows users only to query secrets, query versions and content of secrets, and generate random passwords
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:GetSecretValue",
        "kms:Decrypt",
        "kms:GetRandomPassword"
      ],
      "Resource": ["*"]
    }
  ]
}
```
- RAM policy that allows users only to query the details about certificates
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Get*"
      ],
      "Resource": ["*"]
    }
  ]
}
```
- RAM policy that allows users to generate and verify digital signatures by using specified certificates
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CertificatePrivateKeySign",
        "kms:CertificatePublicKeyVerify"
      ],
      "Resource": ["*"]
    }
  ]
}
```
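To make the Allow/Deny outcomes of the policies above concrete, here is an added Python evaluator, written for this page and not Alibaba Cloud's RAM engine, that replays the tag-scoped and source-IP policies plus a constructed key-scoped policy. It models only the '*' wildcard in Action/Resource and the StringEqualsIgnoreCase and IpAddress operators; the region, account and key ID in KEY_ARN are placeholders.

```python
# Added illustration, not Alibaba Cloud's engine: a minimal evaluator that mimics how
# RAM decides Allow/Deny for a KMS request. Only '*' wildcards and the operators
# StringEqualsIgnoreCase and IpAddress are modelled; values are lists as on this page.
import fnmatch
import ipaddress
from typing import Optional
# Tag-scoped and source-IP policies from this page, embedded for the demo.
TAG_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": ["*"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}
IP_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["kms:*"],
    "Resource": ["*"], "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}
# Constructed key-scoped policy: Resource names one key ARN (placeholder IDs) instead of "*".
KEY_ARN = "acs:kms:cn-hangzhou:123456789012:key/00000000-0000-0000-0000-placeholder"
KEY_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": [KEY_ARN]}]}

def _condition_ok(cond: dict, ctx: dict) -> bool:
    """All operator/key pairs must hold; a key absent from the request context fails."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "StringEqualsIgnoreCase":
                if actual.lower() not in [w.lower() for w in wanted]:
                    return False
            elif op == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(w, strict=False) for w in wanted):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled here")
    return True

def evaluate(policy: dict, action: str, resource: str, ctx: Optional[dict] = None) -> str:
    """Implicit deny unless an Allow statement matches; an explicit Deny always wins."""
    ctx, decision = ctx or {}, "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Every policy on this page uses Resource "*"; KEY_POLICY shows the same cryptographic actions pinned to one key ARN in the format from the resource table, so a request against any other key is denied.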