A condition key specifies the circumstances under which authorization is valid. You can define condition keys in key policies, secret policies, and custom RAM policies to manage access to KMS. This topic outlines the common condition keys for Alibaba Cloud and those specific to KMS.
For key and secret policies, the Principal field is mandatory. However, for custom RAM policies, this field may be omitted.
Alibaba Cloud common condition keys
acs:SourceIp
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
acs:SourceIp | The client IP address of the user request, which only includes public IP addresses. | String | All OpenAPI operations of KMS. For a specific list, see API overview. | IP address. For example: | |
RAM policy example
Permits the generation of data keys only if the request originates from the IP address range 116.62.XX.XX/24.
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": "116.62.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}
Key/secret policy example
Grants access solely to RAM user ramuser1 and only from IP address 203.0.XX.XX.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "203.0.XX.XX"
          ]
        }
      }
    }
  ]
}
acs:SourceVpc
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
acs:SourceVpc | The VPC to which the client of the user request belongs. This condition key is valid only when the request comes from the Alibaba Cloud VPC network. | String | All OpenAPI operations of KMS. For a specific list, see API overview. | VPC ID. For example, vpc-bp1717bgs34gj****. | |
Limits:
- All actions in the Statement field of the policy must begin with kms:, for example, "Action":"kms:*" or "Action":"kms:GenerateDataKey". Using "Action":"*" or "Action":"k*" is not permitted.
- This condition key is only available in certain regions.
Key/secret policy example: Grants access only to RAM user ramuser1 and only from vpc-bp1l8j1t3l3j5****.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-bp1l8j1t3l3j5****"
          ]
        }
      }
    }
  ]
}
acs:VpcSourceIp
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
acs:VpcSourceIp | The client IP address of the user request. This condition key is valid only when the request comes from the Alibaba Cloud VPC network. | String | All OpenAPI operations of KMS. For a specific list, see API overview. | IP address in the VPC. For example: | |
Limits: This condition key is only available in certain regions.
RAM policy example
Authorizes data key generation only for requests that come from vpc-bp1717bghfnkqg5wn**** and, within that VPC, from the 172.168.XX.XX/24 CIDR block. Both condition blocks must match.
{
  "Statement": [
    {
      "Action": "kms:GenerateDataKey",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": "vpc-bp1717bghfnkqg5wn****"
        },
        "IpAddress": {
          "acs:VpcSourceIp": "172.168.XX.XX/24"
        }
      }
    }
  ],
  "Version": "1"
}
Key/secret policy example
Grants access exclusively to RAM user ramuser1 and only from the VPC IP address 192.168.XX.XX.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:VpcSourceIp": [
            "192.168.XX.XX"
          ]
        }
      }
    }
  ]
}
acs:SecureTransport
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
acs:SecureTransport | Specifies whether a secure channel (HTTPS) is used to send the request. | Boolean | All OpenAPI operations of KMS. For a specific list, see API overview. | | |
RAM policy example
Allows users to perform any action on all KMS resources, provided the request is sent over a secure transport protocol (HTTPS).
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}
Key/secret policy example
Grants access solely to RAM user ramuser1, and only over a secure channel (HTTPS).
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:SecureTransport": "true"
        }
      }
    }
  ]
}
acs:CurrentTime
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
acs:CurrentTime | The time when the server receives the request. | Date and time | All OpenAPI operations of KMS. For a specific list, see API overview. | Specify the time in the ISO 8601 standard. The time must be in UTC. For example, 20:00:00 on January 10, 2024, Beijing time is represented as | |
Key/secret policy example: Grants access only to RAM user ramuser1, and only until 2099-12-31T12:00:00Z.
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "acs:CurrentTime": "2099-12-31T12:00:00Z"
        }
      }
    }
  ]
}
acs:MFAPresent
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
acs:MFAPresent | Specifies whether multi-factor authentication (MFA) was used during user logon. | Boolean | All OpenAPI operations of KMS. For a specific list, see API overview. | | |
Key/secret policy example: Grants access only to RAM user ramuser1, and only when the user logged on with multi-factor authentication (MFA).
{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms policy",
      "Effect": "Allow",
      "Action": "kms:*",
      "Principal": {
        "RAM": [
          "acs:ram::1192853035****:user/ramuser1"
        ]
      },
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": [
            "true"
          ]
        }
      }
    }
  ]
}
KMS product condition keys (key-related)
kms:tag
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:tag | Allows you to manage permissions on API operations based on key tags. | String | | Custom key tag. | |
kms:EncryptionAlgorithm
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:EncryptionAlgorithm | Allows you to manage permissions on cryptographic operations based on the encryption algorithm specified in requests. | String | | Encryption algorithm, such as SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_256, and ECIES_DH_SHA_1_XOR_HMAC. For more information about encryption algorithms supported by KMS, see Key management types and key specifications. | |
For instance, the following statement restricts RAM user key_ramuser1 to the RSAES_OAEP_SHA_256 algorithm for encryption, decryption, and re-encryption with this asymmetric key. It is an explicit Deny: kms:Encrypt, kms:Decrypt, and kms:ReEncrypt are refused whenever the kms:EncryptionAlgorithm in the request is anything other than RSAES_OAEP_SHA_256, and an explicit Deny overrides any Allow granted elsewhere.
{
  "Sid": "Allow only one encryption algorithm with this asymmetric KMS key",
  "Effect": "Deny",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:user/key_ramuser1"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
    }
  }
}
kms:EncryptionContext:${EncryptionContextKey}
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:EncryptionContext:${EncryptionContextKey} | Allows you to manage permissions on symmetric keys in KMS based on the encryption context of encryption operations. You can configure permissions based on key-value pairs in the encryption context. | String | | Custom encryption context. | |
For instance, the following statement allows all RAM users of Alibaba Cloud account 119285303511**** to generate data keys (kms:GenerateDataKey) when the value of Project in the encryption context (kms:EncryptionContext:Project) is ProjectA.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:Project": "ProjectA"
    }
  }
}
kms:EncryptionContextKeys
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:EncryptionContextKeys | Allows you to manage permissions on symmetric keys in KMS based on the encryption context of encryption operations. You can configure permissions based on the keys in the encryption context. | Array of strings | | Keys of the key-value pairs included in EncryptionContext. | Key policy |
For instance, the following statement allows all RAM users of Alibaba Cloud account 119285303511**** to generate data keys (kms:GenerateDataKey) when the key name Project is present in the encryption context.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": [
      "acs:ram::119285303511****:*"
    ]
  },
  "Action": "kms:GenerateDataKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContextKeys": "Project"
    }
  }
}
kms:ExpirationModel
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:ExpirationModel | Allows you to manage permissions on the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in requests. | String | ImportKeyMaterial | | |
For instance, the following statement allows all RAM users of Alibaba Cloud account 119285303511**** to import key material (kms:ImportKeyMaterial) only if the expiration model of the key material is KEY_MATERIAL_DOES_NOT_EXPIRE.
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"
    }
  }
}
kms:ValidTo
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:ValidTo | Allows you to manage permissions on the ImportKeyMaterial operation based on the value of the ValidTo parameter in requests. You can use the condition key to allow users to import key material only before a specific date. | Date | ImportKeyMaterial | UNIX timestamp | |
For instance, the following statement allows all RAM users of Alibaba Cloud account 119285303511**** to import key material only if its ValidTo timestamp is no later than June 20, 2024 (UNIX timestamp 1718841600).
{
  "Effect": "Allow",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Action": "kms:ImportKeyMaterial",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ValidTo": "1718841600"
    }
  }
}
kms:KeyOrigin
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:KeyOrigin | Allows you to manage permissions on API operations based on the Origin attribute of the keys created by or used in those operations. You can use the condition key to manage permissions on the CreateKey operation or on key-related operations. | String | All key-related operations. For a specific list, see API overview. | | |
kms:KeySpec
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:KeySpec | Allows you to manage permissions on API operations based on the KeySpec attribute of the keys created by or used in those operations. | String | All key-related operations. For a specific list, see API overview. | Key specifications. Example: Aliyun_AES_256 and RSA_2048. For more information about key specifications supported by KMS, see Key management types and key specifications. | |
For instance, the following statement permits all RAM users and roles of Alibaba Cloud account 119285303511**** to create keys (kms:CreateKey), but only RSA keys: the StringLike operator matches any KeySpec that starts with RSA_.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Principal": {
    "RAM": "acs:ram::119285303511****:*"
  },
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:KeySpec": "RSA_*"
    }
  }
}
kms:KeyUsage
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:KeyUsage | Allows you to manage permissions on API operations based on the KeyUsage attribute of the keys created by or used in those operations. | String | All key-related operations. For a specific list, see API overview. | | |
For instance, the following statement allows the creation of keys (kms:CreateKey), but only keys whose usage is ENCRYPT_DECRYPT.
{
  "Effect": "Allow",
  "Action": "kms:CreateKey",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:KeyUsage": "ENCRYPT_DECRYPT"
    }
  }
}
kms:ScheduleKeyDeletionPendingWindowInDays
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:ScheduleKeyDeletionPendingWindowInDays | Allows you to manage permissions on the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in requests. | Numeric value | ScheduleKeyDeletion | Scheduled deletion period of a key. Unit: days. | |
For instance, the following statement denies all users and roles the ability to schedule key deletion (kms:ScheduleKeyDeletion) if the requested pending deletion window is 21 days or less.
{
  "Effect": "Deny",
  "Action": "kms:ScheduleKeyDeletion",
  "Principal": "*",
  "Resource": "*",
  "Condition": {
    "NumericLessThanEquals": {
      "kms:ScheduleKeyDeletionPendingWindowInDays": "21"
    }
  }
}
kms:SigningAlgorithm
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:SigningAlgorithm | Allows you to manage permissions on the Sign and Verify operations based on the signing algorithm specified in requests. | String | | Signing algorithm. Examples: RSA_PSS_SHA_256 and ECDSA_SHA_256. For more information about supported signing algorithms, see Key management types and key specifications. | |
kms:WrappingAlgorithm
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:WrappingAlgorithm | Allows you to manage permissions on the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in requests. | String | GetParametersForImport | Wrapping algorithm. For more information about wrapping algorithms supported by KMS, see Import symmetric key material and Import asymmetric key material. | |
kms:WrappingKeySpec
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:WrappingKeySpec | Allows you to manage permissions on the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in requests. | String | GetParametersForImport | Type of the wrapping public key. For more information about wrapping public key types supported by KMS, see Import symmetric key material and Import asymmetric key material. | |
KMS product condition keys (secret-related)
kms:tag
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:tag | Allows you to manage permissions on API operations based on secret tags. | String | | Custom secret tag. | |
kms:SecretName
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:SecretName | Allows you to manage permissions on API operations based on the value of the SecretName parameter in requests. | String | All secret-related operations. For a specific list, see API overview. | Custom secret name. | |
kms:EncryptionKeyId
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:EncryptionKeyId | Allows you to manage permissions on API operations based on the ID of the encryption key specified in secret access requests. | String | | Key ID. | |
kms:SecretVersionId
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:SecretVersionId | Allows you to manage permissions on API operations based on the unique secret version ID specified in requests. | String | | The version number of the secret. | |
kms:SecretVersionStage
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:SecretVersionStage | Allows you to manage permissions on API operations based on the secret version stage specified in requests. | String | | | |
kms:SecretType
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:SecretType | Allows you to manage permissions on API operations based on the secret type specified in requests. | String | All secret-related operations. For a specific list, see API overview. | | |
kms:ForceDeleteWithoutRecovery
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:ForceDeleteWithoutRecovery | Specifies whether the secret is forcibly deleted. If this parameter is set to true, the secret cannot be recovered. | Boolean | DeleteSecret | | |
kms:RecoveryWindowInDays
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:RecoveryWindowInDays | Specifies the recovery period of the secret when it is not forcibly deleted. Unit: days. | Numeric value | DeleteSecret | Number of days. | |
For instance, the following policy denies all users and roles the kms:DeleteSecret operation if the requested recovery window is 10 days or less.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:DeleteSecret",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThanEquals": {
          "kms:RecoveryWindowInDays": "10"
        }
      }
    }
  ]
}
KMS product condition keys (others)
kms:TlsVersion
Condition key | Description | Condition operation type | API operation | Value range | Policy type |
kms:TlsVersion | Allows you to manage permissions on API operations based on the TLS version of the request. | String | All operations that require authentication. Operations that do not involve authentication, such as DescribeRegions, are not covered. | 1.2 | |
For instance, the following policy denies every operation on the specified key if the TLS version of the request is lower than 1.2.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:*",
      "Resource": "acs:kms:*:*:key/key-hzz653f1f8fybn5qa****",
      "Condition": {
        "NumericLessThan": {
          "kms:TlsVersion": [
            "1.2"
          ]
        }
      }
    }
  ]
}
Appendix 1: Description of condition operation types
Condition operators fall into the following categories: string, number, date and time, Boolean, and IP address.
Category | Condition operator |
String | |
Number | |
Date and time | |
Boolean | Bool |
IP address | |
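The operator categories in this appendix, together with the combination rules the examples above rely on (condition blocks ANDed, value lists ORed, explicit Deny overriding Allow), can be exercised offline with the small evaluator below. It is an added illustration written for this page, not Alibaba Cloud's policy engine; the request-context layout, the omission of Principal and Resource matching, and the constructed policy values (the 172.168.0.0/24 block, the recovery-window Deny) are assumptions.

```python
import fnmatch
import ipaddress

# operator name -> (request-context value, one policy value) -> bool
# Dates are ISO 8601 UTC strings of one fixed form, so they compare as text.
OPERATORS = {
    "StringEquals": lambda c, p: c == p,
    "StringNotEquals": lambda c, p: c != p,
    "StringLike": lambda c, p: fnmatch.fnmatchcase(c, p),
    "NumericLessThan": lambda c, p: float(c) < float(p),
    "NumericLessThanEquals": lambda c, p: float(c) <= float(p),
    "DateLessThan": lambda c, p: c < p,
    "Bool": lambda c, p: str(c).lower() == str(p).lower(),
    "IpAddress": lambda c, p: ipaddress.ip_address(c) in ipaddress.ip_network(p),
}


def condition_matches(condition, ctx):
    """Operator blocks and keys are ANDed. A value list under one key is ORed,
    except for negated operators (StringNotEquals, ...) where every value must
    pass. A key absent from the request context never matches."""
    for op, keys in condition.items():
        agg = all if "Not" in op else any
        for key, values in keys.items():
            if key not in ctx:
                return False
            values = [values] if isinstance(values, str) else values
            if not agg(OPERATORS[op](ctx[key], v) for v in values):
                return False
    return True


def evaluate(policy, action, ctx):
    """Explicit Deny beats Allow; no matching statement is an implicit deny.
    Principal and Resource matching are left out (the examples use "*")."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed policy: the page's VPC-restricted GenerateDataKey statement, an
# unconditional Allow on DeleteSecret, and a Deny on short recovery windows.
POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": "*",
     "Condition": {"StringEquals": {"acs:SourceVpc": "vpc-bp1717bghfnkqg5wn****"},
                   "IpAddress": {"acs:VpcSourceIp": "172.168.0.0/24"}}},
    {"Effect": "Allow", "Action": "kms:DeleteSecret", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:DeleteSecret", "Resource": "*",
     "Condition": {"NumericLessThanEquals": {"kms:RecoveryWindowInDays": "10"}}},
]}
```

In this evaluator a Deny keyed on a request parameter does not fire when the request omits that parameter, so a rule on kms:RecoveryWindowInDays alone says nothing about forced deletion; that is what kms:ForceDeleteWithoutRecovery is listed for.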