You can add or remove Resource Access Management (RAM) users and RAM roles to or from a key policy to set the administrators and users of a key. This topic describes how to configure a key policy.
Precautions
You can configure key policies only for keys in Key Management Service (KMS) instances. You can configure a key policy when you create a key or after a key is created. For information about how to configure a key policy when you create a key, see Create a key. This topic describes how to configure a key policy after a key is created.
The content of a key policy cannot exceed 32,768 bytes in length and must be in the JSON format.
When you configure a key policy in the KMS console, you can use the default policy or configure a custom policy. If you configure a custom policy, you can set RAM users or RAM roles as administrators and users of the key, and set cross-account users. If you want to configure a more fine-grained key policy, for example, to allow users only to perform encryption or decryption operations with the key, you can call an API operation.
The following list describes the operations that can be configured in a key policy. If you configure an operation that is not in the list, the setting does not take effect.
"Action": [
  "kms:List*",
  "kms:Describe*",
  "kms:Create*",
  "kms:Enable*",
  "kms:Disable*",
  "kms:Get*",
  "kms:Set*",
  "kms:Update*",
  "kms:Delete*",
  "kms:Cancel*",
  "kms:TagResource",
  "kms:UntagResource",
  "kms:ImportKeyMaterial",
  "kms:ScheduleKeyDeletion",
  "kms:Encrypt",
  "kms:Decrypt",
  "kms:GenerateDataKey",
  "kms:GenerateAndExportDataKey",
  "kms:AsymmetricEncrypt",
  "kms:AsymmetricDecrypt",
  "kms:DescribeKey",
  "kms:DescribeKeyVersion",
  "kms:ListKeyVersions",
  "kms:ListAliasesByKeyId",
  "kms:TagResource"
]
If you want to allow a RAM user or RAM role in another Alibaba Cloud account to use the key, you must configure a key policy in the KMS console and configure a permission policy in the RAM console. For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.
Prerequisites
A software-protected key or hardware-protected key is created in the KMS instance. For more information, see Create a key.
Configure a key policy in the KMS console
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Keys tab, find the key for which you want to configure a policy. Click the key ID or click Details in the Actions column that corresponds to the key.
On the Key Policy tab of the details page, click Configure Key Policy. In the Key Policy panel, configure the policy. Then, click OK.
In the Key Policy panel, you can set Administrator, User, and Cross-account User for the key.
An administrator can manage the key but cannot use the key to perform cryptographic operations. You can select RAM users and RAM roles in the current Alibaba Cloud account as the administrators of the key.
A user can only use the key to perform cryptographic operations. You can select RAM users and RAM roles in the current Alibaba Cloud account as the users of the key.
A cross-account user can use the key to perform cryptographic operations. A cross-account user can be a RAM user or RAM role of other Alibaba Cloud accounts.
Important: If you grant permissions to RAM users or RAM roles of other Alibaba Cloud accounts to use the key, the Access Management Quota of the KMS instance is consumed based on the number of Alibaba Cloud accounts. If you cancel the authorization, wait for about 5 minutes and then check the quota. The consumed quota is returned.
RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser
RAM role: The name of the RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole
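The following added example (not part of this documentation or of the KMS product) shows a pre-flight check for a custom key policy before it is submitted through the API: it enforces the 32,768-byte JSON limit, flags any "Action" entry that is not covered by the list of configurable operations above, validates that every principal uses the acs:ram::<userId>:user/... or :role/... format, and reports principals from other Alibaba Cloud accounts because they consume Access Management Quota. The statement shape ("Principal": {"RAM": [...]}) and the sample account IDs are assumptions constructed for this example.

```python
import fnmatch
import json
import re

# Operations a key policy can grant (the list above); any other action is ignored by KMS.
SUPPORTED_ACTIONS = [
    "kms:List*", "kms:Describe*", "kms:Create*", "kms:Enable*", "kms:Disable*",
    "kms:Get*", "kms:Set*", "kms:Update*", "kms:Delete*", "kms:Cancel*",
    "kms:TagResource", "kms:UntagResource", "kms:ImportKeyMaterial",
    "kms:ScheduleKeyDeletion", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateAndExportDataKey", "kms:AsymmetricEncrypt", "kms:AsymmetricDecrypt",
    "kms:DescribeKey", "kms:DescribeKeyVersion", "kms:ListKeyVersions",
    "kms:ListAliasesByKeyId",
]
MAX_POLICY_BYTES = 32768
# acs:ram::<userId>:user/<ramuser> or acs:ram::<userId>:role/<ramrole>
PRINCIPAL_RE = re.compile(r"^acs:ram::(\d+):(user|role)/[\w.@-]+$")


def check_key_policy(policy_text, own_account_id):
    """Return findings for a key policy document (empty list = nothing flagged).
    Assumed statement shape: {"Effect", "Principal": {"RAM": [...]}, "Action": [...], "Resource"}."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds 32,768 bytes")
    try:
        policy = json.loads(policy_text)
    except ValueError as exc:
        return findings + [f"policy is not valid JSON: {exc}"]
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            # An action is accepted if it is listed verbatim or covered by a listed wildcard.
            if not any(fnmatch.fnmatchcase(action, pat) for pat in SUPPORTED_ACTIONS):
                findings.append(f"statement {i}: {action!r} is not configurable, will not take effect")
        for p in stmt.get("Principal", {}).get("RAM", []):
            m = PRINCIPAL_RE.match(p)
            if not m:
                findings.append(f"statement {i}: {p!r} is not a RAM user/role in acs:ram:: format")
            elif m.group(1) != own_account_id:
                findings.append(f"statement {i}: {p!r} is cross-account and consumes Access Management Quota")
    return findings


OWN_ACCOUNT = "1234567890123456"  # constructed account ID for this example
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [  # constructed sample policy
    {"Effect": "Allow", "Principal": {"RAM": [f"acs:ram::{OWN_ACCOUNT}:user/testpolicyuser"]},
     "Action": ["kms:List*", "kms:Describe*", "kms:Update*", "kms:ScheduleKeyDeletion"], "Resource": ["*"]},
    {"Effect": "Allow", "Principal": {"RAM": ["acs:ram::6543210987654321:role/testpolicyrole",
                                              "acs:ram::6543210987654321:group/admins"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:*"], "Resource": ["*"]}]})
```

Running check_key_policy(SAMPLE_POLICY, OWN_ACCOUNT) flags the broad "kms:*" entry, the cross-account role and the malformed group principal in the second statement, while the administrator statement passes.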