Creates a permission policy to configure the keys and secrets that are allowed to access.
Usage notes
To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):
1. Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule.
2. Create a permission policy: You can configure the keys and secrets that are allowed to access and bind access control rules to the keys and secrets.
3. Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. For more information, see CreateApplicationAccessPoint.
4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP. For more information, see CreateClientKey.
Debugging
Request parameters
Parameter |
Type |
Required |
Example |
Description |
Action | String | Yes | CreatePolicy | The operation that you want to perform. Set the value to CreatePolicy. |
Name | String | Yes | policy_test | The name of the permission policy. |
Description | String | No | policy description | The description. |
KmsInstance | String | No | kst-hzz634e67d126u9p9**** | The scope of the permission policy. You need to specify the KMS instance that you want to access. |
Permissions | String | Yes | ["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"] | The operations that can be performed. Valid values:
You can select both. |
Resources | String | Yes | ["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"] | The key and secret that are allowed to access.
|
AccessControlRules | Map | No | {"NetworkRules":["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]} | The name of the access control rule. Note For more information about how to query created access control rules, see ListNetworkRules. |
Response parameters
Parameter |
Type |
Example |
Description |
RequestId | String | 3bf02f7a-015b-4f34-be0f-c4543fda2d33 | The ID of the request, which is used to locate and troubleshoot issues. |
Arn | String | acs:kms:cn-hangzhou:119285303511****:policy/policy_test | The ARN of the permission policy. |
Name | String | policy_test | The name of the permission policy. |
Description | String | policy description | The description. |
KmsInstance | String | kst-hzz634e67d126u9p9**** | The scope of the permission policy. |
Permissions | String | ["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"] | The operations that can be performed. |
Resources | String | ["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"] | The key and secret that are allowed to access.
|
AccessControlRules | String | {"NetworkRules":["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]} | The name of the access control rule. |
Examples
Sample requests
http(s)://[Endpoint]/?Action=CreatePolicy
&Name=policy_test
&Description=policy description
&KmsInstance=kst-hzz634e67d126u9p9****
&Permissions=["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
&Resources=["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]
&Common request parameters
Sample success responses
XML
format
HTTP/1.1 200 OK
Content-Type:application/xml
<CreatePolicyResponse>
<RequestId>3bf02f7a-015b-4f34-be0f-c4543fda2d33</RequestId>
<Arn>acs:kms:cn-hangzhou:119285303511****:policy/policy_test</Arn>
<Name>policy_test</Name>
<Description>policy description</Description>
<KmsInstance>kst-hzz634e67d126u9p9****</KmsInstance>
<Permissions>["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]</Permissions>
<Resources>["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]</Resources>
<AccessControlRules>{"NetworkRules":["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]}</AccessControlRules>
</CreatePolicyResponse>
JSON
format
HTTP/1.1 200 OK
Content-Type:application/json
{
"RequestId" : "3bf02f7a-015b-4f34-be0f-c4543fda2d33",
"Arn" : "acs:kms:cn-hangzhou:119285303511****:policy/policy_test",
"Name" : "policy_test",
"Description" : "policy description",
"KmsInstance" : "kst-hzz634e67d126u9p9****",
"Permissions" : "[\"RbacPermission/Template/CryptoServiceKeyUser\", \"RbacPermission/Template/CryptoServiceSecretUser\"]",
"Resources" : "[\"secret/acs/ram/user/ram-secret\", \"secret/acs/ram/user/acr-master\", \"key/key-hzz63d9c8d3dfv8cv****\"]",
"AccessControlRules" : "{\"NetworkRules\":[\"kst-hzz62ee817bvyyr5x****.efkd\",\"kst-hzz62ee817bvyyr5x****.eyyp\"]}"
}
Error codes
HTTP status code |
Error code |
Error message |
Description |
400 | InvalidParameter | The specified parameter is not valid. | The specified parameter is invalid. |
404 | InvalidAccessKeyId.NotFound | The Access Key ID provided does not exist in our records. | The specified AccessKey ID does not exist. |
For a list of error codes, see Service error codes.