
Control access to different encryption parameters from a RAM user

Last Updated: Jun 25, 2021

The parameter store feature of Operation Orchestration Service (OOS) lets you maintain sensitive data as encryption parameters: the values are stored and displayed in encrypted form and are retrieved only when they are needed. An Alibaba Cloud account often contains several Resource Access Management (RAM) users, and not every encrypted value should be readable by every RAM user. This topic describes how to grant a RAM user permissions that are scoped to specific encryption parameters.

Procedure

  1. Create encryption parameters

    1. Log on to the Operation Orchestration Service (OOS) console.

    2. Create the group1/para and group2/para encryption parameters. For more information, see Create encryption parameters.

  2. Configure a policy

    1. Log on to the RAM console.

    2. Create a policy.

      In the RAM console, choose Policies > Create Policy. On the Create Custom Policy page, enter a name for the policy and select Script in the Configuration Mode field. Then, copy the following sample policy to the Policy Document field. The sample policy allows a RAM user to query the details of encryption parameters whose names start with group1/ and to list all encryption parameters. To instead grant a RAM user permission to query the values of all encryption parameters, see Appendix 1: Policy.

      Notice

      The value of an encryption parameter is stored as a Key Management Service (KMS) secret, so the policy must grant the matching KMS permission (kms:GetSecretValue on the corresponding secret/oos/... resource) in addition to the OOS permissions. Without the KMS grant, the RAM user cannot read the parameter value even though the OOS statement matches.

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "oos:GetSecretParameter",
                      "oos:ListSecretParameters",
                      "kms:GetSecretValue"
                  ],
                  "Resource": [
                      "acs:oos:*:1234************:secretparameter/group1/*",
                      "acs:kms:*:1234************:secret/oos/group1/*"
                  ],
                  "Condition": {}
              }
          ]
      }
    3. Attach the preceding custom policy to a RAM user. For more information about how to attach a custom policy to a RAM user or a RAM role, see Authorize a RAM user or Authorize a RAM role.

  3. After you configure the policy, check whether you can query the details about encryption parameters.

    1. Configure Alibaba Cloud CLI with the AccessKey pair of the RAM user to which you attached the policy, instead of the AccessKey pair of the Alibaba Cloud account. When you use Alibaba Cloud CLI to query the details of the group1/para encryption parameter, the request succeeds. For more information, see Use Alibaba Cloud CLI to call the OOS API.

    2. When you use Alibaba Cloud CLI to query the details of the group2/para encryption parameter, the request fails and an error is returned that indicates that the RAM user does not have the required permissions.

  4. Summarize the results after you configure and apply the policy.

    You configured a policy that allows access only to encryption parameters whose names start with group1/ and attached it to a RAM user. As a result: 1. The RAM user can query only encryption parameters whose names start with group1/. 2. When the RAM user queries the group2/para encryption parameter, the request fails and an error is returned that indicates that the RAM user does not have the required permissions.
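    The following script is an added example and not Alibaba Cloud code. It dry-runs the two policies on this page locally, so you can see which requests the resource patterns admit before attaching a policy and testing with the CLI. It reproduces only the two rules of RAM policy evaluation the demonstration depends on, which are assumptions about the RAM policy language: "*" in an Action or Resource pattern matches any run of characters, and a request is allowed only when an Allow statement matches both its action and its resource and no Deny statement does (default deny). The 16-digit account ID, the region, the policy names GROUP1_POLICY, ALL_POLICY and OOS_ONLY_POLICY, and the helper functions are constructed for the example; the KMS secret name oos/<parameter name> is taken from the page's KMS resource pattern.

```python
"""Local dry run of the RAM policies on this page (added example, not Alibaba Cloud code).

Assumed RAM evaluation rules: "*" matches any run of characters in an Action or
Resource pattern; default deny; a matching Deny wins; otherwise a matching Allow
allows. Account ID, region and policy names below are constructed placeholders.
"""
import re

ACCOUNT = "1234567890123456"   # constructed 16-digit account ID, not a real one
REGION = "cn-hangzhou"         # constructed; the page's policies use "*" for the region


def _policy(oos_prefix: str, kms_prefix: str) -> dict:
    """Build the policy shape used on the page with the given resource suffixes."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oos:GetSecretParameter", "oos:ListSecretParameters",
                       "kms:GetSecretValue"],
            "Resource": [f"acs:oos:*:{ACCOUNT}:secretparameter/{oos_prefix}",
                         f"acs:kms:*:{ACCOUNT}:secret/oos/{kms_prefix}"],
            "Condition": {},
        }],
    }


GROUP1_POLICY = _policy("group1/*", "group1/*")   # the policy from step 2
ALL_POLICY = _policy("*", "*")                     # the policy from Appendix 1
# Same as GROUP1_POLICY but without the KMS grant the Notice says is required.
OOS_ONLY_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oos:GetSecretParameter", "oos:ListSecretParameters"],
        "Resource": [f"acs:oos:*:{ACCOUNT}:secretparameter/group1/*"],
        "Condition": {},
    }],
}


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Escape a RAM pattern as a regex, turning "*" into ".*".
    Runs of "*" are collapsed first so a masked ID such as 1234************
    cannot turn into a backtracking-heavy chain of wildcards."""
    parts = [re.escape(p) for p in re.sub(r"\*+", "*", pattern).split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def _matches(patterns, value: str) -> bool:
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(_pattern_to_regex(p).match(value) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; any matching Deny wins; otherwise a matching Allow allows."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_read_secret_parameter(policy: dict, name: str, region: str = REGION) -> bool:
    """Reading an encryption parameter needs the OOS call and, because the value
    lives in the KMS secret oos/<name> (per the page's resource pattern), the KMS call."""
    oos_arn = f"acs:oos:{region}:{ACCOUNT}:secretparameter/{name}"
    kms_arn = f"acs:kms:{region}:{ACCOUNT}:secret/oos/{name}"
    return (is_allowed(policy, "oos:GetSecretParameter", oos_arn)
            and is_allowed(policy, "kms:GetSecretValue", kms_arn))


if __name__ == "__main__":
    # group10/para starts with "group1" but not "group1/", so it stays out of scope.
    for name in ("group1/para", "group1/sub/para", "group10/para", "group2/para"):
        print(f"{name:16} group1: {can_read_secret_parameter(GROUP1_POLICY, name)!s:5} "
              f"all: {can_read_secret_parameter(ALL_POLICY, name)!s:5} "
              f"oos-only: {can_read_secret_parameter(OOS_ONLY_POLICY, name)}")
```

    Two details the dry run makes visible that the procedure alone does not: the pattern secretparameter/group1/* admits nested names such as group1/sub/para but not group10/para, so the scope is the group1/ path prefix rather than the string group1; and dropping the KMS statement denies the read of group1/para even though the OOS statement still matches, which is the point of the Notice above.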

Appendix 1: Policy

  1. The following policy can be used to allow a RAM user to access all encryption parameters.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oos:GetSecretParameter",
                    "oos:ListSecretParameters",
                    "kms:GetSecretValue"
                ],
                "Resource": [
                    "acs:oos:*:1234************:secretparameter/*",
                    "acs:kms:*:1234************:secret/oos/*"
                ],
                "Condition": {}
            }
        ]
    }