Use RAM for KMS resource authorization

Last Updated: Mar 14, 2017

The CMK you create is your own resource. By default, you have full operation permissions on your resources, and can use all APIs described in this document to perform operations on your resources.

However, in scenarios where a primary account has a sub-account, you cannot use an unauthorized sub-account to perform operations on the resources of the primary account. You need to grant the permission to the sub-account to perform operations on the resources for the primary account through RAM authorization.

Before learning how to use RAM to authorize a sub-account and access the CMK, ensure that you have carefully read RAM Product documentation and API documentation.

Type of KMS resources that can be authorized in RAM

Currently, there are two types of key resources in KMS, whose arn formats are as follows:

  1. acs:kms:${region-id}:${resource-owner-id}:key/${key-uuid}
  2. acs:kms:${region-id}:${resource-owner-id}:key

The following lists the main operations in KMS:

  • Create a key.
    • CreateKey
  • Generate a data key.
    • GenerateDataKey
  • Encrypt.
    • Encrypt
  • Decrypt data.
    • Decrypt
  • View the key details.
    • DescribeKey
  • List the key.
    • ListKeys

The following are respectively Action and Resource corresponding to RAM in the authorization:

Api Action Resource
CreateKey kms:CreateKey acs:kms:$regionid:${resource-owner-id}:key
ListKeys kms:ListKeys acs:kms:$regionid:${resource-owner-id}:key
GenerateDataKey kms:GenerateDataKey acs:kms:$regionid:${resource-owner-id}:key/${keyid}
Encrypt kms:Encrypt acs:kms:$regionid:${resource-owner-id}:key/${keyid}
Decrypt kms:Decrypt acs:kms:$regionid:${resource-owner-id}:key/${keyid}
DescribeKey kms:DescribeKey acs:kms:$regionid:${resource-owner-id}:key/${keyid}
EnableKey kms:EnableKey acs:kms:$regionid:${resource-owner-id}:key/${keyid}
DisableKey kms:DisableKey acs:kms:$regionid:${resource-owner-id}:key/${keyid}
ScheduleKeyDeletion kms:ScheduleKeyDeletion acs:kms:$regionid:${resource-owner-id}:key/${keyid}
CancelKeyDeletion kms:CancelKeyDeletion acs:kms:$regionid:${resource-owner-id}:key/${keyid}
Thank you! We've received your feedback.