KMS uses RAM to control access to resources. This topic describes the resource types, actions, and policy conditions in KMS.

An Alibaba Cloud account has full operation permissions on its own resources. RAM users and RAM roles obtain permissions on those resources only through RAM authorization. Before you use RAM to authorize access to CMKs, make sure that you have read What is RAM and API overview.

Resource types in KMS

The following table lists all resource types and corresponding Alibaba Cloud Resource Names (ARNs) in KMS. They can be used in the Resource parameter of a RAM policy.

Resource type     ARN
Key container     acs:kms:${region}:${account}:key
Alias container   acs:kms:${region}:${account}:alias
Key               acs:kms:${region}:${account}:key/${key-id}
Alias             acs:kms:${region}:${account}:alias/${alias-name}

Actions in KMS

KMS defines a RAM action for each API operation that requires access control. Actions must be in the kms:${api-name} format.
Note: The DescribeRegions API operation requires no access control. It can be called by any Alibaba Cloud account, RAM user, or RAM role that passes RAM authentication.

The following table lists the relationship between KMS API operations, RAM actions, and resource types.

Operation                         Action                                 Resource type
ListKeys                          kms:ListKeys                           Key container
CreateKey                         kms:CreateKey                          Key container
DescribeKey                       kms:DescribeKey                        Key
UpdateKeyDescription              kms:UpdateKeyDescription               Key
EnableKey                         kms:EnableKey                          Key
DisableKey                        kms:DisableKey                         Key
ScheduleKeyDeletion               kms:ScheduleKeyDeletion                Key
CancelKeyDeletion                 kms:CancelKeyDeletion                  Key
GetParametersForImport            kms:GetParametersForImport             Key
ImportKeyMaterial                 kms:ImportKeyMaterial                  Key
DeleteKeyMaterial                 kms:DeleteKeyMaterial                  Key
Encrypt                           kms:Encrypt                            Key
GenerateDataKey                   kms:GenerateDataKey                    Key
GenerateDataKeyWithoutPlaintext   kms:GenerateDataKeyWithoutPlaintext    Key
Decrypt                           kms:Decrypt                            Key
ListAliases                       kms:ListAliases                        Alias container
CreateAlias                       kms:CreateAlias                        Alias and key
UpdateAlias                       kms:UpdateAlias                        Alias and key
DeleteAlias                       kms:DeleteAlias                        Alias and key
ListAliasesByKeyId                kms:ListAliasesByKeyId                 Key
TagResource                       kms:TagResource                        Key
UntagResource                     kms:UntagResource                      Key
ListResourceTags                  kms:ListResourceTags                   Key
DescribeKeyVersion                kms:DescribeKeyVersion                 Key
ListKeyVersions                   kms:ListKeyVersions                    Key
UpdateRotationPolicy              kms:UpdateRotationPolicy               Key

Policy conditions in KMS

You can add conditions to RAM policies to control access to KMS. A policy statement takes effect only when all of its specified conditions are met. For example, you can use acs:CurrentTime to restrict the time period during which a RAM policy is valid.

In addition to global conditions, you can use the tags on a key as filters to restrict key-related API operations such as Encrypt, Decrypt, and GenerateDataKey to specific keys. Tag filters use condition keys in the kms:tag/${tag-key} format.

For more information, see Policy elements.

RAM policy examples

  • A RAM policy allowing users to access all KMS resources
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • A RAM policy allowing users to view keys and aliases and to use keys for encryption, decryption, and data key generation
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*", "kms:Describe*",
            "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • A RAM policy allowing users to perform operations on keys that contain the following tag:
    • Tag key: Project
    • Tag value: Apollo
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/Project": [
                            "Apollo"
                        ]
                    }
                }
            }
        ]
    }
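As an added example that is not part of the Alibaba Cloud documentation, the following Python models how a RAM policy such as the tag-scoped one above is evaluated against a KMS request: wildcard matching for Action and Resource entries such as kms:List*, the kms:tag/${tag-key} condition under StringEqualsIgnoreCase, and deny-by-default. The request context shape, the set of supported operators, and the deny-overrides ordering are assumptions of this model, not the service's own implementation.

```python
import fnmatch

# Constructed sample: the tag-scoped policy from this page, as RAM would parse it.
TAG_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": ["*"],
        "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # Action and Resource entries use "*" as a wildcard, e.g. "kms:List*".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    # ctx carries request attributes such as {"kms:tag/Project": "apollo"}.
    # A condition key missing from the request never matches (fail closed).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if actual is None:
                return False
            if operator == "StringEqualsIgnoreCase":
                actual, expected = actual.lower(), [e.lower() for e in expected]
            elif operator != "StringEquals":  # only the two string operators on this page
                raise ValueError(f"unsupported condition operator: {operator}")
            if actual not in expected:
                return False
    return True

def is_allowed(policy, action, resource, key_tags=None):
    """Deny by default; an explicit Deny statement overrides any Allow (assumed model)."""
    ctx = {f"kms:tag/{k}": v for k, v in (key_tags or {}).items()}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Passing the key's tags as key_tags lets you check, before attaching a policy, which keys a RAM user would actually be able to use.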