
Use RAM for KMS resource authorization

Last Updated: Mar 30, 2018

There are two main types of KMS resources: keys and aliases. Each type is further divided into a set type (the collection of keys or aliases owned by an account in a region) and a specific resource (one key or one alias). The different resource types correspond to different operations. A primary account (the Alibaba Cloud account itself) has full operational permissions on its own resources. A RAM sub-account has no KMS permissions by default: it must be granted permission to perform operations on the corresponding resources through a RAM authorization policy.

Before using RAM to authorize a sub-account to access a CMK, make sure that you have read the RAM product documentation and the RAM API documentation.

KMS resource types that can be authorized in RAM

The ARN formats of the KMS resources are as follows:

  Resource type   ARN
  Key set         acs:kms:${region-id}:${resource-owner-id}:key
  Key             acs:kms:${region-id}:${resource-owner-id}:key/${key-uuid}
  Alias set       acs:kms:${region-id}:${resource-owner-id}:alias
  Alias           acs:kms:${region-id}:${resource-owner-id}:${fullaliasname}

Here ${fullaliasname} is the full alias name including its alias/ prefix (for example alias/my-app-key), which is why the wildcard form for all aliases below ends in alias/*.

Actions and ARNs in RAM authorization

Resources for set-type actions

  API          Action            ARN
  CreateKey    kms:CreateKey     acs:kms:${region-id}:${resource-owner-id}:key
  ListKeys     kms:ListKeys      acs:kms:${region-id}:${resource-owner-id}:key
  ListAliases  kms:ListAliases   acs:kms:${region-id}:${resource-owner-id}:alias

Actions for specific resources

  • For a specific resource, the Action is normally written kms:${apiname} and the Resource is the ARN of that resource. Some alias APIs operate on more than one resource (an alias and the key it refers to) and therefore require the ARNs of all the resources involved to be authorized.
  • ARNs for specific resources support the wildcard character *. Note that key/* matches every key but not the key set ARN (…:key), so a policy scoped to key/* does not by itself authorize ListKeys or CreateKey.
    • All key ARNs: acs:kms:${region-id}:${resource-owner-id}:key/*
    • All alias ARNs: acs:kms:${region-id}:${resource-owner-id}:alias/*

APIs unrelated to RAM authorization

  • DescribeRegions is not subject to RAM authorization. Sub-accounts can call it without any policy, and a Deny in a RAM policy has no effect on it.

Examples of common RAM authorization policies in KMS

  • Allow access to all KMS resources

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:*"
          ],
          "Resource": [
            "acs:kms:*:${your user id}:*"
          ]
        }
      ]
    }

    kms:* includes destructive actions such as ScheduleKeyDeletion, so reserve this policy for administrators and scope application sub-accounts to the actions and keys they actually use.

  • Allow access to resources in selected regions only

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:*"
          ],
          "Resource": [
            "acs:kms:cn-hangzhou:${your user id}:*",
            "acs:kms:ap-southeast-1:${your user id}:*"
          ]
        }
      ]
    }

  • Allow viewing keys and aliases, and using keys (encrypt, decrypt, generate data keys)

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
            "acs:kms:*:${your user id}:*"
          ]
        }
      ]
    }

  • Allow key deletion

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:ScheduleKeyDeletion"
          ],
          "Resource": [
            "acs:kms:*:${your user id}:key/*"
          ]
        }
      ]
    }
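The following is an added example, not code from the KMS or RAM documentation. It is a small offline evaluator for RAM policy documents of the shape shown above, used as a pre-flight check that a policy grants exactly the KMS permissions intended before it is attached to a sub-account. It demonstrates both the ARN wildcard rules from the "Actions for specific resources" section and the policy examples: a least-privilege policy that lets an application use a single CMK, and the page's key-deletion policy checked against key ARNs and the key set ARN. Assumed semantics (not stated on this page): * in an Action or Resource matches any run of characters, an explicit Deny overrides every Allow, and anything no Allow matches is denied. The account ID and key IDs are constructed placeholders; the function names are this example's own.

```python
import fnmatch

# Added example, not part of the KMS/RAM documentation. A minimal offline
# evaluator for RAM policy documents of the shape shown on this page.
# Assumed matching semantics: '*' in an Action or Resource matches any run of
# characters, an explicit Deny overrides every Allow, and anything no Allow
# matches is denied. RAM's real evaluator also supports conditions; treat
# this as a sanity check on a policy, not as the source of truth.


def kms_arn(region, owner_id, resource):
    """Build a KMS ARN from the parts used on this page, e.g. resource='key/<uuid>'."""
    return f"acs:kms:{region}:{owner_id}:{resource}"


def single_key_policy(region, owner_id, key_uuid, actions):
    """Least-privilege policy: only the given actions, on exactly one CMK."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [kms_arn(region, owner_id, f"key/{key_uuid}")],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # fnmatch implements '*' and '?'. ARNs and action names never contain the
    # '[' that fnmatch would otherwise treat as a character class.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if `policy` lets `action` be performed on the ARN `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins (assumed deny-overrides rule)
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


# Constructed placeholder identifiers; substitute your own account ID and key IDs.
OWNER = "123456789012345678"
APP_KEY = "00000000-0000-0000-0000-000000000001"
OTHER_KEY = "00000000-0000-0000-0000-000000000002"

# An application that only ever wraps and unwraps data keys under one CMK.
APP_POLICY = single_key_policy("cn-hangzhou", OWNER, APP_KEY,
                               ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"])

# The "Allow key deletion" policy from this page, with the owner ID filled in.
DELETE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:ScheduleKeyDeletion"],
        "Resource": [f"acs:kms:*:{OWNER}:key/*"],
    }],
}

# A read policy scoped to key/* only: a common mistake, since ListKeys is
# authorised on the key set ARN (...:key), which key/* does not match.
LIST_ON_KEY_WILDCARD = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:List*", "kms:DescribeKey"],
        "Resource": [f"acs:kms:*:{OWNER}:key/*"],
    }],
}


def check_policies():
    """Evaluate the sample policies against concrete ARNs; returns a dict of verdicts."""
    app_key = kms_arn("cn-hangzhou", OWNER, f"key/{APP_KEY}")
    other_key = kms_arn("cn-hangzhou", OWNER, f"key/{OTHER_KEY}")
    key_set = kms_arn("cn-hangzhou", OWNER, "key")
    return {
        "app_decrypt_own_key": is_allowed(APP_POLICY, "kms:Decrypt", app_key),
        "app_decrypt_other_key": is_allowed(APP_POLICY, "kms:Decrypt", other_key),
        "app_delete_own_key": is_allowed(APP_POLICY, "kms:ScheduleKeyDeletion", app_key),
        "delete_any_region": is_allowed(DELETE_POLICY, "kms:ScheduleKeyDeletion",
                                        kms_arn("ap-southeast-1", OWNER, f"key/{OTHER_KEY}")),
        "delete_matches_key_set": is_allowed(DELETE_POLICY, "kms:ScheduleKeyDeletion", key_set),
        "describe_on_key_wildcard": is_allowed(LIST_ON_KEY_WILDCARD, "kms:DescribeKey", app_key),
        "listkeys_on_key_wildcard": is_allowed(LIST_ON_KEY_WILDCARD, "kms:ListKeys", key_set),
    }


if __name__ == "__main__":
    for name, verdict in check_policies().items():
        print(f"{name:26s} {'ALLOW' if verdict else 'DENY'}")
```

Running the block prints one ALLOW/DENY line per check. The two key/* checks are the ones worth remembering: the deletion policy reaches keys in every region but never the key set ARN, and a List* grant scoped to key/* silently fails to authorize ListKeys because that action is evaluated against the set ARN.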