KMS uses RAM to control access to resources. This topic describes the resource types, actions, and policy conditions in KMS.

An Alibaba Cloud account has full operation permissions on its own resources. RAM users and roles are granted varying operation permissions on resources through RAM authorization.

Before you use RAM to authorize and access CMKs, make sure that you have read the following topics:

Resource types in KMS

The following table lists all resource types and corresponding Alibaba Cloud Resource Names (ARNs) in KMS. They can be used in the Resource parameter of a RAM policy.

Resource type      ARN
Key container      acs:kms:${region}:${account}:key
Secret container   acs:kms:${region}:${account}:secret
Alias container    acs:kms:${region}:${account}:alias
Key                acs:kms:${region}:${account}:key/${key-id}
Secret             acs:kms:${region}:${account}:secret/${secret-name}
Alias              acs:kms:${region}:${account}:alias/${alias-name}

Actions defined in KMS

KMS defines a RAM action for each API operation that is subject to access control, and these actions are what you reference in RAM policies. Actions must be in the kms:${api-name} format.
Note: The DescribeRegions API operation requires no access control. It can be called by an Alibaba Cloud account, a RAM user, or a RAM role as soon as the caller passes RAM authentication.

The following tables list the mapping between KMS API operations, the RAM actions that authorize them, and the resource types they act on.

  • Key API operations
    Operation                        Action                               Resource type
    ListKeys                         kms:ListKeys                         Key container
    CreateKey                        kms:CreateKey                        Key container
    DescribeKey                      kms:DescribeKey                      Key
    UpdateKeyDescription             kms:UpdateKeyDescription             Key
    EnableKey                        kms:EnableKey                        Key
    DisableKey                       kms:DisableKey                       Key
    ScheduleKeyDeletion              kms:ScheduleKeyDeletion              Key
    CancelKeyDeletion                kms:CancelKeyDeletion                Key
    GetParametersForImport           kms:GetParametersForImport           Key
    ImportKeyMaterial                kms:ImportKeyMaterial                Key
    DeleteKeyMaterial                kms:DeleteKeyMaterial                Key
    ListAliases                      kms:ListAliases                      Alias container
    CreateAlias                      kms:CreateAlias                      Alias or key
    UpdateAlias                      kms:UpdateAlias                      Alias or key
    DeleteAlias                      kms:DeleteAlias                      Alias or key
    ListAliasesByKeyId               kms:ListAliasesByKeyId               Key
    CreateKeyVersion                 kms:CreateKeyVersion                 Key
    DescribeKeyVersion               kms:DescribeKeyVersion               Key
    ListKeyVersions                  kms:ListKeyVersions                  Key
    UpdateRotationPolicy             kms:UpdateRotationPolicy             Key
    Encrypt                          kms:Encrypt                          Key
    Decrypt                          kms:Decrypt                          Key
    GenerateDataKey                  kms:GenerateDataKey                  Key
    GenerateDataKeyWithoutPlaintext  kms:GenerateDataKeyWithoutPlaintext  Key
    AsymmetricSign                   kms:AsymmetricSign                   Key
    AsymmetricVerify                 kms:AsymmetricVerify                 Key
    AsymmetricEncrypt                kms:AsymmetricEncrypt                Key
    AsymmetricDecrypt                kms:AsymmetricDecrypt                Key
    GetPublicKey                     kms:GetPublicKey                     Key
  • Secrets Manager API operations
    Operation                        Action                               Resource type
    CreateSecret                     kms:CreateSecret                     Secret container
    ListSecrets                      kms:ListSecrets                      Secret container
    DescribeSecret                   kms:DescribeSecret                   Secret
    DeleteSecret                     kms:DeleteSecret                     Secret
    UpdateSecret                     kms:UpdateSecret                     Secret
    RestoreSecret                    kms:RestoreSecret                    Secret
    GetSecretValue                   kms:GetSecretValue                   Secret
    PutSecretValue                   kms:PutSecretValue                   Secret
    ListSecretVersionIds             kms:ListSecretVersionIds             Secret
    UpdateSecretVersionStage         kms:UpdateSecretVersionStage         Secret
    GetRandomPassword                kms:GetRandomPassword                None
  • Tag API operations
    Operation                        Action                               Resource type
    ListResourceTags                 kms:ListResourceTags                 Key or secret
    UntagResource                    kms:UntagResource                    Key or secret
    TagResource                      kms:TagResource                      Key or secret

Policy conditions in KMS

You can add conditions to RAM policies to control access to KMS. RAM authorizes a request only when every specified condition is met. For example, you can use acs:CurrentTime to limit the time period during which a RAM policy is valid.

In addition to the global conditions, you can use tags as filters to restrict key-related API operations such as Encrypt, Decrypt, and GenerateDataKey to keys that carry a given tag. The condition key must be in the kms:tag/${tag-key} format.

For more information, see Policy elements.

RAM policy examples

  • A RAM policy allowing users to access all KMS resources
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • A RAM policy allowing users to list and view keys and aliases and to use keys for Encrypt, Decrypt, and GenerateDataKey
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*", "kms:Describe*",
            "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
  • A RAM policy allowing users to perform operations on keys that contain the following tag:
    • Tag key: Project
    • Tag value: Apollo
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/Project": [
                            "Apollo"
                        ]
                    }
                }
            }
        ]
    }
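To show how the policy elements above combine at evaluation time, here is an added Python example; it is not Alibaba Cloud's code and does not call the RAM service. It models only the subset of RAM policy syntax this page uses (Allow/Deny effects, "*" wildcards in Action and Resource, and StringEquals / StringEqualsIgnoreCase conditions on kms:tag/${tag-key} keys), evaluates the second and third policies from the page against sample requests, and goes one step beyond the page by scoping a statement to a single key ARN built from the ARN format in the resource-type table. The region, account ID, key IDs and tag values are constructed sample values.

```python
import fnmatch

# Added example, not Alibaba Cloud's code: a minimal evaluator for the subset of
# RAM policy syntax shown on this page. Region, account ID, key IDs and tag
# values below are constructed sample values, not real identifiers.


def key_arn(region, account, key_id):
    """ARN of one key, following acs:kms:${region}:${account}:key/${key-id}."""
    return f"acs:kms:{region}:{account}:key/{key_id}"


def tag_context(tags):
    """Turn a key's tags into the kms:tag/${tag-key} condition keys a policy can reference."""
    return {f"kms:tag/{k}": v for k, v in tags.items()}


def _matches_any(patterns, value):
    # '*' in an Action or Resource entry matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Every clause must hold; a condition key missing from the request fails."""
    for operator, clauses in condition.items():
        for ctx_key, expected in clauses.items():
            actual = context.get(ctx_key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringEqualsIgnoreCase":
                ok = actual.lower() in [e.lower() for e in expected]
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Deny by default; a matching Deny statement overrides any Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The second and third policies from this page, verbatim.
READ_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:List*", "kms:Describe*",
               "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": ["*"]}]}
TAG_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": ["*"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}

# Constructed: the same actions, but scoped to one key ARN instead of "*".
REGION, ACCOUNT = "cn-hangzhou", "123456789012"   # sample values
SCOPED_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": [key_arn(REGION, ACCOUNT, "key-app-1")]}]}


def check_examples():
    """Evaluate sample requests against the policies; returns {label: allowed}."""
    container = f"acs:kms:{REGION}:{ACCOUNT}:key"
    app_key = key_arn(REGION, ACCOUNT, "key-app-1")
    other_key = key_arn(REGION, ACCOUNT, "key-other")
    apollo = tag_context({"Project": "apollo"})    # case differs from the policy
    artemis = tag_context({"Project": "Artemis"})
    return {
        "read: ListKeys on key container": is_allowed(READ_POLICY, "kms:ListKeys", container),
        "read: CreateKey on key container": is_allowed(READ_POLICY, "kms:CreateKey", container),
        "tag: Encrypt, key tagged Project=apollo": is_allowed(TAG_POLICY, "kms:Encrypt", app_key, apollo),
        "tag: Encrypt, key tagged Project=Artemis": is_allowed(TAG_POLICY, "kms:Encrypt", app_key, artemis),
        "tag: Encrypt, untagged key": is_allowed(TAG_POLICY, "kms:Encrypt", app_key),
        "scoped: Decrypt app key": is_allowed(SCOPED_POLICY, "kms:Decrypt", app_key),
        "scoped: Decrypt other key": is_allowed(SCOPED_POLICY, "kms:Decrypt", other_key),
    }


if __name__ == "__main__":
    for label, ok in check_examples().items():
        print(f"{'ALLOW' if ok else 'DENY':<5}  {label}")
```

Two points the output makes visible: a tag condition fails closed when the key carries no matching tag at all, so the tag-scoped policy grants nothing on untagged keys, and replacing "*" with a key ARN from the resource-type table confines the same three actions to one key without touching the Action list.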