
Resource Access Management:Key Management Service (KMS)

Last Updated:Sep 30, 2021

Resource Access Management (RAM) users or RAM roles must be granted permissions before they can access cloud resources. RAM uses policies to define permissions. A cloud service defines elements that can be used in a policy statement, such as Action, Resource, and Condition. This topic describes the permissions on KMS.

The RAM code (RamCode) that identifies KMS is kms. Permissions on KMS can be granted at the resource level.

Action

The following table describes the values that you can use in the Action element of a policy statement. The values are defined by KMS. The following list describes the columns in the table:
  • Action: the value that you can use in the Action element to specify the operation on a resource.

  • API: the API operation that you can call to perform the action. In most cases, only one API operation of a cloud service is required to perform an action. In some cases, multiple API operations must be called to perform an action, or an API operation can be called to perform multiple actions.

  • Access level: the access level of each action. The levels are read, write, and list.

  • Resource type: the type of the resource on which you can authorize a RAM user or a RAM role to perform the operation. Take note of the following items:

    • The required resource types are displayed in bold characters.

    • If the permissions cannot be granted at the resource level, All resources is used in the Resource type column of the action.

  • Condition key: the condition keys that are defined by a cloud service. The Condition key column does not list the common condition keys that are defined by Alibaba Cloud. For more information about the common condition keys, see Policy elements.

  • Dependent action: other actions for which a RAM user or a RAM role must already hold permissions before it can perform this action. A call to the action fails unless the caller is also authorized to perform the dependent action.

| Action | API | Access level | Resource type (ARN) | Condition key | Dependent action |
| --- | --- | --- | --- | --- | --- |
| kms:AsymmetricDecrypt | AsymmetricDecrypt | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:AsymmetricEncrypt | AsymmetricEncrypt | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:AsymmetricSign | AsymmetricSign | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:AsymmetricVerify | AsymmetricVerify | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:CancelKeyDeletion | CancelKeyDeletion | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:CertificatePrivateKeyDecrypt | CertificatePrivateKeyDecrypt | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:CertificatePrivateKeySign | CertificatePrivateKeySign | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:CertificatePublicKeyEncrypt | CertificatePublicKeyEncrypt | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:CertificatePublicKeyVerify | CertificatePublicKeyVerify | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:CreateAlias | CreateAlias | Read | Alias: acs:kms:{#regionId}:{#accountId}:alias/{#AliasName}; Key: acs:kms:{#regionId}:{#accountId}:key/* | N/A | N/A |
| kms:CreateCertificate | CreateCertificate | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/* | N/A | N/A |
| kms:CreateCertificateAuthority | N/A | Write | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/* | N/A | N/A |
| kms:CreateKey | CreateKey | Write | Key: acs:kms:{#regionId}:{#accountId}:key/* | kms:tag | N/A |
| kms:CreateKeyVersion | CreateKeyVersion | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:CreateSecret | CreateSecret | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/* | N/A | N/A |
| kms:Decrypt | Decrypt | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:DeleteAlias | DeleteAlias | Write | Alias: acs:kms:{#regionId}:{#accountId}:alias/{#AliasName}; Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | N/A | N/A |
| kms:DeleteCertificate | DeleteCertificate | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:DeleteCertificateAuthority | N/A | Write | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:DeleteKeyMaterial | DeleteKeyMaterial | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:DeleteSecret | DeleteSecret | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:DescribeAccountKmsStatus | DescribeAccountKmsStatus | Read | All resources: acs:kms::{#accountId}:* | N/A | N/A |
| kms:DescribeCertificate | DescribeCertificate | Read | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:DescribeCertificateAuthority | N/A | Read | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:DescribeKey | DescribeKey | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:DescribeKeyVersion | DescribeKeyVersion | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:DescribeSecret | DescribeSecret | Read | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:DisableKey | DisableKey | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:EnableKey | EnableKey | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:Encrypt | Encrypt | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:ExportCertificate | ExportCertificate | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:ExportDataKey | ExportDataKey | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:GenerateAndExportDataKey | GenerateAndExportDataKey | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:GenerateDataKey | GenerateDataKey | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:GenerateDataKeyWithoutPlaintext | GenerateDataKeyWithoutPlaintext | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:GetCertificate | GetCertificate | Read | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:GetCertificateAuthorityCertificate | N/A | Read | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:GetCertificateAuthorityCsr | N/A | Read | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:GetCrl | N/A | Read | All resources: acs:kms:*:{#accountId}:* | N/A | N/A |
| kms:GetIssuedCertificate | N/A | Read | Certificate: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:GetParametersForImport | GetParametersForImport | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:GetPublicKey | GetPublicKey | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:GetRandomPassword | GetRandomPassword | Read | All resources: acs:kms:{#regionId}:{#accountId}:* | N/A | N/A |
| kms:GetSecretValue | GetSecretValue | Read | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:ImportCertificate | ImportCertificate | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/* | N/A | N/A |
| kms:ImportCertificateAuthorityCertificate | N/A | Write | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:ImportEncryptionCertificate | ImportEncryptionCertificate | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:ImportKeyMaterial | ImportKeyMaterial | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:IssueCertificate | N/A | Read | Certificate: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:IssueCrl | N/A | Read | All resources: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:ListAliases | ListAliases | List | Alias: acs:kms:{#regionId}:{#accountId}:alias/* | N/A | N/A |
| kms:ListAliasesByKeyId | ListAliasesByKeyId | List | Alias: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:ListCertificateAuthorities | N/A | List | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/* | N/A | N/A |
| kms:ListCertificates | ListCertificates | List | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/* | N/A | N/A |
| kms:ListKeyVersions | ListKeyVersions | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:ListKeys | ListKeys | List | Key: acs:kms:{#regionId}:{#accountId}:key/* | kms:tag | N/A |
| kms:ListResourceTags | ListResourceTags | List | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:ListSecretVersionIds | ListSecretVersionIds | List | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:ListSecrets | ListSecrets | List | Secret: acs:kms:{#regionId}:{#accountId}:secret/* | N/A | N/A |
| kms:OpenKmsService | OpenKmsService | Write | All resources: acs:kms::{#accountId}:* | N/A | N/A |
| kms:PutSecretValue | PutSecretValue | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:ReEncryptFrom | ReEncrypt | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | kms:ReEncryptTo |
| kms:RestoreSecret | RestoreSecret | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:RevokeIssuedCertificate | N/A | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:RotateSecret | RotateSecret | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:ScheduleKeyDeletion | ScheduleKeyDeletion | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:SetDeletionProtection | SetDeletionProtection | Read | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:TagResource | TagResource | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId}; Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | kms:tag | N/A |
| kms:UntagResource | UntagResource | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId}; Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | kms:tag | N/A |
| kms:UpdateAlias | UpdateAlias | Write | Alias: acs:kms:{#regionId}:{#accountId}:alias/{#AliasName}; Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | N/A | N/A |
| kms:UpdateCertificateAuthority | N/A | Write | CertificateAuthority: acs:kms:{#regionId}:{#accountId}:certificate-authority/{#CertificateAuthorityId} | N/A | N/A |
| kms:UpdateCertificateStatus | UpdateCertificateStatus | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |
| kms:UpdateKeyDescription | UpdateKeyDescription | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:UpdateRotationPolicy | UpdateRotationPolicy | Write | Key: acs:kms:{#regionId}:{#accountId}:key/{#KeyId} | kms:tag | N/A |
| kms:UpdateSecret | UpdateSecret | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:UpdateSecretRotationPolicy | UpdateSecretRotationPolicy | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:UpdateSecretVersionStage | UpdateSecretVersionStage | Write | Secret: acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} | N/A | N/A |
| kms:UploadCertificate | UploadCertificate | Write | Certificate: acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} | N/A | N/A |

Resource

The following table describes the values that you can use in the Resource element of a policy statement. The values are defined by KMS.

The Alibaba Cloud Resource Name (ARN) is the unique identifier of the resource on Alibaba Cloud. Take note of the following items:

  • {#} indicates a variable. {#} must be replaced with an actual value. For example, {#regionId} must be replaced with the actual ID of the region where your resource resides.

  • An asterisk (*) is used as a wildcard. Examples:

    • If you specify {#resourceType}/*, all resources of that type are specified.

    • If {#regionId} is set to *, all regions are specified.

    • If {#accountId} is set to *, all Alibaba Cloud accounts are specified.

| Resource type | ARN |
| --- | --- |
| Key | acs:kms:{#regionId}:{#accountId}:key/{#KeyId} |
| Certificate | acs:kms:{#regionId}:{#accountId}:certificate/{#CertificateId} |
| Alias | acs:kms:{#regionId}:{#accountId}:alias/{#AliasName} |
| Secret | acs:kms:{#regionId}:{#accountId}:secret/{#SecretName} |
| CertificateAuthority | acs:kms:{#regionId}:{#accountId}:certificateauthority/{#CertificateAuthorityId} |

Condition

The following table describes the service-specific condition keys that you can use in the Condition element of a policy statement. The values are defined by KMS. The common condition keys that are defined by Alibaba Cloud also apply to KMS. For more information about the common condition keys, see Policy elements.

The data type determines which condition operators you can use to compare the value in a request with the value in a policy statement. You must use condition operators that are supported by the data type. Otherwise, you cannot compare the value in the request with the value in the policy statement. In this case, the authorization is invalid. For more information about the condition operators that are supported by each data type, see Policy elements.

| Condition key | Description | Type |
| --- | --- | --- |
| kms:tag | A tag key and value pair that are attached to a KMS resource. | String |
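As an added illustration (not Alibaba Cloud's code and not RAM's real policy evaluator), the following Python renders the ARN templates from the tables above and checks two constructed policies against them: a least-privilege data-key policy scoped to one key, and a read-only inventory policy that uses the `*` wildcard for region and key. The region, account ID and key IDs are constructed placeholders, and the glob-style matching is a simplification that ignores Deny statements and condition keys.

```python
"""Added illustration of how Action and Resource scope KMS permissions.
Not Alibaba Cloud's evaluator: it models only the two rules the page states
({#name} placeholders are substituted, * is a wildcard) and ignores Deny
statements and condition keys such as kms:tag."""
import re
from fnmatch import fnmatchcase

# Constructed sample identifiers; placeholders, not real account data.
REGION, ACCOUNT = "cn-hangzhou", "1234567890123456"
APP_KEY_ID = "11111111-aaaa-4bbb-cccc-222222222222"
KEY_ARN = "acs:kms:{#regionId}:{#accountId}:key/{#KeyId}"  # from the Resource table


def render_arn(template: str, **values: str) -> str:
    """Replace each {#name} with values[name]; names are compared
    case-insensitively so {#KeyId} and {#keyId} both resolve."""
    lookup = {k.lower(): v for k, v in values.items()}
    return re.sub(r"\{#(\w+)\}", lambda m: lookup[m.group(1).lower()], template)


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """True if some Allow statement matches both the action and the resource.
    '*' is treated as a glob wildcard; ARNs contain no other glob characters."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if (any(fnmatchcase(action, a) for a in st["Action"])
                and any(fnmatchcase(resource_arn, r) for r in st["Resource"])):
            return True
    return False


# Least privilege for an application doing envelope encryption with one CMK.
# Statement layout follows the RAM JSON policy format (Version "1").
DATA_KEY_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": [render_arn(KEY_ARN, regionId=REGION, accountId=ACCOUNT, KeyId=APP_KEY_ID)],
}]}

# Read-only inventory role: every key in every region of this account, no key use.
AUDIT_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:DescribeKey", "kms:ListKeys", "kms:ListKeyVersions"],
    "Resource": [render_arn(KEY_ARN, regionId="*", accountId=ACCOUNT, KeyId="*")],
}]}

if __name__ == "__main__":
    app = render_arn(KEY_ARN, regionId=REGION, accountId=ACCOUNT, KeyId=APP_KEY_ID)
    for policy, name in ((DATA_KEY_POLICY, "data-key"), (AUDIT_POLICY, "audit")):
        for action in ("kms:Decrypt", "kms:DescribeKey", "kms:ScheduleKeyDeletion"):
            print(f"{name:8} {action:24} -> {is_allowed(policy, action, app)}")
```

Note that ListKeys is authorized against the `key/*` ARN from the Action table, so a policy restricted to a single key ARN never grants it; the audit policy above covers it because its Resource ends in `key/*`.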