Key Management Service (KMS) allows you to use Resource Access Management (RAM) to control access to KMS resources. This topic describes the KMS resource types, actions, and conditions that you can define in RAM policies.

Alibaba Cloud accounts have full permissions on their resources. RAM users and RAM roles must be explicitly granted permissions on resources.

Before you use RAM to perform authorization and access customer master keys (CMKs), read the following topics:

Resource types in KMS

The following table describes all resource types and their Alibaba Cloud Resource Names (ARNs) in KMS. The ARNs can be used in the Resource parameter of a RAM policy. Container ARNs scope the operations that create or list resources, such as CreateKey and ListKeys; per-resource ARNs scope operations on one existing resource. A trailing wildcard such as acs:kms:${region}:${account}:key/* matches every key in that region.

Resource type          ARN
Key container          acs:kms:${region}:${account}:key
Secret container       acs:kms:${region}:${account}:secret
Alias container        acs:kms:${region}:${account}:alias
Certificate container  acs:kms:${region}:${account}:certificate
Key                    acs:kms:${region}:${account}:key/${key-id}
Secret                 acs:kms:${region}:${account}:secret/${secret-name}
Alias                  acs:kms:${region}:${account}:alias/${alias-name}
Certificate            acs:kms:${region}:${account}:certificate/${id}

Actions in KMS

KMS defines actions that are used in RAM policies to control access to each API operation. Actions are in the kms:<api-name> format.
Note The DescribeRegions operation does not require authorization. It can be called by Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication.

The following tables describe the RAM action and resource type that correspond to each KMS API operation.

  • Key API operations
    Operation                        Action                                    Resource type
    ListKeys                         kms:ListKeys                              Key container
    CreateKey                        kms:CreateKey                             Key container
    DescribeKey                      kms:DescribeKey                           Key
    UpdateKeyDescription             kms:UpdateKeyDescription                  Key
    EnableKey                        kms:EnableKey                             Key
    DisableKey                       kms:DisableKey                            Key
    ScheduleKeyDeletion              kms:ScheduleKeyDeletion                   Key
    CancelKeyDeletion                kms:CancelKeyDeletion                     Key
    GetParametersForImport           kms:GetParametersForImport                Key
    ImportKeyMaterial                kms:ImportKeyMaterial                     Key
    DeleteKeyMaterial                kms:DeleteKeyMaterial                     Key
    ListAliases                      kms:ListAliases                           Alias container
    CreateAlias                      kms:CreateAlias                           Alias and key
    UpdateAlias                      kms:UpdateAlias                           Alias and key
    DeleteAlias                      kms:DeleteAlias                           Alias and key
    ListAliasesByKeyId               kms:ListAliasesByKeyId                    Key
    CreateKeyVersion                 kms:CreateKeyVersion                      Key
    DescribeKeyVersion               kms:DescribeKeyVersion                    Key
    ListKeyVersions                  kms:ListKeyVersions                       Key
    UpdateRotationPolicy             kms:UpdateRotationPolicy                  Key
    Encrypt                          kms:Encrypt                               Key
    Decrypt                          kms:Decrypt                               Key
    ReEncrypt                        kms:ReEncryptFrom and kms:ReEncryptTo     Key
                                     (the wildcard kms:ReEncrypt* covers both)
    GenerateDataKey                  kms:GenerateDataKey                       Key
    GenerateDataKeyWithoutPlaintext  kms:GenerateDataKeyWithoutPlaintext       Key
    ExportDataKey                    kms:ExportDataKey                         Key
    GenerateAndExportDataKey         kms:GenerateAndExportDataKey              Key
    AsymmetricSign                   kms:AsymmetricSign                        Key
    AsymmetricVerify                 kms:AsymmetricVerify                      Key
    AsymmetricEncrypt                kms:AsymmetricEncrypt                     Key
    AsymmetricDecrypt                kms:AsymmetricDecrypt                     Key
    GetPublicKey                     kms:GetPublicKey                          Key
  • Secrets Manager API operations
    Operation                 Action                                      Resource type
    CreateSecret              kms:CreateSecret                            Secret container
    ListSecrets               kms:ListSecrets                             Secret container
    DescribeSecret            kms:DescribeSecret                          Secret
    DeleteSecret              kms:DeleteSecret                            Secret
    UpdateSecret              kms:UpdateSecret                            Secret
    RestoreSecret             kms:RestoreSecret                           Secret
    GetSecretValue            kms:GetSecretValue and kms:Decrypt          Secret
    PutSecretValue            kms:PutSecretValue and kms:GenerateDataKey  Secret
    ListSecretVersionIds      kms:ListSecretVersionIds                    Secret
    UpdateSecretVersionStage  kms:UpdateSecretVersionStage                Secret
    GetRandomPassword         kms:GetRandomPassword                       N/A
    Note The kms:Decrypt permission for GetSecretValue and the kms:GenerateDataKey permission for PutSecretValue are required only when you specify a user-managed CMK as the encryption key for a generic secret.
  • Certificates Manager API operations
    Operation                     Action                            Resource type
    CreateCertificate             kms:CreateCertificate             Certificate
    UploadCertificate             kms:UploadCertificate             Certificate
    GetCertificate                kms:GetCertificate                Certificate
    DescribeCertificate           kms:DescribeCertificate           Certificate
    UpdateCertificateStatus       kms:UpdateCertificateStatus       Certificate
    DeleteCertificate             kms:DeleteCertificate             Certificate
    CertificatePrivateKeySign     kms:CertificatePrivateKeySign     Certificate
    CertificatePublicKeyVerify    kms:CertificatePublicKeyVerify    Certificate
    CertificatePublicKeyEncrypt   kms:CertificatePublicKeyEncrypt   Certificate
    CertificatePrivateKeyDecrypt  kms:CertificatePrivateKeyDecrypt  Certificate
  • Tag management API operations
    Operation         Action                Resource type
    ListResourceTags  kms:ListResourceTags  Key or secret
    UntagResource     kms:UntagResource     Key or secret
    TagResource       kms:TagResource       Key or secret

Policy conditions in KMS

You can specify conditions in RAM policies to control access to KMS. A policy statement takes effect only when all of its conditions are met. For example, you can specify an acs:CurrentTime condition to control the period during which a RAM policy is valid.

In addition to the global condition keys, you can use the tags attached to a key as a filter to limit cryptographic API operations such as Encrypt, Decrypt, and GenerateDataKey to specific keys. The condition key is in the kms:tag/<tag-key> format, and its value is compared with the value of that tag on the key that the operation uses.

For more information, see Policy elements.

Sample RAM policies

  • RAM policy that allows users to access all KMS resources
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }               
  • RAM policy that allows users to query keys and aliases and use keys
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*", "kms:Describe*",
            "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    Note The kms:List* and kms:Describe* wildcards also match Secrets Manager and Certificates Manager operations such as ListSecrets, DescribeSecret, and DescribeCertificate. If the policy is meant to cover keys and aliases only, list the key and alias actions explicitly or restrict Resource to key and alias ARNs.
  • RAM policy that allows users to use keys that contain the following tag to perform cryptographic operations:
    • Tag key: Project
    • Tag value: Apollo
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "StringEqualsIgnoreCase": {
                        "kms:tag/Project": [
                            "Apollo"
                        ]
                    }
                }
            }
        ]
    }               
  • RAM policy that allows users to query secrets and the versions and content of secrets, and generate random passwords
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*", "kms:Describe*",
            "kms:GetSecretValue", "kms:Decrypt", "kms:GetRandomPassword"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    Note kms:Decrypt with Resource "*" also authorizes direct Decrypt calls with every key in the account, not only the user-managed CMKs that encrypt these secrets. Grant kms:Decrypt only on the ARNs of those CMKs if the user should not be able to decrypt with other keys.
  • RAM policy that allows users to query certificates
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:List*",
            "kms:Describe*",
            "kms:Get*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    Note kms:Get* matches more than certificate operations: it also grants GetSecretValue, GetPublicKey, GetParametersForImport, and GetRandomPassword. To limit the policy to certificates, use kms:GetCertificate instead of kms:Get*, or restrict Resource to certificate ARNs.
  • RAM policy that allows users to generate and verify digital signatures by using specified certificates
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:CertificatePrivateKeySign",
            "kms:CertificatePublicKeyVerify"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
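To make the action, resource, and condition model of this topic concrete, the following Python script is an added example; it is not part of this topic and not Alibaba Cloud's own evaluator. It is a simplified RAM policy evaluator that checks the tag-scoped policy from the samples above, a constructed least-privilege policy for one key, and a secret-reader policy against the action requirements in the tables (including the extra kms:Decrypt that GetSecretValue needs for a secret encrypted with a user-managed CMK). The region, account ID, key IDs, secret name, and policy names are constructed; the evaluation rules (implicit deny, an explicit Deny overriding every Allow, '*' wildcards in Action and Resource, conditions matched against a request context) are assumptions of the model and are stated in the comments.

```python
import re

# Added example: a simplified model of RAM policy evaluation for KMS requests.
# Assumptions of this model (it is not Alibaba Cloud's evaluator): a request is
# denied unless some statement allows it, a matching Deny overrides every Allow,
# '*' in Action and Resource matches any run of characters, and a Condition block
# must match the request context. Only the two string operators below are modelled.

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _wild(pattern, value):
    """Match a policy Action/Resource pattern where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

_CONDITION_OPS = {
    "StringEquals": lambda wanted, have: have in wanted,
    "StringEqualsIgnoreCase": lambda wanted, have: have.lower() in [w.lower() for w in wanted],
}

def _condition_met(condition, context):
    """Every operator/key clause must match; a key missing from the context never matches."""
    for op, clauses in condition.items():
        if op not in _CONDITION_OPS:
            raise ValueError(f"condition operator not modelled here: {op}")
        for key, wanted in clauses.items():
            have = context.get(key)
            if have is None or not _CONDITION_OPS[op](_as_list(wanted), have):
                return False
    return True

def is_allowed(policies, action, resource, context=None):
    """Decide one action on one resource ARN: implicit deny, explicit Deny wins."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Actions each operation needs, taken from the tables in this topic. ReEncrypt
# needs both ReEncrypt actions (a single kms:ReEncrypt* grant covers them); the
# Secrets Manager operations need the extra action only when the secret is
# encrypted with a user-managed CMK. This model checks every required action
# against the single ARN passed in.
REQUIRED_ACTIONS = {
    "Encrypt": ["kms:Encrypt"],
    "Decrypt": ["kms:Decrypt"],
    "GenerateDataKey": ["kms:GenerateDataKey"],
    "ReEncrypt": ["kms:ReEncryptFrom", "kms:ReEncryptTo"],
    "ScheduleKeyDeletion": ["kms:ScheduleKeyDeletion"],
    "GetSecretValue": ["kms:GetSecretValue"],
    "PutSecretValue": ["kms:PutSecretValue"],
}
USER_CMK_EXTRA = {"GetSecretValue": "kms:Decrypt", "PutSecretValue": "kms:GenerateDataKey"}

def can_call(policies, operation, resource, context=None, user_managed_cmk=False):
    """True only if every action the operation requires is allowed on the resource."""
    needed = list(REQUIRED_ACTIONS[operation])
    if user_managed_cmk and operation in USER_CMK_EXTRA:
        needed.append(USER_CMK_EXTRA[operation])
    return all(is_allowed(policies, action, resource, context) for action in needed)

# Constructed sample identifiers: hypothetical region, account ID, key IDs and secret name.
REGION, ACCOUNT = "cn-hangzhou", "1234567890123456"
APP_KEY = f"acs:kms:{REGION}:{ACCOUNT}:key/0c6b5b2e-0000-4000-8000-000000000001"
OTHER_KEY = f"acs:kms:{REGION}:{ACCOUNT}:key/0c6b5b2e-0000-4000-8000-000000000002"
DB_SECRET = f"acs:kms:{REGION}:{ACCOUNT}:secret/db-password"

# Least-privilege policy for one workload: cryptographic use of exactly one key,
# plus a Deny on destructive actions that survives any broader Allow added later.
APP_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": [APP_KEY],
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:ReEncrypt*"]},
    {"Effect": "Deny", "Resource": ["*"],
     "Action": ["kms:ScheduleKeyDeletion", "kms:DeleteKeyMaterial"]},
]}
ADMIN_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]}]}
# The tag-scoped sample policy from this topic.
TAG_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": ["*"], "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}
# A secret reader that was granted kms:GetSecretValue but not kms:Decrypt.
SECRET_READER = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GetSecretValue"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print(can_call([APP_POLICY], "ReEncrypt", APP_KEY))                                  # True
    print(can_call([APP_POLICY, ADMIN_POLICY], "ScheduleKeyDeletion", APP_KEY))          # False: Deny wins
    print(can_call([TAG_POLICY], "Decrypt", APP_KEY, {"kms:tag/Project": "apollo"}))     # True
    print(can_call([SECRET_READER], "GetSecretValue", DB_SECRET, user_managed_cmk=True)) # False
```

The request context is modelled as a flat dictionary of condition keys, so the tag check passes only when the key being used carries Project=Apollo (compared case-insensitively, as StringEqualsIgnoreCase specifies); an untagged key or a different tag value falls through to the implicit deny. The Deny statement in APP_POLICY is what keeps a later, broader grant such as ADMIN_POLICY from authorizing key deletion.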