Use RAM to control access to KMS resources - Key Management Service

Key Management Service (KMS) allows you to use Resource Access Management (RAM) to control access to KMS resources. This topic describes the KMS resource types, actions, and conditions that can be defined in RAM policies.

Alibaba Cloud accounts have full permissions on their own resources. RAM users and roles must be explicitly granted permissions on resources.

Before you can use RAM to perform authorization and access customer master keys (CMKs), read the following topics:

Resource types in KMS

The following table describes all resource types and their Alibaba Cloud Resource Names (ARNs) in KMS. The ARNs can be used in the Resource parameter of a RAM policy.


Resource type	ARN
Key container	acs:kms:${region}:${account}:key
Secret container	acs:kms:${region}:${account}:secret
Alias container	acs:kms:${region}:${account}:alias
Certificate container	acs:kms:${region}:${account}:certificate
Key	acs:kms:${region}:${account}:key/${key-id}
Secret	acs:kms:${region}:${account}:secret/${secret-name}
Alias	acs:kms:${region}:${account}:alias/${alias-name}
Certificate	acs:kms:${region}:${account}:certificate/${id}

Actions in KMS

KMS defines actions in RAM policies for each API operation that requires access control. In most cases, actions are in the kms:<api-name> format.

Note The DescribeRegions operation does not require access control. The operation can be called by Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication.

The following tables list the RAM actions and resource types that correspond to each KMS API operation.

Key API operations


Operation	Action	Resource type
ListKeys	kms:ListKeys	Key container
CreateKey	kms:CreateKey	Key container
DescribeKey	kms:DescribeKey	Key
UpdateKeyDescription	kms:UpdateKeyDescription	Key
EnableKey	kms:EnableKey	Key
DisableKey	kms:DisableKey	Key
ScheduleKeyDeletion	kms:ScheduleKeyDeletion	Key
CancelKeyDeletion	kms:CancelKeyDeletion	Key
GetParametersForImport	kms:GetParametersForImport	Key
ImportKeyMaterial	kms:ImportKeyMaterial	Key
DeleteKeyMaterial	kms:DeleteKeyMaterial	Key
ListAliases	kms:ListAliases	Alias container
CreateAlias	kms:CreateAlias	Alias and key
UpdateAlias	kms:UpdateAlias	Alias and key
DeleteAlias	kms:DeleteAlias	Alias and key
ListAliasesByKeyId	kms:ListAliasesByKeyId	Key
CreateKeyVersion	kms:CreateKeyVersion	Key
DescribeKeyVersion	kms:DescribeKeyVersion	Key
ListKeyVersions	kms:ListKeyVersions	Key
UpdateRotationPolicy	kms:UpdateRotationPolicy	Key
Encrypt	kms:Encrypt	Key
Decrypt	kms:Decrypt	Key
ReEncrypt	kms:ReEncryptFrom kms:ReEncryptTo kms:ReEncrypt*	Key
GenerateDataKey	kms:GenerateDataKey	Key
GenerateDataKeyWithoutPlaintext	kms:GenerateDataKeyWithoutPlaintext	Key
ExportDataKey	kms:ExportDataKey	Key
GenerateAndExportDataKey	kms:GenerateAndExportDataKey	Key
AsymmetricSign	kms:AsymmetricSign	Key
AsymmetricVerify	kms:AsymmetricVerify	Key
AsymmetricEncrypt	kms:AsymmetricEncrypt	Key
AsymmetricDecrypt	kms:AsymmetricDecrypt	Key
GetPublicKey	kms:GetPublicKey	Key

Secrets Manager API operations


Operation	Action	Resource type
CreateSecret	kms:CreateSecret	Secret container
ListSecrets	kms:ListSecrets	Secret container
DescribeSecret	kms:DescribeSecret	Secret
DeleteSecret	kms:DeleteSecret	Secret
UpdateSecret	kms:UpdateSecret	Secret
RestoreSecret	kms:RestoreSecret	Secret
GetSecretValue	kms:GetSecretValue kms:Decrypt Note The permissions on kms:Decrypt are required only when a self-managed CMK is specified as the encryption key for a generic secret.	Secret
PutSecretValue	kms:PutSecretValue kms:GenerateDataKey Note The permissions on kms:GenerateDataKey are required only when a self-managed CMK is specified as the encryption key for a generic secret.	Secret
ListSecretVersionIds	kms:ListSecretVersionIds	Secret
UpdateSecretVersionStage	kms:UpdateSecretVersionStage	Secret
GetRandomPassword	kms:GetRandomPassword	None

Certificates Manager API operations


Operation	Action	Resource type
CreateCertificate	kms:CreateCertificate	Certificate
UploadCertificate	kms:UploadCertificate	Certificate
GetCertificate	kms:GetCertificate	Certificate
DescribeCertificate	kms:DescribeCertificate	Certificate
UpdateCertificateStatue	kms:UpdateCertificateStatue	Certificate
DeleteCertificate	kms:DeleteCertificate	Certificate
CertificatePrivateKeySign	kms:CertificatePrivateKeySign	Certificate
CertificatePublicKeyVerify	kms:CertificatePublicKeyVerify	Certificate
CertificatePublicKeyEncrypt	kms:CertificatePublicKeyEncrypt	Certificate
CertificatePrivateKeyDecrypt	kms:CertificatePrivateKeyDecrypt	Certificate

Tag management API operations


Operation	Action	Resource type
ListResourceTags	kms:ListResourceTags	Key or secret
UntagResource	kms:UntagResource	Key or secret
TagResource	kms:TagResource	Key or secret

Policy conditions in KMS

You can add conditions in RAM policies to control access to KMS. RAM authentication succeeds only when the added conditions are met. For example, you can add an acs:CurrentTime condition to control the period during which a RAM policy is valid.

In addition to global conditions, you can use tags as filters to limit the use of cryptographic API operations, such as Encrypt, Decrypt, and GenerateDataKey. Filters must be in the kms:tag/<tag-key> format.

For more information, see Policy elements.

Examples of RAM policies

RAM policy that allows users to access all KMS resources

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

RAM policy that allows users only to list and query keys, view aliases, and use keys

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*", "kms:Describe*",
        "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

RAM policy that allows users to use keys that contain the following tag to perform cryptographic operations:

Tag key: Project
Tag value: Apollo

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/Project": [
                        "Apollo"
                    ]
                }
            }
        }
    ]
}

RAM policy that allows users to access keys from the following IP addresses:

CIDR block: 192.168.0.0/16
IP address: 172.16.215.218

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "IpAddress": {
        "acs:SourceIp": [
          "192.168.0.0/16",
          "172.16.215.218"
        ]
      }
    }
  }]
}

RAM policy that allows users only to query secrets, query versions and content of secrets, and generate random passwords

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*", "kms:Describe*",
        "kms:GetSecretValue", "kms:Decrypt", "kms:GetRandomPassword"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

RAM policy that allows users only to query the details about certificates

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
          "kms:List*",
        "kms:Describe*",
        "kms:Get*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

RAM policy that allows users to generate and verify digital signatures by using specified certificates

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CertificatePrivateKeySign",
        "kms:CertificatePublicKeyVerify"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}