CreatePolicy - Key Management Service - Alibaba Cloud Documentation Center

Creates a permission policy to configure the keys and secrets that are allowed to access.

Operation description

To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based application access point (AAP):

1.Create an access control rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access a KMS instance. For more information, see CreateNetworkRule .

2.Create a permission policy: You can configure the keys and secrets that are allowed to access and bind access control rules to the keys and secrets.

3.Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. For more information, see CreateApplicationAccessPoint .

4.Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP. For more information, see CreateClientKey .

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Parameter	Type	Required	Description	Example
Name	string	Yes	The name of the permission policy.	policy_test
Description	string	No	The description.	policy description
KmsInstance	string	No	The scope of the permission policy. You need to specify the KMS instance that you want to access.	kst-hzz634e67d126u9p9****
Permissions	string	Yes	The operations that can be performed. Valid values: RbacPermission/Template/CryptoServiceKeyUser: allows you to perform cryptographic operations. RbacPermission/Template/CryptoServiceSecretUser: allows you to perform secret-related operations. You can select both.	["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
Resources	string	Yes	The key and secret that are allowed to access. Key: Enter a key in the `key/${KeyId}` format. To allow access to all keys of a KMS instance, enter key/. Secret: Enter a secret in the `secret/${SecretName}` format. To allow access to all secrets of a KMS instance, enter secret/.	["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]
AccessControlRules	string	No	The name of the access control rule. Note For more information about how to query created access control rules, see ListNetworkRules .	{"NetworkRules":["kst-hzz62ee817bvyyr5x**.efkd","kst-hzz62ee817bvyyr5x**.eyyp"]}

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request, which is used to locate and troubleshoot issues.	3bf02f7a-015b-4f34-be0f-c4543fda2d33
Arn	string	The ARN of the permission policy.	acs:kms:cn-hangzhou:119285303511****:policy/policy_test
Name	string	The name of the permission policy.	policy_test
Description	string	The description.	policy description
KmsInstance	string	The scope of the permission policy.	kst-hzz634e67d126u9p9****
Permissions	string	The operations that can be performed.	["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
Resources	string	The key and secret that are allowed to access. `key/` indicates that all keys of the KMS instance can be accessed. `secret/` indicates all secrets of the KMS instance can be accessed.	["secret/acs/ram/user/ram-secret", "secret/acs/ram/user/acr-master", "key/key-hzz63d9c8d3dfv8cv****"]
AccessControlRules	string	The name of the access control rule.	{"NetworkRules":["kst-hzz62ee817bvyyr5x**.efkd","kst-hzz62ee817bvyyr5x**.eyyp"]}

Examples

Sample success responses

JSONformat

{
  "RequestId": "3bf02f7a-015b-4f34-be0f-c4543fda2d33",
  "Arn": "acs:kms:cn-hangzhou:119285303511****:policy/policy_test",
  "Name": "policy_test",
  "Description": "policy  description",
  "KmsInstance": "kst-hzz634e67d126u9p9****",
  "Permissions": [
    "RbacPermission/Template/CryptoServiceKeyUser",
    "RbacPermission/Template/CryptoServiceSecretUser"
  ],
  "Resources": [
    "secret/acs/ram/user/ram-secret",
    "secret/acs/ram/user/acr-master",
    "key/key-hzz63d9c8d3dfv8cv****"
  ],
  "AccessControlRules": {
    "NetworkRules": [
      "kst-hzz62ee817bvyyr5x****.efkd",
      "kst-hzz62ee817bvyyr5x****.eyyp"
    ]
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The specified parameter is not valid.	An invalid value is specified for the parameter.
404	InvalidAccessKeyId.NotFound	The Access Key ID provided does not exist in our records.	-

For a list of error codes, visit the Service error codes.