
Key Management Service:SetKeyPolicy

Last Updated: Jul 29, 2025

Sets a key policy for a key in a KMS instance.


RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

KeyId (string, required)

The ID or Alibaba Cloud Resource Name (ARN) of the key.

Note: To access a key of another Alibaba Cloud account, you must specify the ARN of the key. The key ARN is in the format acs:kms:${region}:${account}:key/${keyid}.

Example: key-hzz630494463ejqjx****

PolicyName (string, optional)

The name of the key policy. The name can only be `default`.

Example: default

Policy (string, required)

The key policy, as a JSON document. The policy can be up to 32,768 bytes in length.

A key policy contains the following elements:

  • Version: The version of the key policy. The value can only be 1.

  • Statement: The statement of the key policy. Each key policy can contain one or more statements.

The following code provides an example of a key policy:

{
    "Version": "1",
    "Statement": [
        {
            "Sid": "Enable RAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "RAM": ["acs:ram::112890462****:*"]
            },
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The following section describes the elements in a Statement:

  • Sid: Optional. The custom statement identifier. The value can be up to 128 characters in length and can contain uppercase letters, lowercase letters, digits, and the following special characters: _ / + = . @ -.

  • Effect: Required. The effect of the policy statement. Valid values: Allow and Deny.

  • Principal: Required. The principal that is authorized to access the key. You can set this parameter to the current Alibaba Cloud account, a RAM user or RAM role of the current Alibaba Cloud account, or a RAM user or RAM role of another Alibaba Cloud account.

  • Action: Required. The API operations that are allowed or denied. The value must start with kms:. For more information about the operations, see Key policy overview. If you specify an operation that is not included in the list, the operation will not take effect.

  • Resource: Required. The key. The value can only be *.

  • Condition: Optional. The conditions for the policy to take effect. You can use conditions to evaluate the context of an API request to determine whether the policy statement is applicable. The format is "Condition": {"condition operator": {"condition key": "condition value"}}. For more information, see Key policy overview.

Note

After you grant permissions to a RAM user or RAM role of another Alibaba Cloud account, you must use the Alibaba Cloud account to which the RAM user or RAM role belongs to grant the RAM user or RAM role the permissions to use the key in the RAM console. For more information, see Custom policies for KMS, Grant permissions to a RAM user, and Grant permissions to a RAM role.

Example:

{
  "Version": "1",
  "Statement": [
    {
      "Sid": "kms default key policy",
      "Effect": "Allow",
      "Principal": { "RAM": ["acs:ram::119285303511****:*"] },
      "Action": ["kms:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Principal": { "RAM": ["acs:ram::119285303511****:user/for_test_policy"] },
      "Action": [
        "kms:List*", "kms:Describe*", "kms:Create*", "kms:Enable*", "kms:Disable*",
        "kms:Get*", "kms:Set*", "kms:Update*", "kms:Delete*", "kms:Cancel*",
        "kms:TagResource", "kms:UntagResource", "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion"
      ],
      "Resource": ["*"]
    }
  ]
}
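The Policy constraints above (Version, Effect, the kms: prefix on Action, Resource, Sid) can be checked locally before a SetKeyPolicy call, which turns an InvalidParameter round-trip into an immediate local error and lets a reviewer spot account-wide kms:* grants. The following is an added example, not code from the Alibaba Cloud documentation or SDK; it assumes RAM principals have the acs:ram::account:... shape shown on this page, and treats the space as a valid Sid character because the page's own example Sids contain spaces.

```python
import json
import re

MAX_POLICY_BYTES = 32768  # limit stated on the page
# Sid charset per the page, plus the space, which the page's own example Sids use (assumption).
SID_RE = re.compile(r"^[A-Za-z0-9_/+=.@ -]{1,128}$")
# Assumed RAM principal shape acs:ram::<account>:<user|role|*>, as in the page's examples.
RAM_ARN_RE = re.compile(r"^acs:ram::[0-9*]+:.+$")

def validate_key_policy(policy_json: str) -> list:
    """Return the problems found; an empty list means the document passes these checks."""
    problems = []
    if len(policy_json.encode("utf-8")) > MAX_POLICY_BYTES:
        problems.append("policy exceeds %d bytes" % MAX_POLICY_BYTES)
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return problems + ["not valid JSON: %s" % exc]
    if doc.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        where = "Statement[%d]" % i
        if not isinstance(stmt, dict):
            problems.append(where + ": must be an object")
            continue
        sid = stmt.get("Sid")
        if sid is not None and not SID_RE.match(str(sid)):
            problems.append(where + ": Sid too long or contains disallowed characters")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(where + ": Effect must be Allow or Deny")
        principals = stmt.get("Principal", {}).get("RAM")
        if not isinstance(principals, list) or not all(
                isinstance(p, str) and RAM_ARN_RE.match(p) for p in principals):
            problems.append(where + ": Principal.RAM must be a list of RAM ARNs")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not all(
                isinstance(a, str) and a.startswith("kms:") for a in actions):
            problems.append(where + ": every Action must start with kms:")
        if stmt.get("Resource") != ["*"]:
            problems.append(where + ': Resource must be ["*"]')
    return problems

def broad_allow_sids(policy_json: str) -> list:
    """Sids of Allow statements that grant kms:* to a whole account (principal ending in ':*')."""
    return [s.get("Sid", "<no Sid>") for s in json.loads(policy_json)["Statement"]
            if s.get("Effect") == "Allow" and "kms:*" in s.get("Action", [])
            and any(p.endswith(":*") for p in s.get("Principal", {}).get("RAM", []))]
```

Run on the example policy above, validate_key_policy returns no problems and broad_allow_sids lists "kms default key policy", the statement that hands every KMS action to the whole account.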

Response parameters

The response is an object with the following field:

RequestId (string)

The ID of the request, which is a unique identifier generated by Alibaba Cloud. You can use the ID to troubleshoot issues.

Example: 381D5D33-BB8F-395F-8EE4-AE3BB4B523C8

Examples

Success response

JSON format

{
  "RequestId": "381D5D33-BB8F-395F-8EE4-AE3BB4B523C8"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | MissingParameter | The parameter needed but no provided. | The required parameters are not specified. |
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 400 | Forbidden.NoPermission | This operation is forbidden by permission system. | You are not authorized to perform this operation. |
| 400 | Forbidden.KeyPolicyUnSupported | The specified key does not support key policy. | The specified key does not support key policies. |
| 400 | Rejected.ShareQuotaExceedLimit | Instance Share Quota Exceed Limit. | The instance share quota exceeds the limit. |
| 500 | InternalFailure | Internal Failure | An internal error occurred. |
| 403 | Forbidden.DKMSInstanceStateInvalid | The DKMS instance state is invalid. | Your dedicated KMS instance is invalid. |
| 404 | Forbidden.KeyNotFound | The specified Key is not found. | The error message returned because the specified CMK does not exist. |
| 404 | Forbidden.ResourceNotFound | Policy not found. | |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.