
Key Management Service: SetSecretPolicy

Last Updated: Jul 29, 2025

Operation description

Sets a secret policy for a secret in a KMS instance.


RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter: SecretName

Type: string

Required: Yes

Description: The name or Alibaba Cloud Resource Name (ARN) of the secret.

Note

When you access a secret in another Alibaba Cloud account, you must specify the ARN of the secret. The ARN of a secret is in the format of acs:kms:${region}:${account}:secret/${secret-name}.

Example: secret_test

Parameter: PolicyName

Type: string

Required: No

Description: The name of the secret policy. The value can only be `default`.

Example: default

Parameter: Policy

Type: string

Required: Yes

Description: The content of the secret policy. The value must be in the JSON format. The value can be up to 32,768 bytes in length.

A secret policy contains the following elements:

  • Version: The version of the secret policy. The value can only be 1.

  • Statement: The statement of the secret policy. Each secret policy can contain one or more statements.

The following code shows the format of a secret policy:

{
    "Version": "1",
    "Statement": [
        {
            "Sid": "Enable RAM User Permissions",
            "Effect": "Allow",
            "Principal": {
              "RAM": ["acs:ram::12345678****:*"]
            },
            "Action": [
                "kms:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The following section describes the elements in a statement:

  • Sid: Optional. The custom identifier of the statement. The value can be up to 128 characters in length and can contain uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters, including underscores (_), forward slashes (/), equal signs (=), plus signs (+), periods (.), at signs (@), and hyphens (-).

  • Effect: Required. Specifies whether to allow or deny the permissions in the statement. Valid values: Allow and Deny.

  • Principal: Required. The principal that is authorized to access the secret. You can set this parameter to the current Alibaba Cloud account (the account to which the secret belongs), a RAM user or RAM role of the current Alibaba Cloud account, or a RAM user or RAM role of another Alibaba Cloud account.

  • Action: Required. The API operations that are allowed or denied. The value must start with `kms:`. For a list of supported operations, see Secret policy overview. If you specify an operation that is not in the list, the operation does not take effect.

  • Resource: Required. The value can only be `*`, which indicates the current KMS secret.

  • Condition: Optional. The conditions for the authorization to take effect. You can use conditions to evaluate the context of an API request to determine whether a policy statement is applicable. The format is "Condition": {"condition operator": {"condition key": "condition value"}}. For more information, see Secret policy overview.

Note

After you grant permissions to a RAM user or RAM role of another Alibaba Cloud account, you must go to the RAM console and use the Alibaba Cloud account to which the RAM user or RAM role belongs to grant the RAM user or RAM role the permissions to use the secret. For more information, see Custom policies for KMS, Grant permissions to a RAM user, and Grant permissions to a RAM role.

Example:

{"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] }
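The rules above (Version fixed at "1", Resource fixed at `*`, actions prefixed with `kms:`, the Sid length and character set, the 32,768-byte limit, and the Note about cross-account grants) are easy to get wrong before the API rejects the call. The following validator is an added example, not part of Alibaba Cloud's SDK or this page; it assumes the RAM principal format `acs:ram::<account>:<entity>` shown in the page's examples, treats spaces in Sid as allowed because the page's own examples use them, and reuses the page's example value as its sample input.

```python
import json
import re

# Limits from the Policy description on this page; spaces in Sid are an assumption (the page's examples use them).
MAX_POLICY_BYTES = 32768
SID_RE = re.compile(r"^[A-Za-z0-9_/=+.@ -]{1,128}$")
REQUIRED_KEYS = ("Effect", "Principal", "Action", "Resource")
# The page's own example value for Policy, reused here as the sample input.
SAMPLE_POLICY = '{"Version":"1","Statement": [{"Sid":"kms default secret policy","Effect":"Allow","Principal":{"RAM": ["acs:ram::119285303511****:*"]},"Action":["kms:*"],"Resource": ["*"] }] }'


def validate_secret_policy(policy: str, owner_account: str) -> list:
    """Return findings: ERROR items break a documented rule, WARN items are review points."""
    findings = []
    if len(policy.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("ERROR: policy exceeds 32,768 bytes")
    try:
        doc = json.loads(policy)
    except json.JSONDecodeError as exc:
        return findings + [f"ERROR: policy is not valid JSON ({exc.msg})"]
    if doc.get("Version") != "1":
        findings.append("ERROR: Version must be the string '1'")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["ERROR: Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        findings += [f"ERROR: {where} is missing {k}" for k in REQUIRED_KEYS if k not in st]
        if "Sid" in st and not SID_RE.match(str(st["Sid"])):
            findings.append(f"ERROR: {where} Sid violates the length or character rule")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"ERROR: {where} Effect must be Allow or Deny")
        actions = st.get("Action", [])  # the page shows Action as a list of strings
        findings += [f"ERROR: {where} Action {a!r} must start with 'kms:'" for a in actions if not str(a).startswith("kms:")]
        if st.get("Resource") not in (["*"], "*"):
            findings.append(f"ERROR: {where} Resource can only be '*'")
        if st.get("Effect") != "Allow":
            continue
        # Review points: a grant to another account also needs the RAM-side grant from the Note above.
        for p in st.get("Principal", {}).get("RAM", []):
            parts = p.split(":")  # assumption: acs:ram::<account>:<entity>, as in the page's examples
            acct = parts[3] if len(parts) >= 5 and parts[:2] == ["acs", "ram"] else ""
            if acct and acct != owner_account:
                findings.append(f"WARN: {where} grants account {acct}; the RAM-side grant is also needed")
            if p.endswith(":*") and "kms:*" in actions:
                findings.append(f"WARN: {where} grants every RAM identity of {acct or p} kms:*")
    return findings


if __name__ == "__main__":
    for finding in validate_secret_policy(SAMPLE_POLICY, "119285303511****"):
        print(finding)
```

Run it against a policy before calling SetSecretPolicy; an empty result means every documented rule passed, while WARN lines point at grants worth reviewing.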

Response parameters

The response body is an object with the following parameter:

Parameter: RequestId

Type: string

Description: The ID of the request, which is a unique identifier generated by Alibaba Cloud. You can use this ID to troubleshoot issues.

Example: 381D5D33-BB8F-395F-8EE4-AE3BB4B523C8

Examples

Success response

JSON format

{
  "RequestId": "381D5D33-BB8F-395F-8EE4-AE3BB4B523C8"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | MissingParameter | The parameter needed but no provided. | The required parameters are not specified. |
| 400 | InvalidParameter | The specified parameter is not valid. | An invalid value is specified for the parameter. |
| 400 | Forbidden.NoPermission | This operation is forbidden by permission system. | You are not authorized to perform this operation. |
| 400 | Forbidden.KeyPolicyUnSupported | The specified key does not support key policy. | The specified key does not support key policies. |
| 400 | Rejected.ShareQuotaExceedLimit | Instance Share Quota Exceed Limit. | The instance share quota exceeds the limit. |
| 403 | Forbidden.DKMSInstanceStateInvalid | The DKMS instance state is invalid. | Your dedicated KMS instance is invalid. |
| 404 | Forbidden.ResourceNotFound | Resource not found. | The resource is not found. |
| 404 | Forbidden.KeyNotFound | The specified Key is not found. | The error message returned because the specified CMK does not exist. |
| 503 | SerivceUnvailableTemporary | Service Unvailable Temporary | The service is temporarily unavailable. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.