When you use Key Management Service (KMS) to create and manage Resource Access Management (RAM) secrets, you must create a regular service role named AliyunKMSManagedRAMCrendentialsRole and attach the AliyunKMSManagedRAMCrendentialsRolePolicy policy to the regular service role. This topic describes how to create, view, and delete the AliyunKMSManagedRAMCrendentialsRole regular service role.
Overview
Regular service roles are RAM roles that are assumed by trusted Alibaba Cloud services. Regular service roles are used for access between Alibaba Cloud services. For more information, see RAM role overview.
When you use KMS to create and manage RAM secrets, you must create the following regular service role and custom policy:
Regular service role: AliyunKMSManagedRAMCrendentialsRole
Custom policy: AliyunKMSManagedRAMCrendentialsRolePolicy
Scenarios
Before you can manage RAM secrets, you must grant KMS the permissions to manage the AccessKey pairs of RAM users. For more information, see Manage and use RAM secrets.
Required permissions for a RAM user to assume a regular service role
If you use a RAM user to create or delete a regular service role, you must contact the administrator to grant the AliyunKMSFullAccess permission to the RAM user or create a custom policy and include the following permissions in the Action element of the custom policy:
Permissions required to create a regular service role: ram:CreateRole
Permissions required to delete a regular service role: ram:DeleteRole
    {
        "Action": [
            "ram:CreateRole",
            "ram:DeleteRole"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
            "StringEquals": {
                "ram:ServiceName": "keystore.kms.aliyuncs.com"
            }
        }
    }
For more information, see Service-linked roles and Grant permissions to a RAM user.
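The following Python script is an added example, not part of this documentation or of any Alibaba Cloud SDK. It embeds the custom policy statement above (wrapped in a Version/Statement envelope, which is an assumption about the full document) together with a simplified policy evaluator, and shows that the ram:ServiceName condition limits the RAM user to creating or deleting roles for KMS only, and what the RAM user could do if the condition were dropped. The "example.other.aliyuncs.com" service name is a constructed value.

```python
# Custom policy from this page, embedded so the check runs offline.
# The Version/Statement envelope is assumed; the page shows only the statement.
KMS_ROLE_ADMIN_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:CreateRole", "ram:DeleteRole"],
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {"StringEquals": {"ram:ServiceName": "keystore.kms.aliyuncs.com"}},
    }],
}

# Weak variant for comparison: same actions, but the service-name condition removed.
WITHOUT_CONDITION = {
    "Version": "1",
    "Statement": [{k: v for k, v in KMS_ROLE_ADMIN_POLICY["Statement"][0].items()
                   if k != "Condition"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Simplified matcher: only a trailing '*' wildcard is supported.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _condition_holds(condition, request_keys):
    # Only StringEquals is implemented; every listed key must be present and equal.
    for key, expected in condition.get("StringEquals", {}).items():
        if request_keys.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource="*", request_keys=None):
    """True if an Allow statement covers the request and no Deny statement does."""
    request_keys = request_keys or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request_keys):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

With the condition in place, a CreateRole request whose ram:ServiceName is not the KMS service (or that carries no service name at all) is denied; without it, the same RAM user could create or delete a role for any service.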
Create a regular service role
When you create RAM secrets, the system checks whether the AliyunKMSManagedRAMCrendentialsRole of the current account exists. If the role does not exist, a message prompts you to authorize KMS to access AccessKey pairs. If you use a RAM administrator user, click Agree to Authorization on the Cloud Resource Access Authorization page. Otherwise, send the Cloud Resource Access Authorization link to the RAM administrator or the Alibaba Cloud account to complete the authorization. When the authorization is complete, the system automatically creates the service-linked role AliyunKMSManagedRAMCrendentialsRole and its associated permission policy AliyunKMSManagedRAMCrendentialsRolePolicy.
The following sample code shows the AliyunKMSManagedRAMCrendentialsRolePolicy policy:
AliyunKMSManagedRAMCrendentialsRolePolicy
You can also specify the AccessKey pairs of RAM users that you want to manage based on your business requirements.
View a regular service role
After you create a regular service role, you can search for AliyunKMSManagedRAMCrendentialsRole on the Roles page of the RAM console to view the role details.
Basic Information
In the Basic Information section, you can view the basic information about the role, including the name, creation time, Alibaba Cloud Resource Name (ARN), and description.
Permissions
On the Permissions tab, you can click the name of a policy to view the policy document and the cloud resources that the role can access.
Trust Policy
On the Trust Policy tab, you can view the document of the trust policy that is attached to the role. A trust policy describes the trusted entities of a RAM role. A trusted entity is an entity that can assume the RAM role. The trusted entity of a regular service role is a cloud service. You can view the value of the Service field in the trust policy of the regular service role to obtain the trusted entity.
For more information about how to view a regular service role, see View the information about a RAM role.
Delete a regular service role
After a regular service role is deleted, the features that depend on the role cannot be used. Proceed with caution.
If you do not use KMS for a long period of time, you can manually delete the regular service role in the RAM console. For more information, see Delete a RAM role.
Before you delete the AliyunKMSManagedRAMCrendentialsRole regular service role, make sure that you no longer need to manage RAM secrets by using the role.