You can add or remove Resource Access Management (RAM) users and RAM roles to or from a key policy to set the administrators and users of a key. This topic describes how to configure a key policy.
Configure a key policy in the KMS console
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Customer Master Keys tab, find the key for which you want to configure a policy. Click the key ID or click Details in the Actions column that corresponds to the key.
In the Key Policy section at the bottom of the details page, click Configure Key Policy. After you complete the configuration, click OK.
Visual Editor: In this mode, you assign a Principal (a RAM User or RAM Role) to a predefined role that has default permissions (Actions).
Administrator: Principals with this role can perform management operations on the key. This role does not include permissions for Cryptographic Operations. You can assign this role to RAM Users and RAM Roles within your Alibaba Cloud account.
User: Principals with this role can only use the key for Cryptographic Operations. You can assign this role to RAM Users and RAM Roles within your Alibaba Cloud account.
Cross-account User: This can be a RAM User or RAM Role from another Alibaba Cloud account. Cross-account users can only use the key for cryptographic operations.
Important: Granting permissions to a RAM User or RAM Role from another Alibaba Cloud account consumes the Access Management Quota of your KMS instance. The quota is consumed based on the number of unique Alibaba Cloud accounts to which you grant access. If you revoke the authorization, the quota is released after about five minutes.
To allow the cross-account Principal to use the key, you must also grant the necessary permissions to the corresponding user or role in the RAM console of the target account. For more information, see Custom Permission Policies for Key Management Service, Manage permissions for a RAM User, and Manage permissions for a RAM Role.
Click Add ARN of Cross-account User and enter the ARN of the Principal. You can find the ARN on the user or role details page in the RAM console.
RAM User: The format is acs:ram::<Other Alibaba Cloud Account ID>:user/<ramuser>. Example: acs:ram::119285303511****:user/testpolicyuser.
RAM Role: The format is acs:ram::<Other Alibaba Cloud Account ID>:role/<ramrole>. Example: acs:ram::119285303511****:role/testpolicyrole.
Syntax Editor: You can directly modify or add permission statements in the policy editor. The following example shows a sample configuration.
Scenario: This example shows a key policy for a key that belongs to Alibaba Cloud account 119285303511****.
The key owner (Alibaba Cloud account 119285303511****) has full access to manage and use the key. We recommend that you do not change this default statement.
Note: By default, the key owner has all permissions. This statement cannot be modified.
This statement allows RAM User key_ramuser1 in the same account (119285303511****) to manage the key.
This statement allows RAM User key_ramuser2 in the same account (119285303511****) and RAM User key_ramuser3 from another account (190325303126****) to use the key.
Policy example:
{
  "Statement": [
    {
      "Action": ["kms:*"],
      "Effect": "Allow",
      "Principal": {
        "RAM": ["acs:ram::119285303511****:*"]
      },
      "Resource": ["*"],
      "Sid": "kms default key policy"
    },
    {
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Create*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Set*",
        "kms:Update*",
        "kms:Delete*",
        "kms:Cancel*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": ["acs:ram::119285303511****:user/key_ramuser1"]
      },
      "Resource": ["*"]
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateAndExportDataKey",
        "kms:AsymmetricEncrypt",
        "kms:AsymmetricDecrypt",
        "kms:DescribeKey",
        "kms:DescribeKeyVersion",
        "kms:ListKeyVersions",
        "kms:ListAliasesByKeyId",
        "kms:TagResource"
      ],
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::119285303511****:user/key_ramuser2",
          "acs:ram::190325303126****:user/key_ramuser3"
        ]
      },
      "Resource": ["*"]
    }
  ],
  "Version": "1"
}
Limitations
A Key Policy can be applied only to Customer Master Keys.
A key policy must be in JSON format and cannot exceed 32,768 bytes.
You can set the following actions in a Key Policy:
Warning: If you specify an action that is not in this list, the permission will not take effect.
"Action": [
  "kms:List*",
  "kms:Describe*",
  "kms:Create*",
  "kms:Enable*",
  "kms:Disable*",
  "kms:Get*",
  "kms:Set*",
  "kms:Update*",
  "kms:Delete*",
  "kms:Cancel*",
  "kms:TagResource",
  "kms:UntagResource",
  "kms:ImportKeyMaterial",
  "kms:ScheduleKeyDeletion",
  "kms:Encrypt",
  "kms:Decrypt",
  "kms:GenerateDataKey",
  "kms:GenerateAndExportDataKey",
  "kms:AsymmetricEncrypt",
  "kms:AsymmetricDecrypt",
  "kms:DescribeKey",
  "kms:DescribeKeyVersion",
  "kms:ListKeyVersions",
  "kms:ListAliasesByKeyId"
]
Cross-account key authorization: To authorize a cross-account RAM User or RAM Role to use a key, you must configure permissions in both accounts:
In the KMS console, configure the key policy to grant usage permissions to the target account. This involves adding a policy statement for a Cross-account User.
In the target account, configure a Permission Policy in the RAM console to grant the corresponding user or role permission to use the key.
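As an added example (not part of the Alibaba Cloud documentation), a small Python linter that applies the limitations above to a policy before you paste it into the Syntax Editor: it checks the 32,768-byte limit and JSON validity, flags actions outside the allowed list (which KMS would silently ignore), validates principal ARNs, reports any non-cryptographic action granted to a cross-account principal, and counts the unique foreign accounts that consume Access Management Quota. The 16-digit account-ID shape in the regex is an assumption, and SAMPLE_POLICY, its account IDs and the action name kms:NotOnTheList are constructed for the demonstration.

```python
import fnmatch
import json
import re

# Action lists from this page: Administrator actions and User/cross-account actions.
ADMIN_ACTIONS = {"kms:List*", "kms:Describe*", "kms:Create*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:Set*",
                 "kms:Update*", "kms:Delete*", "kms:Cancel*", "kms:TagResource", "kms:UntagResource", "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion"}
USER_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateAndExportDataKey",
                "kms:AsymmetricEncrypt", "kms:AsymmetricDecrypt", "kms:DescribeKey", "kms:DescribeKeyVersion",
                "kms:ListKeyVersions", "kms:ListAliasesByKeyId", "kms:TagResource"}
MAX_POLICY_BYTES = 32768
# Assumed ARN shape: acs:ram::<16-digit account id>:user/<name>, :role/<name>, or :* for the whole account.
ARN_RE = re.compile(r"^acs:ram::(\d{16}):(?:user/[^/]+|role/[^/]+|\*)$")

def action_is_allowed(action):
    # A listed action, one covered by a listed wildcard, or "kms:*" (used only by the owner's default statement).
    return action == "kms:*" or any(fnmatch.fnmatchcase(action, p) for p in ADMIN_ACTIONS | USER_ACTIONS)

def check_key_policy(policy_text, owner_account):
    """Lint a key policy before applying it; returns findings plus the foreign account IDs that consume quota."""
    findings, foreign = [], set()
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append(f"policy is larger than {MAX_POLICY_BYTES} bytes")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return {"findings": findings + [f"invalid JSON: {exc.msg} (line {exc.lineno})"], "cross_account_ids": []}
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = [stmt["Action"]] if isinstance(stmt.get("Action"), str) else stmt.get("Action", [])
        for a in actions:
            if not action_is_allowed(a):
                findings.append(f"statement {i}: action {a!r} is not in the allowed list and will not take effect")
        principals = stmt.get("Principal", {}).get("RAM", [])
        for arn in ([principals] if isinstance(principals, str) else principals):
            m = ARN_RE.match(arn)
            if not m:
                findings.append(f"statement {i}: malformed principal ARN {arn!r}")
            elif m.group(1) != owner_account:
                foreign.add(m.group(1))  # each unique foreign account consumes one unit of Access Management Quota
                for a in actions:
                    if a not in USER_ACTIONS:  # cross-account principals may only receive cryptographic-use actions
                        findings.append(f"statement {i}: cross-account principal {arn} granted non-user action {a!r}")
    return {"findings": findings, "cross_account_ids": sorted(foreign)}

# Constructed sample (account IDs made up): owner default, a user grant with one bad action, a foreign admin grant.
SAMPLE_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Sid": "kms default key policy", "Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"], "Principal": {"RAM": ["acs:ram::1192853035110001:*"]}},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:NotOnTheList"], "Resource": ["*"],
     "Principal": {"RAM": ["acs:ram::1192853035110001:user/key_ramuser2", "acs:ram::1903253031260002:user/key_ramuser3"]}},
    {"Effect": "Allow", "Action": ["kms:Describe*"], "Resource": ["*"], "Principal": {"RAM": ["acs:ram::1903253031260002:role/auditor"]}}]})
```

Running check_key_policy(SAMPLE_POLICY, "1192853035110001") reports the unlisted action, the same action reaching a foreign user, and the Describe* wildcard granted to a foreign role, with one foreign account counted against quota.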
Default permissions (Actions)
Administrator
A Principal with this role can perform management operations on the key. This role does not include permissions for Cryptographic Operations.
"Action": [
"kms:List*",
"kms:Describe*",
"kms:Create*",
"kms:Enable*",
"kms:Disable*",
"kms:Get*",
"kms:Set*",
"kms:Update*",
"kms:Delete*",
"kms:Cancel*",
"kms:TagResource",
"kms:UntagResource",
"kms:ImportKeyMaterial",
"kms:ScheduleKeyDeletion"
]
User/cross-account user
A Principal with this role can use the key only for Cryptographic Operations.
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateAndExportDataKey",
"kms:AsymmetricEncrypt",
"kms:AsymmetricDecrypt",
"kms:DescribeKey",
"kms:DescribeKeyVersion",
"kms:ListKeyVersions",
"kms:ListAliasesByKeyId",
"kms:TagResource"
]