You can add or remove RAM users and RAM roles in a secret policy to configure administrators and users of the secret. This topic describes how to configure a secret policy.
Configure in the console
1. Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
2. On the Secrets tab, locate your target secret, and click the secret ID or Details in the Actions column.
3. In the Secret Policy area at the bottom of the details page, click Configure Secret Policy, complete the configuration, and then click OK.
   - Visual Editor: In this mode, select a Principal (RAM user or RAM role); the principal receives the Default policy permissions (Action) for its type.
     - Administrator: Can perform management operations on the secret but cannot retrieve the secret value. Only RAM users and RAM roles in the current account can be selected.
     - User: Can only retrieve the secret value. Only RAM users and RAM roles in the current account can be selected.
     - Cross-account User: Can be RAM users or RAM roles from other Alibaba Cloud accounts. Only retrieving the secret value is supported.
       Important:
       - Authorizing RAM users or roles from other Alibaba Cloud accounts consumes the Access Management Quota of the KMS instance. The quota is counted by the number of Alibaba Cloud accounts. After you revoke authorization, the quota is returned in approximately 5 minutes.
       - You must also configure the corresponding secret usage permissions for the user or role in the RAM console. For more information, see Custom policies, Manage RAM user permissions, and Manage permissions for a RAM role.
       Click Add ARN of Cross-account User and enter the ARN of the principal. You can find the ARN on the user or role details page in the RAM console.
       - RAM user: Format is acs:ram::<other Alibaba Cloud account userId>:user/<ramuser>, for example, acs:ram::119285303511****:user/testpolicyuser.
       - RAM role: Format is acs:ram::<other Alibaba Cloud account userId>:role/<ramrole>, for example, acs:ram::119285303511****:role/testpolicyrole.
   - Syntax Editor: You can directly modify or add permission policies in the syntax editor. The following is a configuration example.
     Scenario: Configure a secret policy for a secret under Alibaba Cloud account 119285303511**** that does the following:
     - Grants the current Alibaba Cloud account (119285303511****) full access to the secret, including management and usage. Do not modify this statement.
       Note: By default, the secret owner has all permissions. This rule cannot be modified.
     - Grants RAM user secret_ramuser1 under the current Alibaba Cloud account (119285303511****) permission to manage the secret.
     - Grants RAM user secret_ramuser2 under the current Alibaba Cloud account (119285303511****) and RAM user secret_ramuser3 under another Alibaba Cloud account (190325303126****) permission to use the secret.
     Syntax example:
     {
       "Statement": [
         {
           "Action": [ "kms:*" ],
           "Effect": "Allow",
           "Principal": { "RAM": [ "acs:ram::119285303511****:*" ] },
           "Resource": [ "*" ],
           "Sid": "kms default secret policy"
         },
         {
           "Action": [
             "kms:List*", "kms:Describe*", "kms:PutSecretValue", "kms:Update*",
             "kms:DeleteSecret", "kms:RestoreSecret", "kms:RotateSecret",
             "kms:TagResource", "kms:UntagResource"
           ],
           "Effect": "Allow",
           "Principal": { "RAM": [ "acs:ram::119285303511****:user/secret_ramuser1" ] },
           "Resource": [ "*" ]
         },
         {
           "Action": [ "kms:List*", "kms:Describe*", "kms:GetSecretValue" ],
           "Effect": "Allow",
           "Principal": {
             "RAM": [
               "acs:ram::119285303511****:user/secret_ramuser2",
               "acs:ram::190325303126****:user/secret_ramuser3"
             ]
           },
           "Resource": [ "*" ]
         }
       ],
       "Version": "1"
     }
     Note: The Resource field in the example above is set to ["*"], which targets the current secret. You can also set Resource to a specific secret ARN to restrict the policy scope. For the secret ARN format, see Overview of secret policies.
Limitations
- Secret policies can only be configured for secrets in a KMS instance.
- A secret policy must be in JSON format and cannot exceed 32,768 bytes in size.
- The following operations can be specified in a secret policy:
  Warning: If you specify an operation that is not on this list, it has no effect.
  "Action": [
    "kms:List*",
    "kms:Describe*",
    "kms:PutSecretValue",
    "kms:Update*",
    "kms:DeleteSecret",
    "kms:RestoreSecret",
    "kms:RotateSecret",
    "kms:TagResource",
    "kms:UntagResource",
    "kms:GetSecretValue"
  ]
- Cross-account secret authorization: To authorize RAM users or RAM roles from other Alibaba Cloud accounts to use a secret in your account, you must configure dual authorization:
  - Configure a secret policy in the KMS console to grant the target account access: add a Cross-account User principal in the secret policy.
  - The target account must configure the corresponding secret usage permissions for its user or role in the RAM console.
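To review a policy written in the Syntax Editor against the limitations above before applying it, here is an added Python example (not Alibaba Cloud's code) that uses the page's own syntax example, embedded as a constructed constant, as input. It assumes the owner account is identified by the literal account ID string in the principal ARN, and reports actions outside the supported list, malformed principal ARNs, cross-account principals (which consume quota and need a RAM-side grant), and every principal able to retrieve the secret value.

```python
import json
import re

ALLOWED_ACTIONS = {  # operations the page lists as usable in a secret policy; others have no effect
    "kms:List*", "kms:Describe*", "kms:PutSecretValue", "kms:Update*",
    "kms:DeleteSecret", "kms:RestoreSecret", "kms:RotateSecret",
    "kms:TagResource", "kms:UntagResource", "kms:GetSecretValue",
}
MAX_POLICY_BYTES = 32768  # size limit stated on the page
READ_ACTIONS = {"kms:GetSecretValue", "kms:*"}  # either one lets a principal read the value
# acs:ram::<accountId>:user/<name>, acs:ram::<accountId>:role/<name> or acs:ram::<accountId>:*
PRINCIPAL_RE = re.compile(r"^acs:ram::(?P<account>[0-9*]+):(\*|user/[^/]+|role/[^/]+)$")
# The page's syntax example, embedded here as constructed sample input.
PAGE_EXAMPLE = '''{"Statement":[{"Sid":"kms default secret policy","Effect":"Allow","Action":["kms:*"],
 "Principal":{"RAM":["acs:ram::119285303511****:*"]},"Resource":["*"]},{"Effect":"Allow","Action":["kms:List*",
 "kms:Describe*","kms:PutSecretValue","kms:Update*","kms:DeleteSecret","kms:RestoreSecret","kms:RotateSecret",
 "kms:TagResource","kms:UntagResource"],"Principal":{"RAM":["acs:ram::119285303511****:user/secret_ramuser1"]},
 "Resource":["*"]},{"Effect":"Allow","Action":["kms:List*","kms:Describe*","kms:GetSecretValue"],"Principal":
 {"RAM":["acs:ram::119285303511****:user/secret_ramuser2","acs:ram::190325303126****:user/secret_ramuser3"]},
 "Resource":["*"]}],"Version":"1"}'''


def audit_secret_policy(policy_text: str, owner_account: str) -> dict:
    """Return issues, cross-account principals and principals that can read the secret value."""
    issues, cross_account, readers = [], [], []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        issues.append("policy exceeds 32,768 bytes")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:  # the policy must be JSON; catch this before uploading
        return {"issues": [f"invalid JSON: {exc}"], "cross_account": [], "can_read_value": []}
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = set(stmt.get("Action", []))
        for p in stmt.get("Principal", {}).get("RAM", []):
            m = PRINCIPAL_RE.match(p)
            if not m:
                issues.append(f"statement {i}: malformed principal {p!r}")
                continue
            if m.group("account") != owner_account:  # consumes quota; also needs a RAM-side grant
                cross_account.append(p)
            if stmt.get("Effect") == "Allow" and actions & READ_ACTIONS:
                readers.append(p)
        for a in sorted(actions):
            if a == "kms:*" and stmt.get("Sid") != "kms default secret policy":
                issues.append(f"statement {i}: kms:* granted outside the owner default statement")
            elif a != "kms:*" and a not in ALLOWED_ACTIONS:
                issues.append(f"statement {i}: {a!r} is not on the supported list and has no effect")
    return {"issues": issues, "cross_account": cross_account, "can_read_value": readers}
```

Run it on PAGE_EXAMPLE with owner 119285303511**** to see secret_ramuser3 reported as the only cross-account principal, and note that a misspelled action such as a constructed "kms:GetSecretValues" is flagged as having no effect rather than silently granting access.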
Default policy permissions (Action)
Administrator
Can perform management operations on the secret but cannot retrieve the secret value.
"Action": [
"kms:List*",
"kms:Describe*",
"kms:PutSecretValue",
"kms:Update*",
"kms:DeleteSecret",
"kms:RestoreSecret",
"kms:RotateSecret",
"kms:TagResource",
"kms:UntagResource"
]
User / Cross-account user
Can only retrieve the secret value.
"Action": [
"kms:List*",
"kms:Describe*",
"kms:GetSecretValue"
]