
Key Management Service:Configure a secret policy

Last Updated:May 26, 2026

You can add or remove RAM users and RAM roles in a secret policy to configure administrators and users of the secret. This topic describes how to configure a secret policy.

Configure in the console

  1. Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. On the Secrets tab, locate your target secret, and click the secret ID or Details in the Actions column.

  3. In the Secret Policy area at the bottom of the details page, click Configure Secret Policy, complete the configuration, and then click OK.

    1. Visual Editor: In this mode, you select a Principal (a RAM user or RAM role) and one of the roles below. Each role grants a fixed set of actions, listed under Default policy permissions (Action).

      • Administrator: Can perform management operations on the secret but cannot retrieve the secret value. Only RAM users and RAM roles in the current account can be selected.

      • User: Can only retrieve the secret value. Only RAM users and RAM roles in the current account can be selected.

      • Cross-account User: Can be RAM users or RAM roles from other Alibaba Cloud accounts. Only supports retrieving the secret value.

        Important
        • Authorizing RAM users or roles from other Alibaba Cloud accounts consumes the Access Management Quota of the KMS instance. The quota is counted by the number of Alibaba Cloud accounts. After you revoke authorization, the quota is returned in approximately 5 minutes.

        • You must also configure the corresponding secret usage permissions for the user or role in the RAM console. For more information, see Custom policies, Manage RAM user permissions, and Manage permissions for a RAM role.

        • Click Add ARN of Cross-account User and enter the ARN of the principal. You can find the ARN by logging on to the RAM console and viewing the user or role details page.

          • RAM user: Format is acs:ram::<other Alibaba Cloud account userId>:user/<ramuser>, for example, acs:ram::119285303511****:user/testpolicyuser.

          • RAM role: Format is acs:ram::<other Alibaba Cloud account userId>:role/<ramrole>, for example, acs:ram::119285303511****:role/testpolicyrole.

    2. Syntax Editor: You can directly modify or add permission policies in the syntax editor. The following is a configuration example.

      • Scenario: Configure a secret policy for a secret under Alibaba Cloud account (119285303511****).

        • Grant the current Alibaba Cloud account (119285303511****) full access to the secret, including management and usage. Do not modify this statement.

          Note

          By default, the secret owner has all permissions. This rule cannot be modified.

        • Grant RAM user (secret_ramuser1) under the current Alibaba Cloud account (119285303511****) permission to manage the secret.

        • Grant RAM user (secret_ramuser2) under the current Alibaba Cloud account (119285303511****) and RAM user (secret_ramuser3) under another Alibaba Cloud account (190325303126****) permission to use the secret.

      • Syntax example:

        {
            "Statement": [
                {
                    "Action": [
                        "kms:*"
                    ],
                    "Effect": "Allow",
                    "Principal": {
                        "RAM": [
                            "acs:ram::119285303511****:*"
                        ]
                    },
                    "Resource": [
                        "*"
                    ],
                    "Sid": "kms default secret policy"
                },
                {
                    "Action": [
                        "kms:List*",
                        "kms:Describe*",
                        "kms:PutSecretValue",
                        "kms:Update*",
                        "kms:DeleteSecret",
                        "kms:RestoreSecret",
                        "kms:RotateSecret",
                        "kms:TagResource",
                        "kms:UntagResource"
                    ],
                    "Effect": "Allow",
                    "Principal": {
                        "RAM": [
                            "acs:ram::119285303511****:user/secret_ramuser1"
                        ]
                    },
                    "Resource": [
                        "*"
                    ]
                },
                {
                    "Action": [
                        "kms:List*",
                        "kms:Describe*",
                        "kms:GetSecretValue"
                    ],
                    "Effect": "Allow",
                    "Principal": {
                        "RAM": [
                            "acs:ram::119285303511****:user/secret_ramuser2",
                            "acs:ram::190325303126****:user/secret_ramuser3"
                        ]
                    },
                    "Resource": [
                        "*"
                    ]
                }
            ],
            "Version": "1"
        }

        Note

        The Resource field in the example above is set to ["*"], which targets the current secret. You can also set Resource to a specific secret ARN to restrict the policy scope. For the secret ARN format, see Overview of secret policies.

Limitations

  • Secret policies can only be configured for secrets in a KMS instance.

  • A secret policy must be in JSON format and cannot exceed 32,768 bytes in size.

  • The following operations can be specified in a secret policy:

    Warning

    If you specify an operation not on this list, it will have no effect.

    "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:PutSecretValue",
        "kms:Update*",
        "kms:DeleteSecret",
        "kms:RestoreSecret",
        "kms:RotateSecret",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:GetSecretValue"
    ]

  • Cross-account secret authorization: To authorize RAM users or RAM roles from other Alibaba Cloud accounts to use a secret in your account, you must configure dual authorization:

    1. Configure a secret policy in the KMS console to grant the target account access. Add a Cross-account User principal in the secret policy.

    2. The target account must configure the corresponding secret usage permissions for its user or role in the RAM console.

Default policy permissions (Action)

Administrator

Can perform management operations on the secret but cannot retrieve the secret value.

  "Action": [
      "kms:List*",
      "kms:Describe*",
      "kms:PutSecretValue",
      "kms:Update*",
      "kms:DeleteSecret",
      "kms:RestoreSecret",
      "kms:RotateSecret",
      "kms:TagResource",
      "kms:UntagResource"
  ]

User / Cross-account user

Can only retrieve the secret value.

  "Action": [
      "kms:List*",
      "kms:Describe*",
      "kms:GetSecretValue"
  ]