Key Management Service:Overview of secret policies

Last Updated: May 26, 2026

A secret policy is a resource-based policy that controls which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use a KMS secret. Each secret in a KMS instance must have exactly one secret policy. This topic describes secret policies in detail.

Relationship between secret policies and RAM policies

A secret policy lets you designate RAM users and RAM roles within the current Alibaba Cloud account (the account that owns the secret) as administrators or users. You can also designate RAM users and RAM roles from other Alibaba Cloud accounts as users.

In addition to configuring a secret policy in KMS, you can configure identity-based policies in RAM to specify which Alibaba Cloud accounts, RAM users, or RAM roles can manage or use specific secrets. For more information, see Manage RAM user permissions, Manage permissions for a RAM role, and Custom policies.

When an Alibaba Cloud account or a RAM identity (RAM user or RAM role) requests access to KMS resources through the Alibaba Cloud console, OpenAPI, or CLI, the system evaluates applicable policies to determine whether to allow or deny the request. The following flowchart shows the evaluation process.

(Figure: flowchart of the policy evaluation process)

The evaluation result follows these principles:

  • For a RAM user or RAM role under the current Alibaba Cloud account: access is granted if evaluation result A or evaluation result B is Allow and neither result contains an explicit Deny.

    Note

    The current Alibaba Cloud account is the account that created the secret. You can view the secret creator by using one of the following methods:

    • Console: Log on to the KMS console. On the Secrets page, open the secret details page and view the Created By field.

    • API: Call the DescribeSecret operation. The Creator field in the response indicates the secret creator.

  • For a RAM user or RAM role under a different Alibaba Cloud account: access is granted only when both evaluation result A and evaluation result B are Allow.

Based on the evaluation process, you can determine the required configuration for different scenarios:

  • To allow a RAM user or RAM role under the current Alibaba Cloud account to manage or use a secret, configure either the secret policy in KMS or a RAM policy to grant the required permissions.

  • To allow a RAM user or RAM role under a different Alibaba Cloud account to use a secret, you must configure both the secret policy in KMS and a RAM policy to grant permissions.

Usage notes

  • Secret policies apply only to secrets within a KMS instance. You can configure a secret policy during secret creation or modify it afterward. For more information, see Manage and use secrets and Configure a secret policy.

  • Authorizing RAM users or roles from other Alibaba Cloud accounts consumes the Access Management Quota of the KMS instance. The quota is calculated based on the number of Alibaba Cloud accounts. If you revoke cross-account authorization and the instance no longer shares resources with that account, wait approximately 5 minutes for the consumed quota to decrease accordingly.

  • A secret policy only applies to access control when you access a secret through the KMS service endpoint. If you access a secret through a KMS instance endpoint, access depends on the permission policy configured in the Application Access Point (AAP).

  • A secret policy must be in JSON format and cannot exceed 32,768 bytes in size.

Secret policy structure

A complete secret policy contains the following elements:

  • Version: The version of the secret policy. Only version 1 is supported.

  • Statement: A secret policy contains one or more statements. Each statement includes the following parameters:

    • Sid

      Optional. A custom statement identifier. The identifier can be up to 128 characters in length and can contain uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and the following special characters: _ / + = . @ -

    • Effect

      Required. Specifies whether to allow or deny the actions in the statement. Valid values: Allow and Deny.

    • Principal

      Required. The identity to which the policy applies. You can specify one of the following:

      • The current Alibaba Cloud account (the account that owns the secret).

      • RAM users or RAM roles under the current Alibaba Cloud account.

      • RAM users or RAM roles under a different Alibaba Cloud account.

        Important

        After you authorize RAM users or roles from another Alibaba Cloud account, you must also use that Alibaba Cloud account to grant the RAM users or roles permission to use the secret in RAM. Otherwise, the RAM identities cannot use the secret.

        For more information, see Custom policy reference for KMS, Manage RAM user permissions, and Manage permissions for a RAM role.

    • Action

      Required. The API operations to allow or deny. The value must start with "kms:". Only the following operations are valid. Operations outside this list will not take effect.

      Permission list

      "Action": [
          "kms:List*",
          "kms:Describe*",
          "kms:PutSecretValue",
          "kms:Update*",
          "kms:DeleteSecret",
          "kms:RestoreSecret",
          "kms:RotateSecret",
          "kms:TagResource",
          "kms:UntagResource",
          "kms:GetSecretValue"
      ]
    • Resource

      Required. The target resource to which the policy applies. Set the value to * or the ARN of the secret. A value of * indicates the current KMS secret. You can also specify a specific secret ARN to narrow the policy scope.

    • Condition

      Optional. The conditions under which the policy takes effect. A condition element, also called a condition block, consists of one or more condition clauses. Each clause contains a condition operator, a condition key, and a condition value. For more information, see Permission policy elements.

      The format is "Condition": {"condition operator": {"condition key": "condition value"}}.
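The following Python script is an added example and is not code from the Alibaba Cloud documentation or from KMS itself. It ties together the two parts of this topic: it checks a secret policy against the constraints listed under "Secret policy structure" (JSON, the 32,768-byte limit, Version 1, Effect values, the Sid character set, the permitted "kms:" action list, and Resource as * or an ARN), evaluates a request against the policy on its own (producing Allow, an explicit Deny, or no match), and then combines that result with a RAM policy result using the same-account and cross-account rules from "Relationship between secret policies and RAM policies". The sample policy, the account ID, the reader principal, the Principal layout ({"RAM": [RAM ARN, ...]}), the "acs:kms:" ARN prefix, and the mapping of result A to the secret policy and result B to the RAM policy are all assumptions made for this example; the topic does not state them.

```python
import fnmatch
import json
import re
from typing import List, Optional

# Limits and value sets quoted from the topic above.
MAX_POLICY_BYTES = 32768
PERMITTED_ACTIONS = [
    "kms:List*", "kms:Describe*", "kms:PutSecretValue", "kms:Update*",
    "kms:DeleteSecret", "kms:RestoreSecret", "kms:RotateSecret",
    "kms:TagResource", "kms:UntagResource", "kms:GetSecretValue",
]
SID_RE = re.compile(r"^[A-Za-z0-9_/+=.@-]{1,128}$")

# Constructed sample policy (not from the documentation). The account ID is fake,
# and the Principal layout ({"RAM": [<RAM ARN>, ...]}) and the "acs:kms:" ARN
# prefix used below are assumptions made for this example.
READER = "acs:ram::1234567890123456:user/app-reader"
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Sid": "ReaderCanReadAndDescribe", "Effect": "Allow",
         "Principal": {"RAM": [READER]},
         "Action": ["kms:GetSecretValue", "kms:Describe*"], "Resource": "*"},
        {"Sid": "ReaderNeverDeletes", "Effect": "Deny",
         "Principal": {"RAM": [READER]},
         "Action": ["kms:DeleteSecret"], "Resource": "*"},
    ],
})


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _permitted(action: str) -> bool:
    # An action is usable only if an entry of the permitted list covers it; a
    # pattern broader than every entry (for example "kms:*") is rejected.
    return any(fnmatch.fnmatchcase(action, entry) for entry in PERMITTED_ACTIONS)


def validate_secret_policy(policy_text: str) -> List[str]:
    """Return the constraints from the topic that policy_text violates ([] = OK)."""
    problems = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        problems.append("policy exceeds 32,768 bytes")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return problems + [f"policy is not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return problems + ["policy must be a JSON object"]
    if str(policy.get("Version")) != "1":
        problems.append("Version must be 1")
    statements = _as_list(policy.get("Statement") or [])
    if not statements:
        problems.append("at least one Statement is required")
    for i, st in enumerate(statements):
        where = st.get("Sid") or f"statement[{i}]"
        if "Sid" in st and not SID_RE.match(st["Sid"]):
            problems.append(f"{where}: Sid has an invalid character or length")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        for key in ("Principal", "Action", "Resource"):
            if key not in st:
                problems.append(f"{where}: {key} is required")
        for action in _as_list(st.get("Action", [])):
            if not (action.startswith("kms:") and _permitted(action)):
                problems.append(f"{where}: action {action!r} is outside the permitted list")
        for res in _as_list(st.get("Resource", [])):
            if res != "*" and not res.startswith("acs:kms:"):
                problems.append(f"{where}: Resource must be * or a secret ARN")
    return problems


def evaluate_secret_policy(policy_text: str, principal: str, action: str,
                           resource: str = "*") -> Optional[str]:
    """Evaluate the secret policy alone: 'Allow', 'Deny' (explicit), or None
    when no statement matches the request (an implicit deny)."""
    outcome = None
    for st in json.loads(policy_text)["Statement"]:
        principals = _as_list(st["Principal"].get("RAM", []))
        if not any(fnmatch.fnmatchcase(principal, p) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(r in ("*", resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        outcome = "Allow"
    return outcome


def access_granted(same_account: bool, result_a: Optional[str],
                   result_b: Optional[str]) -> bool:
    """Combine result A (taken here to be the secret policy) and result B (the
    RAM policy) as the topic describes; the rule is symmetric in A and B."""
    results = (result_a, result_b)
    if same_account:
        return "Deny" not in results and "Allow" in results
    return results == ("Allow", "Allow")


if __name__ == "__main__":
    print("violations:", validate_secret_policy(SAMPLE_POLICY))
    for act in ("kms:GetSecretValue", "kms:DeleteSecret", "kms:RotateSecret"):
        a = evaluate_secret_policy(SAMPLE_POLICY, READER, act)
        print(f"{act}: secret policy -> {a}; same account, RAM=None -> "
              f"{access_granted(True, a, None)}; other account, RAM=Allow -> "
              f"{access_granted(False, a, 'Allow')}")
```

The script shows the practical consequence of the two rules: for a same-account identity the secret policy by itself is enough to grant kms:GetSecretValue, while for a cross-account identity the same statement grants nothing until the other account's RAM policy also allows it, and the explicit Deny on kms:DeleteSecret blocks the request in either case regardless of what the RAM policy says.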