Sample RAM permission policies for Key Management Service (KMS). Copy the policy that matches your use case, replace the placeholders, and attach it to the target RAM user, user group, or role.
Replace ${region} and ${account} with your actual region ID and Alibaba Cloud account ID. Narrow the resource scope based on your business requirements.
Choose a policy
| Use case | Policy |
|---|---|
| Full key lifecycle management (create, rotate, delete, tag) | Manage keys |
| Read-only key inventory and metadata | Query keys |
| Encrypt, decrypt, and generate data keys | Symmetric cryptographic operations |
| Encrypt and decrypt with asymmetric keys | Asymmetric encryption and decryption |
| Sign and verify with asymmetric keys | Asymmetric signing and verification |
| Grant access to keys that share a specific tag | Tag-based cryptographic access |
| Full secret lifecycle management (create, rotate, delete, tag) | Manage secrets |
| Read-only secret inventory and metadata | Query secrets |
| Retrieve a specific secret value | Retrieve a secret value |
| Restrict KMS instance creation to specific regions | Restrict instance creation by region |
| Allow access from specific IP addresses only | IP-based access control |
Policy that allows you to access all KMS resources
To ensure data security, we recommend that you do not configure policies that allow access to all Key Management Service (KMS) resources. Granting kms:* on * violates the principle of least privilege and increases the blast radius of a compromised credential. Use one of the scoped policies below instead.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Policy that allows specific CIDR blocks or IP addresses to access all KMS resources
The acs:SourceIp condition key restricts KMS API calls to requests from specific IP ranges. In this example, the CIDR block 192.168.0.0/16 and the IP address 172.16.215.218 are allowed to call any KMS action.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16",
            "172.16.215.218"
          ]
        }
      }
    }
  ]
}
```
Any principal that can change the source IP of their requests (for example, by using a proxy or VPN) can bypass this restriction. Combine IP-based conditions with resource scoping for stronger controls.
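The two warnings above (kms:* on every resource, and a source-IP condition that is the only thing narrowing a wildcard resource) plus the placeholder rule at the top of the page can be checked before a policy is attached. The following linter is an added example, not an Alibaba Cloud tool; the finding codes (WILDCARD_ALL, UNREPLACED_PLACEHOLDER, IP_ONLY_RESTRICTION) and the sample region/account values are this example's own, and the three policy documents it runs over are copied from this page.

```python
"""Static least-privilege lint for RAM policy documents (added example, not an Alibaba Cloud tool).

It raises exactly the three findings this page warns about: kms:* on every resource,
${region}/${account} placeholders left unreplaced, and an IpAddress condition that is
the only thing narrowing a wildcard resource. Finding codes are this example's own names.
"""
import json
import re

PLACEHOLDER = re.compile(r"\$\{(region|account)\}")


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def render(policy, region, account):
    """Fill in the ${region}/${account} placeholders, returning a new policy dict."""
    text = json.dumps(policy).replace("${region}", region).replace("${account}", account)
    return json.loads(text)


def lint_policy(policy):
    """Return (statement_index, code, detail) tuples for the Allow statements in a policy."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_actions = any(a in ("*", "kms:*") for a in actions)
        all_resources = "*" in resources
        if all_actions and all_resources:
            findings.append((i, "WILDCARD_ALL", "kms:* on * grants every KMS API on every key and secret"))
        for resource in resources:
            if PLACEHOLDER.search(resource):
                findings.append((i, "UNREPLACED_PLACEHOLDER", resource))
        if "IpAddress" in stmt.get("Condition", {}) and all_resources:
            findings.append((i, "IP_ONLY_RESTRICTION",
                             "source IP is the only limit on a wildcard resource; scope Resource too"))
    return findings


# Inputs: three policies from this page, as published (placeholders intact).
WILDCARD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"]}]}
IP_ONLY_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}
SYMMETRIC_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": ["acs:kms:${region}:${account}:key/*",
                  "acs:kms:${region}:${account}:alias/*"]}]}


def lint_report(policies):
    """Map a policy name to its finding codes, in the order they were raised."""
    return {name: [code for _, code, _ in lint_policy(p)] for name, p in policies.items()}


if __name__ == "__main__":
    # cn-hangzhou / 123456789012 are constructed sample values, not real account data.
    samples = {
        "wildcard": WILDCARD_POLICY,
        "ip_only": IP_ONLY_POLICY,
        "symmetric_unrendered": SYMMETRIC_POLICY,
        "symmetric_rendered": render(SYMMETRIC_POLICY, "cn-hangzhou", "123456789012"),
    }
    for name, codes in lint_report(samples).items():
        print(f"{name:22} {codes or 'clean'}")
```

Run it as a pre-commit step over the policy files in a repository: the wildcard policy yields one finding, the IP-only policy two, the unrendered symmetric policy one per placeholder resource, and the rendered symmetric policy none.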
Policy that allows you to manage keys in KMS
This policy grants full key management permissions: listing, describing, creating, enabling, disabling, updating, deleting, tagging, importing key material, and scheduling key deletion. The resource scope covers both keys and aliases in your account.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:Create*",
        "kms:Enable*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Set*",
        "kms:Update*",
        "kms:Delete*",
        "kms:Cancel*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
```
Policy that allows you to query a list of keys and the metadata of keys
Use this policy for read-only access to key inventory. The principal can list keys and view their metadata but cannot perform cryptographic operations or make changes.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*"
      ]
    }
  ]
}
```
Policy that allows you to use keys to encrypt data, decrypt data, and generate data keys
This policy suits application service accounts that perform envelope encryption: kms:Encrypt and kms:Decrypt for direct encryption, and kms:GenerateDataKey to obtain a data key for client-side encryption.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
```
If you identify a key by its alias in cryptographic operations, include the alias resource (acs:kms:${region}:${account}:alias/*) in the policy. Without it, alias-based calls are denied even if the underlying key is permitted.
Policy that allows you to use keys with specific tags to implement envelope encryption, decryption, and data key generation
The StringEqualsIgnoreCase condition on kms:tag/Project limits cryptographic operations to keys tagged with Project=Apollo. This lets you control access by tagging keys rather than listing individual key ARNs.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*"
      ],
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:tag/Project": [
            "Apollo"
          ]
        }
      }
    }
  ]
}
```
Any principal with permission to add, modify, or remove tags on a key can effectively expand or restrict who gains access under this policy. Grant tag management permissions (kms:TagResource, kms:TagResources, kms:UntagResource, kms:UntagResources) only to trusted administrators.
Policy that allows you to use asymmetric keys for encryption and decryption
This policy grants kms:AsymmetricEncrypt and kms:AsymmetricDecrypt on keys and aliases. Use it for service accounts that perform asymmetric encryption and decryption operations.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricEncrypt",
        "kms:AsymmetricDecrypt"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
```
If you identify a key by its alias in cryptographic operations, include the alias resource (acs:kms:${region}:${account}:alias/*) in the policy. Without it, alias-based calls are denied even if the underlying key is permitted.
Policy that allows you to use asymmetric keys for signing and verification
This policy grants kms:AsymmetricSign and kms:AsymmetricVerify on keys and aliases. Use it for service accounts that sign or verify data with asymmetric keys.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:AsymmetricSign",
        "kms:AsymmetricVerify"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
```
If you identify a key by its alias in cryptographic operations, include the alias resource (acs:kms:${region}:${account}:alias/*) in the policy. Without it, alias-based calls are denied even if the underlying key is permitted.
Policy that allows you to manage secrets in KMS
This policy grants full secret management permissions: listing, describing, creating, updating, rotating, restoring, deleting, and tagging secrets. The resource scope covers secrets and their associated aliases.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*",
        "kms:PutSecretValue",
        "kms:Update*",
        "kms:DeleteSecret",
        "kms:RestoreSecret",
        "kms:RotateSecret",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:TagResources",
        "kms:UntagResources"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:secret",
        "acs:kms:${region}:${account}:secret/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
```
Policy that allows you to query a list of secrets and the metadata of secrets
Use this policy for read-only access to secret inventory. The principal can list secrets and view their metadata but cannot read secret values or make changes.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:secret",
        "acs:kms:${region}:${account}:secret/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
```
Policy that allows you to retrieve the secret value
This policy grants access to a single named secret (example-secret) and the specific key (keyId-example) that protects it. Both statements are required: kms:GetSecretValue retrieves the secret value, and kms:Decrypt on the protecting key is needed to decrypt that value.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:GetSecretValue",
      "Resource": "acs:kms:${region}:${account}:secret/example-secret"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "acs:kms:${region}:${account}:key/keyId-example"
    }
  ]
}
```
Policy that restricts KMS instance creation to specified regions
This policy prevents KMS instances from being created anywhere except Singapore (ap-southeast-1) and Kuala Lumpur, Malaysia (ap-southeast-3). It applies only to RAM users, RAM user groups, and RAM roles that already hold the AliyunKMSFullAccess permission. For instructions on attaching this policy, see Grant permissions to a RAM user, Grant permissions to a RAM user group, and Grant permissions to a RAM role.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "bss:CreateInstance",
        "bss:ModifyInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bssapi:ProductCode": [
            "kms"
          ]
        },
        "StringNotLike": {
          "Resource": [
            "acs:kms:ap-southeast-1:*:*",
            "acs:kms:ap-southeast-3:*:*"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "kms:CreateInstance",
      "Resource": "*"
    }
  ]
}
```
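Several of the policies above depend on evaluation details that are easy to get wrong when reading the JSON: an alias-based call is denied when only the key resource is listed, the tag condition is compared case-insensitively, the source-IP condition fails closed when the request carries no source IP, and the region policy's Deny overrides any Allow the principal also holds. The evaluator below is an added example, not Alibaba Cloud's RAM engine; it models only the operators these policies use, renders the placeholders with the constructed values cn-hangzhou and 123456789012, and stands in a constructed bss:* Allow for the AliyunKMSFullAccess permission that the page says the region policy is meant to be combined with.

```python
"""Tiny evaluator for the sample policies on this page (added example, not the RAM engine).

Assumptions: an explicit Deny beats any Allow, Action and Resource use glob wildcards,
operators inside one Condition are ANDed, and a condition key missing from the request
fails every operator except the negated StringNotLike.
"""
import fnmatch
import ipaddress

REGION, ACCOUNT = "cn-hangzhou", "123456789012"  # constructed sample values
KEY = f"acs:kms:{REGION}:{ACCOUNT}:key/k-sample"  # constructed key resource
ALIAS = f"acs:kms:{REGION}:{ACCOUNT}:alias/app"  # constructed alias resource


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; the values listed under one key are ORed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if operator == "IpAddress":
                if actual is None:
                    return False  # no source IP in the request: fail closed
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(e, strict=False) for e in expected):
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringEqualsIgnoreCase":
                if actual is None or actual.lower() not in [e.lower() for e in expected]:
                    return False
            elif operator == "StringNotLike":
                if actual is not None and _glob_any(expected, actual):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled in this example")
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request evaluated against a set of policies."""
    ctx = dict(ctx or {})
    ctx.setdefault("Resource", resource)  # lets StringNotLike on Resource see the request
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_glob_any(stmt["Action"], action) and _glob_any(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins immediately
            allowed = True
    return "Allow" if allowed else "Deny"


# Page policies rendered with the constructed region/account. The alias resource is
# deliberately left out of the first one to show the failure mode the page describes.
SYMMETRIC_NO_ALIAS = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": [f"acs:kms:{REGION}:{ACCOUNT}:key/*"]}]}
TAG_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": [f"acs:kms:{REGION}:{ACCOUNT}:key/*"],
    "Condition": {"StringEqualsIgnoreCase": {"kms:tag/Project": ["Apollo"]}}}]}
IP_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["kms:*"], "Resource": ["*"],
    "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.16.215.218"]}}}]}
REGION_DENY = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": ["bss:CreateInstance", "bss:ModifyInstance"], "Resource": "*",
     "Condition": {"StringEquals": {"bssapi:ProductCode": ["kms"]},
                   "StringNotLike": {"Resource": ["acs:kms:ap-southeast-1:*:*",
                                                  "acs:kms:ap-southeast-3:*:*"]}}},
    {"Effect": "Deny", "Action": "kms:CreateInstance", "Resource": "*"}]}
# Constructed broad Allow standing in for AliyunKMSFullAccess, so the Deny has something to override.
ALLOW_BSS = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["bss:*"], "Resource": "*"}]}


def demo():
    """Decisions worth knowing before attaching these policies."""
    bss = f"acs:kms:{{}}:{ACCOUNT}:instance/i-sample"
    return {
        "encrypt_by_key_id": evaluate([SYMMETRIC_NO_ALIAS], "kms:Encrypt", KEY),
        "encrypt_by_alias": evaluate([SYMMETRIC_NO_ALIAS], "kms:Encrypt", ALIAS),
        "apollo_key": evaluate([TAG_POLICY], "kms:Decrypt", KEY, {"kms:tag/Project": "apollo"}),
        "other_project_key": evaluate([TAG_POLICY], "kms:Decrypt", KEY, {"kms:tag/Project": "Hermes"}),
        "from_allowed_range": evaluate([IP_POLICY], "kms:ListKeys", KEY, {"acs:SourceIp": "192.168.1.10"}),
        "from_elsewhere": evaluate([IP_POLICY], "kms:ListKeys", KEY, {"acs:SourceIp": "10.0.0.1"}),
        "no_source_ip": evaluate([IP_POLICY], "kms:ListKeys", KEY),
        "kms_instance_in_hangzhou": evaluate([ALLOW_BSS, REGION_DENY], "bss:CreateInstance",
                                             bss.format("cn-hangzhou"), {"bssapi:ProductCode": "kms"}),
        "kms_instance_in_singapore": evaluate([ALLOW_BSS, REGION_DENY], "bss:CreateInstance",
                                              bss.format("ap-southeast-1"), {"bssapi:ProductCode": "kms"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} {decision}")
```

The evaluator is intentionally small: it exists to make the page's caveats testable, not to replace RAM's policy simulator. The alias case is the one most often missed in practice, because the call fails even though the principal holds every permission on the key it resolves to.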