Use RAM to manage access to KMS resources - - Alibaba Cloud Documentation Center

An Alibaba Cloud account has full operation permissions on all resources within the account. To ensure data security and implement fine-grained access control, you can create different Resource Access Management (RAM) users and attach system policies and custom policies to the RAM users. This topic describes how to authorize a RAM user to access Key Management Service (KMS) resources.

Prerequisites

RAM users are created. For information about how to create a RAM user, see Create a RAM user.

Attach system policies to a RAM user

Alibaba Cloud provides the following system policies for KMS resources. You can attach the policies to RAM users based on your business requirements. If the system policies cannot meet your business requirements, you can configure custom policies. For more information, see Attach custom policies to a RAM user.

System policies:

AliyunKMSFullAccess: full permissions on KMS resources
AliyunKMSReadOnlyAccess: the read-only permission on KMS resources
AliyunKMSCryptoAdminAccess: the permission to manage keys in KMS
AliyunKMSCryptoUserAccess: the permission to use KMS keys for cryptographic operations
AliyunKMSSecretUserAccess: the permission to retrieve secrets in KMS
AliyunKMSSecretAdminAccess: the permission to manage secrets in KMS

Log on to the RAM console by using your Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user and click Add Permissions in the Actions column.

In the Add Permissions panel, configure Authorized Scope and Principal.

Parameter	Description
Grant Permission On	The scope in which you want the permissions to take effect. KMS does not support the resource group feature. You must select Alibaba Cloud Account.
Principal	The RAM user to which you want to grant permissions. The Principal parameter is automatically set to a specific RAM user. You can specify a different RAM user.

Click System Policy, select system policies based on your business requirements, and then click OK.
Confirm the scope and policies for authorization and click Complete.

Attach custom policies to a RAM user

If the system policies cannot meet your business requirements, you can configure custom policies to implement fine-grained access control.

Log on to the RAM console with your Alibaba Cloud account.
Create a custom policy.
1. In the left-side navigation pane, choose Permissions > Policies.
2. On the Policies page, click Create Policy.
3. On the Create Policy page, click the JSON tab.
  Note
  RAM provides visual editing and document editing modes to create policies. When you create a custom policy for KMS resources, you must use the document editing mode. If you use the visual editing mode, you can select only all KMS resources and all operations.
4. Edit the policy document and click Next to edit policy information.
  When you edit a KMS policy document, you must specify a custom authorization statement. A statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see RAM policies defined for KMS resources and Examples of RAM policies.
  Note
  For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
5. Specify the policy name and description. Then, check and optimize the policy document as prompted.
6. Click OK.

Attach custom policies to a RAM user.

In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user and click Add Permissions in the Actions column.

In the Add Permissions panel, configure Authorized Scope and Principal.

Parameter	Description
Grant Permission On	The scope in which you want the permissions to take effect. KMS does not support the resource group feature. You must select Alibaba Cloud Account.
Principal	The RAM user to which you want to grant permissions. The Principal parameter is automatically set to a specific RAM user. You can specify a different RAM user.

Click Custom Policy, select custom policies based on your business requirements, and then click OK.

Confirm the scope and policies for authorization and click Complete.

RAM policies defined for KMS resources

Resource

KMS defines the following resource types: key container, secret container, alias container, certificate container, key, secret, alias, and certificate. You can configure the Resource element in a RAM policy based on the Alibaba Cloud Resource Name (ARN) of your resource. To obtain the ARN of a resource, perform the following steps:

Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

On the Keys tab, find the key whose ARN you want to obtain and click Details in the Actions column. On the details page, you can view the ARN of the key. 密钥详情 The following table describes the ARN formats for different resource types.

Resource type	ARN
Key container	acs:kms:${region}:${account}:key
Secret container	acs:kms:${region}:${account}:secret
Alias container	acs:kms:${region}:${account}:alias
Key	acs:kms:${region}:${account}:key/${key-id} Note The ARN of a key resource supports the wildcard character (). Example: `acs:kms:${region}:${account}:key/`: specifies all keys in a region within an account. `acs:kms::${account}:key/`: specifies all keys in all regions within an account.
Secret	acs:kms:${region}:${account}:secret/${secret-name} Note The ARN of a secret resource supports the wildcard character (). `acs:kms:${region}:${account}:secret/`: specifies all secrets in a region within an account. `acs:kms:${region}:${account}:secret/prefix*`: specifies all secrets that start with `prefix` in a region within an account.
Alias	acs:kms:${region}:${account}:alias/${alias-name}
Certificate	acs:kms:${region}:${account}:certificate/${id}

Action

KMS defines actions for each API operation that requires access control. In RAM policies, actions are in the kms:<api-name> format.

Note

The DescribeRegions operation does not require access control. The operation can be called by Alibaba Cloud accounts, RAM users, or RAM roles after they pass RAM authentication.

The following tables describe the RAM actions and resource types that correspond to each API operation.

Key API operations

Operation	Action	Resource type	ARN
ListKeys	kms:ListKeys	Key container	acs:kms:${region}:${account}:key
CreateKey	kms:CreateKey	Key container	acs:kms:${region}:${account}:key
DescribeKey	kms:DescribeKey	Key	acs:kms:${region}:${account}:key/${key-id}
UpdateKeyDescription	kms:UpdateKeyDescription
EnableKey	kms:EnableKey
DisableKey	kms:DisableKey
ScheduleKeyDeletion	kms:ScheduleKeyDeletion
CancelKeyDeletion	kms:CancelKeyDeletion
GetParametersForImport	kms:GetParametersForImport
ImportKeyMaterial	kms:ImportKeyMaterial
DeleteKeyMaterial	kms:DeleteKeyMaterial
ListAliasesByKeyId	kms:ListAliasesByKeyId
CreateKeyVersion	kms:CreateKeyVersion
DescribeKeyVersion	kms:DescribeKeyVersion
ListKeyVersions	kms:ListKeyVersions
UpdateRotationPolicy	kms:UpdateRotationPolicy
Encrypt	kms:Encrypt
Decrypt	kms:Decrypt
ReEncrypt	kms:ReEncryptFrom kms:ReEncryptTo kms:ReEncrypt*
GenerateDataKey	kms:GenerateDataKey
GenerateDataKeyWithoutPlaintext	kms:GenerateDataKeyWithoutPlaintext
ExportDataKey	kms:ExportDataKey
GenerateAndExportDataKey	kms:GenerateAndExportDataKey
AsymmetricSign	kms:AsymmetricSign
AsymmetricVerify	kms:AsymmetricVerify
AsymmetricEncrypt	kms:AsymmetricEncrypt
AsymmetricDecrypt	kms:AsymmetricDecrypt
GetPublicKey	kms:GetPublicKey
ListAliases	kms:ListAliases	Alias container	acs:kms:${region}:${account}:alias
CreateAlias	kms:CreateAlias	Alias and key	Alias: acs:kms:${region}:${account}:alias/${alias-name} Key: acs:kms:${region}:${account}:key/${key-id}
UpdateAlias	kms:UpdateAlias
DeleteAlias	kms:DeleteAlias

Secrets Manager API operations

Operation	Action	Resource type	ARN
CreateSecret	kms:CreateSecret	Secret container	acs:kms:${region}:${account}:secret
ListSecrets	kms:ListSecrets	Secret container	acs:kms:${region}:${account}:secret
DescribeSecret	kms:DescribeSecret	Secret	acs:kms:${region}:${account}:secret/${secret-name}
DeleteSecret	kms:DeleteSecret
UpdateSecret	kms:UpdateSecret
RestoreSecret	kms:RestoreSecret
GetSecretValue	kms:GetSecretValue kms:Decrypt Note The permissions on kms:Decrypt are required only when a self-managed key is specified as the encryption key for a generic secret.
PutSecretValue	kms:PutSecretValue kms:GenerateDataKey Note The permissions on kms:GenerateDataKey are required only if a self-managed key is specified as the encryption key for a generic secret.
ListSecretVersionIds	kms:ListSecretVersionIds
UpdateSecretVersionStage	kms:UpdateSecretVersionStage
GetRandomPassword	kms:GetRandomPassword	None	None

Certificates Manager API operations

Operation	Action	Resource type	ARN
CreateCertificate	kms:CreateCertificate	Certificate	acs:kms:${region}:${account}:certificate/${id}
UploadCertificate	kms:UploadCertificate
GetCertificate	kms:GetCertificate
DescribeCertificate	kms:DescribeCertificate
UpdateCertificateStatue	kms:UpdateCertificateStatue
DeleteCertificate	kms:DeleteCertificate
CertificatePrivateKeySign	kms:CertificatePrivateKeySign
CertificatePublicKeyVerify	kms:CertificatePublicKeyVerify
CertificatePublicKeyEncrypt	kms:CertificatePublicKeyEncrypt
CertificatePrivateKeyDecrypt	kms:CertificatePrivateKeyDecrypt

Tag management API operations

Operation	Action	Resource type	ARN
ListResourceTags	kms:ListResourceTags	Key	Key: acs:kms:${region}:${account}:key/${key-id} Secret: acs:kms:${region}:${account}:secret/${secret-name}
UntagResource	kms:UntagResource	Key or secret
TagResource	kms:TagResource	Key or secret

Condition

The Condition element specifies the conditions that are required for a policy to take effect. This element is optional. You can add a condition key in RAM policies to control access to KMS. RAM authentication is successful only if the added conditions are met.

Use common condition keys: The condition key is in the acs:<condition-key> format. For example, you can use acs:CurrentTime to control the time period when a RAM policy is valid.
For more information, see Policy elements.
Use tags as condition keys: The condition key is in the kms:tag/<tag-key> format. You can use tags as condition keys to limit the use of cryptographic API operations, such as Encrypt, Decrypt, and GenerateDataKey.
To query the tags of a key, you can use one of the following methods:
- Use the KMS console
  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
  2. On the Keys page, click the Software Key Management tab or Hardware Key Management tab based on the type of your KMS instance.
  3. Click the name of the required instance. On the page that appears, find the key whose tags you want to view.
  4. Click the name of the key. In the Tag section, view the tag keys and tag values of the key.
- Call the ListResourceTags operation

Examples of RAM policies

Scenario	Policy document
Access all KMS resources	Important To ensure data security, we recommend that you do not configure RAM policies that allow access to all KMS resources. `{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:" ], "Resource": [ "" ] } ] }`
Access all KMS resources from specified CIDR blocks or IP addresses	In the sample code, the CIDR block 192.168.0.0/16 and the IP address 172.16.215.218 are used. `{ "Version": "1", "Statement": [{ "Effect": "Allow", "Action": [ "kms:" ], "Resource": [ "" ], "Condition": { "IpAddress": { "acs:SourceIp": [ "192.168.0.0/16", "172.16.215.218" ] } } }] }`
Query keys and use keys to encrypt data, decrypt data, and generate data keys	Note Replace `${region}` and `${account}` with your actual region and Alibaba Cloud account. You can narrow the resource scope based on your business requirements. `{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:List", "kms:Describe" ], "Resource": [ "acs:kms:${region}:${account}:key", "acs:kms:${region}:${account}:key/" ] }, { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "acs:kms:${region}:${account}:key/" } ] }`
Perform envelope encryption and envelope decryption, and generate data keys by using keys that have specified tags.	In the sample code, a tag whose tag key is `Project` and tag value is `Apollo` is used. Note Replace `${region}` and `${account}` with your actual region and Alibaba Cloud account. You can narrow the resource scope based on your business requirements. `{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": [ "acs:kms:${region}:${account}:key/*" ], "Condition": { "StringEqualsIgnoreCase": { "kms:tag/Project": [ "Apollo" ] } } } ] }`
Query secrets and read the attributes of the secrets	Note Replace `${region}` and `${account}` with your actual region and Alibaba Cloud account. You can narrow the resource scope based on your business requirements. `{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:List", "kms:Describe" ], "Resource": [ "acs:kms:${region}:${account}:secret", "acs:kms:${region}:${account}:secret/*" ] } ] }`
Query values of a secret by secret name	In the sample code, the example-secret secret encrypted by using a key whose ID is keyId-example is used. Note Replace `${region}` and `${account}` with your actual region and Alibaba Cloud account. You can narrow the resource scope based on your business requirements. `{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kms:GetSecretValue", "Resource": "acs:kms:${region}:${account}:secret/example-secret" }, { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "acs:kms:${region}:${account}:key/keyId-example" } ] }`
Sign data and verify digital signatures by using specified certificates	`{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CertificatePrivateKeySign", "kms:CertificatePublicKeyVerify" ], "Resource": [ "*" ] } ] }`