Access control
Last updated: 2023.06.21 16:55:01
First published: 2021.11.24 19:45:10

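Key Management Service (KMS) uses Identity and Access Management (IAM) to control access to resources. This page describes the resource types and action permissions that KMS defines.

A Volcano Engine account has full permissions on its own resources; IAM users and IAM roles must be explicitly granted permissions on the resources they need.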

Resource types

| Resource type | TRN |
| --- | --- |
| Abstract keyring container | trn:kms:${region}:${account}:keyrings/* |
| Abstract key container | trn:kms:${region}:${account}:keyrings/${keyringName}/keys/* |
| Keyring | trn:kms:${region}:${account}:keyrings/${keyringName} |
| Key | trn:kms:${region}:${account}:keyrings/${keyringName}/keys/${keyName} |

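Action permissions

For every API that requires access control, KMS defines an action (Action) for use in IAM permission policies, usually in the form kms:<api-name>.

The table below lists the resource type required by each KMS API: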

| API | Action | Resource |
| --- | --- | --- |
| CreateKeyring | kms:CreateKeyring | Abstract keyring container |
| DescribeKeyrings | kms:DescribeKeyrings | Abstract keyring container |
| UpdateKeyring | kms:UpdateKeyring | Keyring |
| QueryKeyring | kms:QueryKeyring | Keyring |
| CreateKey | kms:CreateKey | Abstract key container |
| DescribeKeys | kms:DescribeKeys | Abstract key container |
| UpdateKey | kms:UpdateKey | Key |
| GenerateDataKey | kms:GenerateDataKey | Key |
| Encrypt | kms:Encrypt | Key |
| Decrypt | kms:Decrypt | Key |
| AsymmetricEncrypt | kms:AsymmetricEncrypt | Key |
| AsymmetricDecrypt | kms:AsymmetricDecrypt | Key |
| AsymmetricSign | kms:AsymmetricSign | Key |
| AsymmetricVerify | kms:AsymmetricVerify | Key |
| EnableKey | kms:EnableKey | Key |
| DisableKey | kms:DisableKey | Key |
| ScheduleKeyDeletion | kms:ScheduleKeyDeletion | Key |
| CancelKeyDeletion | kms:CancelKeyDeletion | Key |

System default permissions

KMSFullAccess

{
    "Version": "1",
    "Statement": [ 
        {
            "Effect": "Allow",
            "Action": "kms:*",
            "Resource": [
                "*"
            ]
        }
    ]
}

KMSReadOnlyAccess

{
    "Version": "1",
    "Statement": [ 
        {
            "Effect": "Allow",
            "Action": "kms:Describe*",
            "Resource": [
                "*"
            ]
        }
    ]
}

KMSCryptoUserAccess

{
    "Version": "1",
    "Statement": [ 
        {
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
            "Resource": [
                "*"
            ]
        }
    ]
}
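
An added example (not from the original page or from Volcano Engine): it evaluates the three preset policies against the API table above and builds a KMSCryptoUserAccess equivalent scoped to a single key TRN. It assumes that `*` in Action and Resource is a glob wildcard and that a request is allowed when any Allow statement matches; the region, account, keyring and key values are constructed placeholders.

```python
from fnmatch import fnmatchcase

# API names from the operation table on this page; each action is kms:<api-name>.
KMS_APIS = [
    "CreateKeyring", "DescribeKeyrings", "UpdateKeyring", "QueryKeyring",
    "CreateKey", "DescribeKeys", "UpdateKey", "GenerateDataKey", "Encrypt",
    "Decrypt", "AsymmetricEncrypt", "AsymmetricDecrypt", "AsymmetricSign",
    "AsymmetricVerify", "EnableKey", "DisableKey", "ScheduleKeyDeletion",
    "CancelKeyDeletion",
]
# Action patterns of the three preset policies shown on this page.
PRESETS = {
    "KMSFullAccess": ["kms:*"],
    "KMSReadOnlyAccess": ["kms:Describe*"],
    "KMSCryptoUserAccess": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
}

def key_trn(region, account, keyring, key):
    """Build a key TRN in the format given in the resource type table."""
    return f"trn:kms:{region}:{account}:keyrings/{keyring}/keys/{key}"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def allows(policy, action, resource):
    """True if any Allow statement matches. ASSUMPTION: '*' is a glob wildcard."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        action_ok = any(fnmatchcase(action, p) for p in as_list(st["Action"]))
        resource_ok = any(fnmatchcase(resource, p) for p in as_list(st["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def policy(actions, resource="*"):
    """Single-statement Allow policy in the JSON shape used on this page."""
    return {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": [resource]}]}

def granted_apis(pol, resource):
    """APIs from the table whose action the policy allows on the given resource."""
    return [api for api in KMS_APIS if allows(pol, f"kms:{api}", resource)]

if __name__ == "__main__":
    # Constructed placeholder identifiers, not real account data.
    trn = key_trn("example-region", "ACCOUNT_ID", "example-keyring", "example-key")
    other = key_trn("example-region", "ACCOUNT_ID", "example-keyring", "other-key")
    for name, actions in PRESETS.items():
        print(name, granted_apis(policy(actions), trn))
    scoped = policy(PRESETS["KMSCryptoUserAccess"], trn)
    print(allows(scoped, "kms:Decrypt", trn), allows(scoped, "kms:Decrypt", other))
```

Under that matching assumption, KMSReadOnlyAccess covers only DescribeKeyrings and DescribeKeys (not QueryKeyring), and KMSCryptoUserAccess covers none of the asymmetric operations. The scoped variant allows Decrypt on the named key only, whereas the preset with `"Resource": ["*"]` allows it on every key in the account.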