文档

自定义权限策略示例

更新时间:

本文介绍自定义权限策略示例。

说明

如果示例中有${region}${account},请替换为您实际的地域和阿里云账号,您也可以根据需求缩小资源范围。

允许访问所有的KMS资源

重要

为保障数据安全,不推荐您配置允许访问KMS所有资源的权限策略。

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}               

允许指定的IP地址段或IP地址访问KMS所有资源

以下代码以192.168.0.0/16、172.16.215.218为例。

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "kms:*"
    ],
    "Resource": [
      "*"
    ],
    "Condition": {
      "IpAddress": {
        "acs:SourceIp": [
          "192.168.0.0/16",
          "172.16.215.218"
        ]
      }
    }
  }]
}

管理KMS中的密钥

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:Create*",
                "kms:Enable*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Set*",
                "kms:Update*",
                "kms:Delete*",
                "kms:Cancel*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:TagResources",
                "kms:UntagResources",
                "kms:ImportKeyMaterial",
                "kms:ScheduleKeyDeletion"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}

列举密钥、查看密钥属性(元数据)

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key",
        "acs:kms:${region}:${account}:key/*"
      ]
    }
  ]
}

使用密钥进行加密、解密和生成数据密钥

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
         "acs:kms:${region}:${account}:key/*",
         "acs:kms:${region}:${account}:alias/*"
     ]
    }
  ]
}
说明

如果您在密码运算等操作中使用密钥别名来标识一个密钥,需要在资源元素中配置相应的别名资源。

允许使用含有指定标签的密钥进行信封加密、解密和生成数据密钥

以下代码以标签键为Project、标签值为Apollo为例。

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt", 
                "kms:Decrypt", 
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:key/*"
            ],
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:tag/Project": [
                        "Apollo"
                    ]
                }
            }
        }
    ]
}               

使用非对称密钥进行加密和解密

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
            "kms:AsymmetricEncrypt",  
            "kms:AsymmetricDecrypt", 
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
说明

如果您在密码运算等操作中使用密钥别名来标识一个密钥,需要在资源元素中配置相应的别名资源。

使用非对称密钥进行数字签名和验签

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
                "kms:AsymmetricSign", 
                "kms:AsymmetricVerify"
      ],
      "Resource": [
        "acs:kms:${region}:${account}:key/*",
        "acs:kms:${region}:${account}:alias/*"
      ]
    }
  ]
}
说明

如果您在密码运算等操作中使用密钥别名来标识一个密钥,需要在资源元素中配置相应的别名资源。

管理KMS中的凭据

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Describe*",
                "kms:PutSecretValue",
                "kms:Update*",
                "kms:DeleteSecret",
                "kms:RestoreSecret",
                "kms:RotateSecret",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:TagResources",
                "kms:UntagResources"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:secret",
                "acs:kms:${region}:${account}:secret/*",
                "acs:kms:${region}:${account}:alias",
                "acs:kms:${region}:${account}:alias/*"
            ]
        }
    ]
}      

列举凭据、读取凭据属性(元数据)

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:List*",
                "kms:Describe*"
            ],
            "Resource": [
                "acs:kms:${region}:${account}:secret",
                "acs:kms:${region}:${account}:secret/*",
                "acs:kms:${region}:${account}:alias",
                "acs:kms:${region}:${account}:alias/*"
            ]
        }
    ]
}      

获取指定凭据名称的凭据值

以下代码以凭据名称是example-secret为例,并且该凭据通过密钥ID为keyId-example的密钥加密。

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kms:GetSecretValue",
            "Resource": "acs:kms:${region}:${account}:secret/example-secret"
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "acs:kms:${region}:${account}:key/keyId-example"
        }
    ]
}