Key Management Service (KMS) controls access to its resources through Identity and Access Management (IAM). This page describes the resource types and the operation permissions (Actions) that KMS defines.
A Volcengine account has full permissions on its own resources. IAM users and IAM roles have no KMS permissions by default and must be granted them explicitly through an IAM policy.
| Resource type | trn |
|---|---|
| Keyring container (all keyrings in an account, used by create/list operations) | trn:kms:${region}:${account}:keyrings/* |
| Key container (all keys in one keyring, used by create/list operations) | trn:kms:${region}:${account}:keyrings/${keyringName}/keys/* |
| Keyring | trn:kms:${region}:${account}:keyrings/${keyringName} |
| Key | trn:kms:${region}:${account}:keyrings/${keyringName}/keys/${keyName} |
For every API that is subject to access control, KMS defines an operation (Action) to be used in IAM policies. The Action name is normally `kms:<api-name>`.
The table below lists the Action and the resource type each KMS API requires. When writing a policy, the `Resource` element should name a trn of the matching type (or a pattern that covers it); an Action granted on the wrong resource type does not take effect.
| API | Action | Resource type |
|---|---|---|
| CreateKeyring | kms:CreateKeyring | Keyring container |
| DescribeKeyrings | kms:DescribeKeyrings | Keyring container |
| UpdateKeyring | kms:UpdateKeyring | Keyring |
| QueryKeyring | kms:QueryKeyring | Keyring |
| CreateKey | kms:CreateKey | Key container |
| DescribeKeys | kms:DescribeKeys | Key container |
| UpdateKey | kms:UpdateKey | Key |
| GenerateDataKey | kms:GenerateDataKey | Key |
| Encrypt | kms:Encrypt | Key |
| Decrypt | kms:Decrypt | Key |
| AsymmetricEncrypt | kms:AsymmetricEncrypt | Key |
| AsymmetricDecrypt | kms:AsymmetricDecrypt | Key |
| AsymmetricSign | kms:AsymmetricSign | Key |
| AsymmetricVerify | kms:AsymmetricVerify | Key |
| EnableKey | kms:EnableKey | Key |
| DisableKey | kms:DisableKey | Key |
| ScheduleKeyDeletion | kms:ScheduleKeyDeletion | Key |
| CancelKeyDeletion | kms:CancelKeyDeletion | Key |
KMS provides the following system policies. All three use `"Resource": ["*"]`, so they apply to every keyring and key in the account; for production workloads, prefer a custom policy whose `Resource` lists the specific key or keyring trn.

KMSFullAccess: every KMS action on every resource, including ScheduleKeyDeletion.

```json
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kms:*", "Resource": [ "*" ] } ] }
```

KMSReadOnlyAccess: the `kms:Describe*` wildcard matches DescribeKeyrings and DescribeKeys from the table above. It does not match `kms:QueryKeyring`, so a principal holding only this policy can list keyrings and keys but cannot query a single keyring.

```json
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kms:Describe*", "Resource": [ "*" ] } ] }
```

KMSCryptoUserAccess: the symmetric data-path operations only. The asymmetric operations (AsymmetricEncrypt, AsymmetricDecrypt, AsymmetricSign, AsymmetricVerify) and all key-management actions (Create/Update/Enable/Disable/ScheduleKeyDeletion) are not included and must be granted separately if needed.

```json
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"], "Resource": [ "*" ] } ] }
```
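The following is an added illustration, not part of the original page and not Volcengine's IAM engine. It implements only the `*` wildcard matching on `Action` and `Resource` and evaluates `Allow` statements, which is enough to check, against the action table above, what each of the three system policies actually grants and to show a least-privilege alternative scoped to one key trn. The region, account ID, keyring name and key name in the trns are placeholders.

```python
"""Simplified evaluator for KMS IAM policy documents (illustrative only).

Implements IAM-style '*' glob matching on Action and Resource and evaluates
Allow statements. Deny, conditions and principals are out of scope here.
"""
import fnmatch

# Every Action defined on the page and the resource type it targets.
KMS_ACTIONS = {
    "kms:CreateKeyring": "keyring container",
    "kms:DescribeKeyrings": "keyring container",
    "kms:UpdateKeyring": "keyring",
    "kms:QueryKeyring": "keyring",
    "kms:CreateKey": "key container",
    "kms:DescribeKeys": "key container",
    "kms:UpdateKey": "key",
    "kms:GenerateDataKey": "key",
    "kms:Encrypt": "key",
    "kms:Decrypt": "key",
    "kms:AsymmetricEncrypt": "key",
    "kms:AsymmetricDecrypt": "key",
    "kms:AsymmetricSign": "key",
    "kms:AsymmetricVerify": "key",
    "kms:EnableKey": "key",
    "kms:DisableKey": "key",
    "kms:ScheduleKeyDeletion": "key",
    "kms:CancelKeyDeletion": "key",
}

# The three system policies quoted on the page.
KMS_FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": ["*"]}]}
KMS_READ_ONLY_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "kms:Describe*", "Resource": ["*"]}]}
KMS_CRYPTO_USER_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"],
     "Resource": ["*"]}]}

# Constructed placeholder trns (region, account, keyring and key names are made up).
KEY_TRN = "trn:kms:cn-beijing:2100000000:keyrings/payments/keys/orders-key"
OTHER_KEY_TRN = "trn:kms:cn-beijing:2100000000:keyrings/payments/keys/refunds-key"
KEYRING_TRN = "trn:kms:cn-beijing:2100000000:keyrings/payments"

# Hypothetical least-privilege policy: a service that only needs to decrypt
# ciphertext under one key gets kms:Decrypt on that key's trn and nothing else.
PAYMENTS_DECRYPT_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_TRN]}]}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters, case-sensitively."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource trn."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def granted_actions(policy, resource):
    """Sorted list of the page's KMS actions that `policy` allows on `resource`."""
    return sorted(a for a in KMS_ACTIONS if is_allowed(policy, a, resource))


if __name__ == "__main__":
    for name, policy in [("KMSFullAccess", KMS_FULL_ACCESS),
                         ("KMSReadOnlyAccess", KMS_READ_ONLY_ACCESS),
                         ("KMSCryptoUserAccess", KMS_CRYPTO_USER_ACCESS),
                         ("PaymentsDecryptOnly (hypothetical)", PAYMENTS_DECRYPT_ONLY)]:
        print(f"{name}: {granted_actions(policy, KEY_TRN)}")
    # kms:Describe* does not cover QueryKeyring.
    print("ReadOnly can QueryKeyring:", is_allowed(KMS_READ_ONLY_ACCESS, "kms:QueryKeyring", KEYRING_TRN))
    # The scoped policy does not reach a sibling key in the same keyring.
    print("DecryptOnly on other key:", is_allowed(PAYMENTS_DECRYPT_ONLY, "kms:Decrypt", OTHER_KEY_TRN))
```

Running `granted_actions` against the placeholder trn makes the gaps in the system policies explicit: KMSReadOnlyAccess yields only the two Describe actions, KMSCryptoUserAccess yields the three symmetric data-path actions, and the scoped policy allows `kms:Decrypt` on `orders-key` but not on `refunds-key`, which is the behaviour to aim for when replacing `"Resource": ["*"]` with a concrete trn.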