tencent cloud

Feedback

Key Management Service

Last updated: 2024-07-13 09:15:44

    Fundamental information

    Product Abbreviation in CAM Console Authorization by Tag Authorization Granularity IP Restriction
    Key Management Service kms Supported Supported Resource level Partially supported

    Note:

    The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

    • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
    • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
    • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

    API authorization granularity

    Two authorization granularity levels of API are supported: resource level, and operation level.

    • Resource level: It supports the authorization of a specific resource.
    • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.

    Write operations

    API API Description Authorization Granularity Six-segment Resource Description IP Restriction
    ArchiveKey ArchiveKey Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    BindCloudResource Bind Cloud Resource Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId not supported
    CancelKeyArchive CancelKeyArchive Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    CancelKeyDeletion Cancel Key Deletion Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    CreateKey Create key Operation level * Supported
    CreateWhiteBoxKey Create WhiteBox Key Operation level * Supported
    DeleteImportedKeyMaterial Delete Imported Key Material Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DeleteWhiteBoxKey Delete White Box Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DisableKey Disable Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DisableKeyRotation Disable Key Rotation Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DisableKeys Disable Keys Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DisableWhiteBoxKey Disable WhiteBox Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DisableWhiteBoxKeys Disable WhiteBox Keys Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    EnableKey Enable Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    EnableKeyRotation Enable Key Rotation Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    EnableKeys Enable Keys Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    EnableWhiteBoxKey Enable WhiteBox Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    EnableWhiteBoxKeys Enable White Box Keys Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    ImportKeyMaterial Import Key Material Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    OverwriteWhiteBoxDeviceFingerprints Overwrite WhiteBox Device Fingerprints Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    ScheduleKeyDeletion Schedule Key Deletion Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    SetKeyAttributes Set Key Attributes Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId not supported
    UnbindCloudResource Unbind Cloud Resource Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    UpdateAlias Update Alias Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    UpdateKeyDescription Update Key Description Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported

    Read operations

    API API Description Authorization Granularity Six-segment Resource Description IP Restriction
    AsymmetricRsaDecrypt Asymmetric Rsa Decrypt Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    AsymmetricSm2Decrypt Asymmetric Sm2 Decrypt Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    Decrypt Decrypt Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DescribeKey Describe Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DescribeWhiteBoxDecryptKey Describe WhiteBox Decrypt Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DescribeWhiteBoxKey Describe White Box Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DescribeWhiteBoxServiceStatus Describe White Box Service Status Operation level * Supported
    Encrypt Encrypt Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    EncryptByWhiteBox Encrypt By WhiteBox Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    GenerateDataKey Generate data key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    GenerateRandom Generate Random Operation level * Supported
    GetEncryptionSDKDownloadLink Retrieve encryption SDK download link. Operation level * Supported
    GetKeyAttributes Get Key Attributes Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId not supported
    GetKeyRotationStatus Get Key Rotation Status Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    GetParametersForImport Get Parameters For Import Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    GetPublicKey Get Public Key Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    GetRegions Get Regions Operation level * Supported
    GetSDKDownloadLink Get SDK download link. Operation level * Supported
    GetServiceStatus Get Service Status Operation level * Supported
    ListAlgorithms List Algorithms Operation level * Supported
    ListEncryptionSDKVariants Get Encryption SDK list. Operation level * Supported
    ListSDKVariants Get list of SDKs Operation level * Supported
    ReEncrypt ReEncrypt Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    SignByAsymmetricKey SignByAsymmetricKey Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    VerifyByAsymmetricKey VerifyByAsymmetricKey Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported

    List Operations

    API API Description Authorization Granularity Six-segment Resource Description IP Restriction
    DescribeKeys Describe Keys Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DescribeResourceIds Describe ResourceIds Operation level * Supported
    DescribeWhiteBoxDeviceFingerprints Describe WhiteBox Device Fingerprints Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    DescribeWhiteBoxKeyDetails Describe WhiteBox Key Details Resource level qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId Supported
    ListKey List Key Operation level * not supported
    ListKeyDetail List Key Detail Operation level * Supported
    ListKeys List Keys Operation level * Supported
    ListKmsPremiumInstances List KMS premium instances. Operation level * Supported

    Other Operations

    API API Description Authorization Granularity Six-segment Resource Description IP Restriction
    PostQuantumCryptoDecrypt Post quantum cryptography decryption Resource level qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId Supported
    PostQuantumCryptoEncrypt Post quantum cryptography encryption Resource level qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId Supported
    PostQuantumCryptoSign Post quantum cryptography sign Resource level qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId Supported
    PostQuantumCryptoVerify Post quantum cryptography signature verify Resource level qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId Supported
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support