| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Key Management Service | kms | Supported | Supported | Resource level | Partially supported |

Note:

The authorization granularity of cloud products is divided into three levels, from coarsest to finest: service level, operation level, and resource level.

- Service level: It defines whether a user has permission to access the service as a whole. A user has either full access or no access to the service. Products whose authorization granularity is service level do not support authorization of specific APIs.
- Operation level: It defines whether a user has permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity, which defines whether a user has permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

KMS APIs support two authorization granularity levels: resource level and operation level.

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| ArchiveKey | ArchiveKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| AsymmetricRsaDecrypt | Asymmetric Rsa Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| AsymmetricSm2Decrypt | Asymmetric Sm2 Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| BindCloudResource | Bind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported |
| CancelDataKeyDeletion | Cancel Scheduled Data Key Deletion | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| CancelKeyArchive | CancelKeyArchive | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| CancelKeyDeletion | Cancel scheduled deletion of key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| CreateKey | Create master key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/* | Supported |
| CreateWhiteBoxKey | Create WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/* | Supported |
| Decrypt | Decrypt data | Operation level | * | Supported |
| DeleteImportedKeyMaterial | Delete Imported Key Material | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DeleteWhiteBoxKey | Delete White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DisableDataKey | Disable Data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DisableDataKeys | Bulk Disable Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DisableTrustedService | Disable Trusted Service | Operation level | * | Not supported |
| DisableWhiteBoxKey | Disable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DisableWhiteBoxKeys | Disable WhiteBox Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EnableDataKey | Enable Data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| EnableDataKeys | Bulk Enable Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| EnableTrustedService | Enable Trusted Service | Operation level | * | Supported |
| EnableWhiteBoxKey | Enable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EnableWhiteBoxKeys | Enable White Box Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| Encrypt | Encrypt data | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EncryptByWhiteBox | Encrypt By WhiteBox | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GenerateDataKey | Generate data key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GenerateRandom | Generate Random | Operation level | * | Supported |
| ImportDataKey | Import data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| ImportKeyMaterial | ImportKeyMaterial | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ModifySyncTask | Modify and save synchronization task | Operation level | * | Supported |
| OverwriteWhiteBoxDeviceFingerprints | Overwrite WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ReEncrypt | Cipher text refresh | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ScheduleDataKeyDeletion | Schedule Data Key Deletion | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| ScheduleKeyDeletion | Plan to delete key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| SetKeyAttributes | Set Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported |
| SignByAsymmetricKey | SignByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| UnbindCloudResource | Unbind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| UpdateDataKeyDescription | Modify Data Key Description | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| UpdateDataKeyName | Modify Data Key Name | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| VerifyByAsymmetricKey | VerifyByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeDataKey | Retrieve Details of Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DescribeDataKeys | Retrieve Details List of Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DescribeKey | Get the master key attribute | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeKeys | Get multiple master key attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxDecryptKey | Describe WhiteBox Decrypt Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxKey | Describe White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxServiceStatus | Describe White Box Service Status | Operation level | * | Supported |
| DisableKey | DisableKey | Operation level | * | Supported |
| DisableKeyRotation | DisableKeyRotation | Operation level | * | Supported |
| DisableKeys | DisableKeys | Operation level | * | Supported |
| EnableKey | EnableKey | Operation level | * | Supported |
| EnableKeyRotation | EnableKeyRotation | Operation level | * | Supported |
| EnableKeys | EnableKeys | Operation level | * | Supported |
| GetDataKeyCiphertextBlob | Download Data Key CipherText | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| GetDataKeyPlaintext | Retrieve Data Key Plaintext | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| GetEncryptionSDKDownloadLink | Retrieve encryption SDK download link. | Operation level | * | Supported |
| GetKeyAttributes | Get Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported |
| GetKeyRotationStatus | Query key rotation status | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetParametersForImport | Get Parameters For Import | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetPublicKey | Get Public Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetRegions | Get region | Operation level | * | Supported |
| GetSDKDownloadLink | Get SDK download link. | Operation level | * | Supported |
| GetServiceStatus | Query service status | Operation level | * | Supported |
| GetSyncSupportRegion | Get regions that support key synchronization | Operation level | * | Supported |
| GetUserStatus | Get User Status | Operation level | * | Supported |
| ListAlgorithms | List Algorithms | Operation level | * | Supported |
| ListDataKeyDetail | Get data key details list | Operation level | * | Supported |
| ListDataKeys | List of Data Keys | Operation level | * | Supported |
| ListEncryptionSDKVariants | Get Encryption SDK list. | Operation level | * | Supported |
| ListKeyDetail | Get master key details list | Operation level | * | Supported |
| ListKeys | Get master key list | Operation level | * | Supported |
| ListMultiAccountMembers | List Trusted Service Status Members | Operation level | * | Supported |
| ListSDKVariants | Get list of SDKs | Operation level | * | Supported |
| UpdateAlias | UpdateAlias | Operation level | * | Supported |
| UpdateKeyDescription | UpdateKeyDescription | Operation level | * | Supported |

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeMonitorActionList | Query monitor action list | Operation level | * | Supported |
| DescribeResourceIds | Describe ResourceIds | Operation level | * | Supported |
| DescribeServiceList | Query service list | Resource level | qcs::kms::uin/${uin}:kmsservice/* | Supported |
| DescribeWhiteBoxDeviceFingerprints | Describe WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxKeyDetails | Describe WhiteBox Key Details | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ListKey | List Key | Operation level | * | Not supported |
| ListKmsPremiumInstances | List KMS premium instances. | Operation level | * | Supported |

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| PostQuantumCryptoDecrypt | Post quantum cryptography decryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoEncrypt | Post quantum cryptography encryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoSign | Post quantum cryptography sign | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoVerify | Post quantum cryptography signature verify | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
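
The following policy lint is an added example, not code from this documentation or from Tencent Cloud. It uses the granularity of a few rows above to flag allow statements that pair an operation-level API with a per-key resource, or a resource-level API with `*`. The policy JSON layout (`version`, `statement`, `effect`, `action`, `resource`), the optional `name/` action prefix, the segment labels, and the sample UIN and key ID are assumptions constructed for illustration.

```python
# Granularity copied from a few rows of the tables on this page.
GRANULARITY = {
    "Decrypt": "operation", "DisableKey": "operation", "ListKeys": "operation",
    "Encrypt": "resource", "GenerateDataKey": "resource",
    "ScheduleKeyDeletion": "resource",
}

# Constructed sample policy; the UIN and key ID are placeholders.
KEY = "qcs::kms:ap-guangzhou:uin/100000000001:key/creatorUin/100000000001/example-key-id"
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["kms:Encrypt", "kms:Decrypt"], "resource": [KEY]},
        {"effect": "allow", "action": "name/kms:GenerateDataKey", "resource": "*"},
    ],
}

def split_resource(res):
    """Split a six-segment description into labelled parts, or return None."""
    parts = res.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        return None
    labels = ("prefix", "project", "service", "region", "account", "resource")
    return dict(zip(labels, parts))  # labels are this example's own names

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (api, resource, message) findings for KMS allow statements."""
    findings = []
    for st in policy.get("statement", []):
        if st.get("effect") != "allow":
            continue
        for action in as_list(st.get("action", [])):
            service, _, api = action.split("/", 1)[-1].partition(":")
            level = GRANULARITY.get(api)
            if service != "kms" or level is None:
                continue  # not a KMS API covered by the table subset above
            for res in as_list(st.get("resource", [])):
                seg = split_resource(res)
                if level == "operation" and res != "*":
                    findings.append((api, res, "operation-level API; table lists resource *"))
                elif level == "resource" and res == "*":
                    findings.append((api, res, "resource-level API on *; narrow to a key"))
                elif level == "resource" and (seg is None or seg["service"] != "kms"):
                    findings.append((api, res, "not a kms six-segment resource"))
    return findings
```

Running `lint_policy(SAMPLE_POLICY)` reports `Decrypt` (listed as operation level with resource `*`, yet granted on a single key) and `GenerateDataKey` (resource level, yet granted on `*`).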