forked from docs/doc-exports
Li, Qiao
d9e750baf4
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com> Co-authored-by: Li, Qiao <qiaoli@huawei.com> Co-committed-by: Li, Qiao <qiaoli@huawei.com>
3.1 KiB
3.1 KiB
Creating a Custom KMS Policy
Custom policies can be created as a supplement to the system policies of KMS. For details about the actions supported by custom policies, see "Permissions Policies and Supported Actions" in Key Management Service API Reference.
You can create custom policies in either of the following ways:
- Visual editor: You can select policy configurations without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy. This section describes typical KMS custom policies.
Example Custom Policies of KMS
- Example: authorizing users to create and import keys
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:cmk:create", "kms:cmk:getMaterial", "kms:cmkTag:create", "kms:cmkTag:batch", "kms:cmk:importMaterial" ] } ] }
- Example: authorizing users to use keys
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:dek:crypto", "kms:cmk:get", "kms:cmk:crypto", "kms:cmk:generate", "kms:cmk:list" ] } ] } - Example: multi-action policy
A custom policy can contain actions of multiple services that are all of the global or project-level type. The following is a policy with multiple statements:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "rds:task:list" ] }, { "Effect": "Allow", "Action": [ "kms:dek:crypto", "kms:cmk:get", "kms:cmk:crypto", "kms:cmk:generate", "kms:cmk:list" ] } ] }
Parent topic: Permission Control