Product |
Abbreviation in CAM |
Console |
Authorization by Tag |
Authorization Granularity |
IP Restriction |
Key Management Service |
kms |
Supported |
Supported |
Resource level |
Partially supported |
Note:
The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.
- Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For the authorization granularity of cloud products at service level, the authorization of specific APIs are not supported.
- Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
- Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.
API authorization granularity
Two authorization granularity levels of API are supported: resource level, and operation level.
- Resource level: It supports the authorization of a specific resource.
- Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
Write operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
ArchiveKey |
ArchiveKey |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
BindCloudResource |
Bind Cloud Resource |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
not supported |
CancelKeyArchive |
CancelKeyArchive |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
CreateWhiteBoxKey |
Create WhiteBox Key |
Operation level |
* |
Supported |
DeleteImportedKeyMaterial |
Delete Imported Key Material |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DeleteWhiteBoxKey |
Delete White Box Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DisableKey |
Disable Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DisableKeyRotation |
Disable Key Rotation |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DisableKeys |
Disable Keys |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DisableWhiteBoxKey |
Disable WhiteBox Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DisableWhiteBoxKeys |
Disable WhiteBox Keys |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
EnableKey |
Enable Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
EnableKeyRotation |
Enable Key Rotation |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
EnableKeys |
Enable Keys |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
EnableWhiteBoxKey |
Enable WhiteBox Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
EnableWhiteBoxKeys |
Enable White Box Keys |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
ImportKeyMaterial |
ImportKeyMaterial |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
OverwriteWhiteBoxDeviceFingerprints |
Overwrite WhiteBox Device Fingerprints |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
SetKeyAttributes |
Set Key Attributes |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
not supported |
UnbindCloudResource |
Unbind Cloud Resource |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
UpdateAlias |
Update Alias |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
UpdateKeyDescription |
Update Key Description |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
Other Operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
AsymmetricRsaDecrypt |
Asymmetric Rsa Decrypt |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
AsymmetricSm2Decrypt |
Asymmetric Sm2 Decrypt |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
EncryptByWhiteBox |
Encrypt By WhiteBox |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
PostQuantumCryptoDecrypt |
Post quantum cryptography decryption |
Resource level |
qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId |
Supported |
PostQuantumCryptoEncrypt |
Post quantum cryptography encryption |
Resource level |
qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId |
Supported |
PostQuantumCryptoSign |
Post quantum cryptography sign |
Resource level |
qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId |
Supported |
PostQuantumCryptoVerify |
Post quantum cryptography signature verify |
Resource level |
qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId |
Supported |
SignByAsymmetricKey |
SignByAsymmetricKey |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
VerifyByAsymmetricKey |
VerifyByAsymmetricKey |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
Read operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
CancelKeyDeletion |
Cancel scheduled deletion of key |
Operation level |
* |
Supported |
CreateKey |
Create master key |
Operation level |
* |
Supported |
Decrypt |
Decrypt data |
Operation level |
* |
Supported |
DescribeKey |
Get the master key attribute |
Operation level |
* |
Supported |
DescribeKeys |
Get multiple master key attributes |
Operation level |
* |
Supported |
DescribeWhiteBoxDecryptKey |
Describe WhiteBox Decrypt Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DescribeWhiteBoxKey |
Describe White Box Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DescribeWhiteBoxServiceStatus |
Describe White Box Service Status |
Operation level |
* |
Supported |
Encrypt |
Encrypt data |
Operation level |
* |
Supported |
GenerateDataKey |
Generate data key |
Operation level |
* |
Supported |
GenerateRandom |
Generate Random |
Operation level |
* |
Supported |
GetEncryptionSDKDownloadLink |
Retrieve encryption SDK download link. |
Operation level |
* |
Supported |
GetKeyAttributes |
Get Key Attributes |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
not supported |
GetKeyRotationStatus |
Query key rotation status |
Operation level |
* |
Supported |
GetParametersForImport |
Get Parameters For Import |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
GetPublicKey |
Get Public Key |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
GetRegions |
Get region |
Operation level |
* |
Supported |
GetSDKDownloadLink |
Get SDK download link. |
Operation level |
* |
Supported |
GetServiceStatus |
Query service status |
Operation level |
* |
Supported |
ListAlgorithms |
List Algorithms |
Operation level |
* |
Supported |
ListEncryptionSDKVariants |
Get Encryption SDK list. |
Operation level |
* |
Supported |
ListKeyDetail |
Get master key details list |
Operation level |
* |
Supported |
ListKeys |
Get master key list |
Operation level |
* |
Supported |
ListSDKVariants |
Get list of SDKs |
Operation level |
* |
Supported |
ReEncrypt |
Cipher text refresh |
Operation level |
* |
Supported |
ScheduleKeyDeletion |
Plan to delete key |
Operation level |
* |
Supported |
List Operations
API |
API Description |
Authorization Granularity |
Six-segment Resource Description |
IP Restriction |
DescribeResourceIds |
Describe ResourceIds |
Operation level |
* |
Supported |
DescribeServiceList |
query service list |
Resource level |
qcs::kms::uin/${uin}:kmsservice/* |
Supported |
DescribeWhiteBoxDeviceFingerprints |
Describe WhiteBox Device Fingerprints |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
DescribeWhiteBoxKeyDetails |
Describe WhiteBox Key Details |
Resource level |
qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId |
Supported |
ListKey |
List Key |
Operation level |
* |
not supported |
ListKmsPremiumInstances |
List KMS premium instances. |
Operation level |
* |
Supported |
문제 해결에 도움이 되었나요?