tencent cloud


Key Management Service

Last updated: 2024-11-26 09:55:20

    Fundamental information

    Product: Key Management Service
    Abbreviation in CAM Console: kms
    Authorization by Tag: Supported
    Authorization Granularity: Resource level
    IP Restriction: Partially supported


    The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

    • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For cloud products authorized at the service level, authorization of individual APIs is not supported.
    • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
    • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

    API authorization granularity

    APIs support two authorization granularity levels: resource level and operation level.

    • Resource level: The API can be authorized for a specific resource.
    • Operation level: The API cannot be authorized for a specific resource. If the policy restricts such an API to a specific resource, CAM determines that the API is outside the scope of the authorization and treats the call as unauthorized.
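    The operation-level rule above is easy to get wrong when a policy mixes key-management actions with Encrypt/Decrypt. As an added example (not from this page or from Tencent Cloud), the following Python linter checks a CAM policy document against the granularity tables on this page: it flags operation-level KMS actions bound to anything other than "*" (the case CAM treats as unauthorized) and resource-level actions whose resource does not follow the six-segment description. The policy layout (version/statement/effect/action/resource) is standard CAM policy syntax; the UIN and key ID in the sample are constructed placeholders.

```python
import re

# Operation-level KMS APIs, transcribed from the tables on this page. Such an
# API cannot be bound to one key: if a statement restricts it to a specific
# resource, CAM treats the API as outside the grant and denies the call.
OPERATION_LEVEL = {
    "CreateWhiteBoxKey", "CancelKeyDeletion", "CreateKey", "Decrypt",
    "DescribeKey", "DescribeKeys", "DescribeWhiteBoxServiceStatus", "Encrypt",
    "GenerateDataKey", "GenerateRandom", "GetEncryptionSDKDownloadLink",
    "GetKeyRotationStatus", "GetRegions", "GetSDKDownloadLink",
    "GetServiceStatus", "ListAlgorithms", "ListEncryptionSDKVariants",
    "ListKeyDetail", "ListKeys", "ListSDKVariants", "ReEncrypt",
    "ScheduleKeyDeletion", "DescribeResourceIds", "ListKey",
    "ListKmsPremiumInstances",
}
# Resource-level forms on this page: a single key (qcs::kms:$region:uin/$uin:
# key/creatorUin/$creatorUin/$keyId) or the kmsservice form of DescribeServiceList.
RESOURCE_FORMS = re.compile(
    r"^qcs::kms:[a-z0-9-]*:uin/\d+:key/creatorUin/\d+/[\w-]+$"
    r"|^qcs::kms::uin/\d+:kmsservice/\*$"
)

def lint_policy(policy: dict) -> list:
    """Return one finding per inconsistency; an empty list means the policy is clean."""
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        for action in st.get("action", []):
            if not action.startswith("kms:") or action == "kms:*":
                continue  # other services and the service-wide wildcard are out of scope
            api = action.split(":", 1)[1]
            for res in st.get("resource", []):
                if api in OPERATION_LEVEL and res != "*":
                    findings.append(f"statement {i}: {action} is operation level, so its "
                                    f"resource must be '*' (got {res!r}); CAM will deny it")
                elif api not in OPERATION_LEVEL and res != "*" and not RESOURCE_FORMS.match(res):
                    findings.append(f"statement {i}: {action} resource {res!r} "
                                    "does not match the six-segment description")
    return findings

# Constructed sample: the UIN and key ID are placeholders, not real identifiers.
KEY = "qcs::kms:ap-guangzhou:uin/100000000001:key/creatorUin/100000000001/00000000-0000-0000-0000-000000000000"
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        # Correct: resource-level APIs scoped to a single key.
        {"effect": "allow", "action": ["kms:EnableKey", "kms:DisableKey"], "resource": [KEY]},
        # Pitfall: Encrypt and Decrypt are operation level; scoping them to the key gets them denied.
        {"effect": "allow", "action": ["kms:Encrypt", "kms:Decrypt"], "resource": [KEY]},
    ],
}
```

Running lint_policy(SAMPLE_POLICY) reports the second statement twice (once for Encrypt, once for Decrypt); the fix is to move those two actions into their own statement with resource "*".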

    Write operations

    API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction
    ArchiveKey | ArchiveKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    BindCloudResource | Bind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported
    CancelKeyArchive | CancelKeyArchive | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    CreateWhiteBoxKey | Create WhiteBox Key | Operation level | * | Supported
    DeleteImportedKeyMaterial | Delete Imported Key Material | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DeleteWhiteBoxKey | Delete White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DisableKey | Disable Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DisableKeyRotation | Disable Key Rotation | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DisableKeys | Disable Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DisableWhiteBoxKey | Disable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DisableWhiteBoxKeys | Disable WhiteBox Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    EnableKey | Enable Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    EnableKeyRotation | Enable Key Rotation | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    EnableKeys | Enable Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    EnableWhiteBoxKey | Enable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    EnableWhiteBoxKeys | Enable White Box Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    ImportKeyMaterial | ImportKeyMaterial | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    OverwriteWhiteBoxDeviceFingerprints | Overwrite WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    SetKeyAttributes | Set Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported
    UnbindCloudResource | Unbind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    UpdateAlias | Update Alias | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    UpdateKeyDescription | Update Key Description | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported

    Other operations

    API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction
    AsymmetricRsaDecrypt | Asymmetric RSA Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    AsymmetricSm2Decrypt | Asymmetric SM2 Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    EncryptByWhiteBox | Encrypt By WhiteBox | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    PostQuantumCryptoDecrypt | Post-quantum cryptography decryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported
    PostQuantumCryptoEncrypt | Post-quantum cryptography encryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported
    PostQuantumCryptoSign | Post-quantum cryptography signing | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported
    PostQuantumCryptoVerify | Post-quantum cryptography signature verification | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported
    SignByAsymmetricKey | SignByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    VerifyByAsymmetricKey | VerifyByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported

    Read operations

    API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction
    CancelKeyDeletion | Cancel scheduled deletion of key | Operation level | * | Supported
    CreateKey | Create master key | Operation level | * | Supported
    Decrypt | Decrypt data | Operation level | * | Supported
    DescribeKey | Get the master key attribute | Operation level | * | Supported
    DescribeKeys | Get multiple master key attributes | Operation level | * | Supported
    DescribeWhiteBoxDecryptKey | Describe WhiteBox Decrypt Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DescribeWhiteBoxKey | Describe White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DescribeWhiteBoxServiceStatus | Describe White Box Service Status | Operation level | * | Supported
    Encrypt | Encrypt data | Operation level | * | Supported
    GenerateDataKey | Generate data key | Operation level | * | Supported
    GenerateRandom | Generate Random | Operation level | * | Supported
    GetEncryptionSDKDownloadLink | Retrieve encryption SDK download link | Operation level | * | Supported
    GetKeyAttributes | Get Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported
    GetKeyRotationStatus | Query key rotation status | Operation level | * | Supported
    GetParametersForImport | Get Parameters For Import | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    GetPublicKey | Get Public Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    GetRegions | Get region | Operation level | * | Supported
    GetSDKDownloadLink | Get SDK download link | Operation level | * | Supported
    GetServiceStatus | Query service status | Operation level | * | Supported
    ListAlgorithms | List Algorithms | Operation level | * | Supported
    ListEncryptionSDKVariants | Get Encryption SDK list | Operation level | * | Supported
    ListKeyDetail | Get master key details list | Operation level | * | Supported
    ListKeys | Get master key list | Operation level | * | Supported
    ListSDKVariants | Get list of SDKs | Operation level | * | Supported
    ReEncrypt | Ciphertext refresh | Operation level | * | Supported
    ScheduleKeyDeletion | Schedule key deletion | Operation level | * | Supported

    List operations

    API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction
    DescribeResourceIds | Describe ResourceIds | Operation level | * | Supported
    DescribeServiceList | Query service list | Resource level | qcs::kms::uin/${uin}:kmsservice/* | Supported
    DescribeWhiteBoxDeviceFingerprints | Describe WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    DescribeWhiteBoxKeyDetails | Describe WhiteBox Key Details | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported
    ListKey | List Key | Operation level | * | Not supported
    ListKmsPremiumInstances | List KMS premium instances | Operation level | * | Supported
