Encryption Key Management

Permission	API	Action	Dependent Permission	IAM Project (Project)	Enterprise Project (Enterprise Project)
Creating a CMK	POST /v1.0/{project_id}/kms/create-key	kms:cmk:create	-	√	√
Enabling a CMK	POST /v1.0/{project_id}/kms/enable-key	kms:cmk:enable	-	√	√
Disabling a CMK	POST /v1.0/{project_id}/kms/disable-key	kms:cmk:disable	-	√	√
Scheduling the deletion of a CMK	POST /v1.0/{project_id}/kms/schedule-key-deletion	kms:cmk:update	-	√	√
Canceling the scheduled deletion of a CMK	POST /v1.0/{project_id}/kms/cancel-key-deletion	kms:cmk:update	-	√	√
Querying the list of CMKs	POST /v1.0/{project_id}/kms/list-keys	kms:cmk:list	-	√	√
Queries the CMK information.	POST /v1.0/{project_id}/kms/describe-key	kms:cmk:get	-	√	√
Generating a random number	POST /v1.0/{project_id}/kms/gen-random	kms:cmk:generate	-	√	×
Creating a DEK	POST /v1.0/{project_id}/kms/create-datakey	kms:dek:create	-	√	√
Creating a plaintext-free DEK	POST /v1.0/{project_id}/kms/create-datakey-without-plaintext	kms:dek:create	-	√	√
Encrypting a DEK	POST /v1.0/{project_id}/kms/encrypt-datakey	kms:dek:crypto or kms:dek:encrypt	-	√	√
Decrypting a DEK	POST /v1.0/{project_id}/kms/decrypt-datakey	kms:dek:crypto or kms:dek:decrypt	-	√	√
Querying the number of instances	GET /v1.0/{project_id}/kms/user-instances	kms:cmk:getInstance	-	√	×
Querying the user quota	GET /v1.0/{project_id}/kms/user-quotas	kms:cmk:getQuota	-	√	×
Modifying the CMK alias	POST /v1.0/{project_id}/kms/update-key-alias	kms:cmk:update	-	√	√
Modifying the description of a CMK	POST /v1.0/{project_id}/kms/update-key-description	kms:cmk:update	-	√	√
Creating a grant	POST /v1.0/{project_id}/kms/create-grant	kms:grant:create	-	√	√
Revoking a grant	POST /v1.0/{project_id}/kms/revoke-grant	kms:grant:revoke	-	√	√
Retiring a grant	POST /v1.0/{project_id}/kms/retire-grant	kms:grant:retire	-	√	√
Querying the grant list of a CMK	POST /v1.0/{project_id}/kms/list-grants	kms:grant:list	-	√	×
Querying the list of grants that can be retired	POST /v1.0/{project_id}/kms/list-retirable-grants	kms:grant:list	-	√	×
Encrypting data	POST /v1.0/{project_id}/kms/encrypt-data	kms:cmk:crypto or kms:cmk:encrypt	-	√	√
Decrypting data	POST /v1.0/{project_id}/kms/decrypt-data	kms:cmk:crypto or kms:cmk:decrypt	-	√	√
Obtaining parameters for importing a key	POST /v1.0/{project_id}/kms/get-parameters-for-import	kms:cmk:getMaterial	-	√	√
Importing key material	POST /v1.0/{project_id}/kms/import-key-material	kms:cmk:importMaterial	-	√	√
Deleting key material	POST /v1.0/{project_id}/kms/delete-imported-key-material	kms:cmk:deleteMaterial	-	√	√
Enabling key rotation	POST /v1.0/{project_id}/kms/enable-key-rotation	kms:cmk:enableRotation	-	√	√
Modifying the rotation interval	POST /v1.0/{project_id}/kms/update-key-rotation-interval	kms:cmk:updateRotation	-	√	√
Disabling key rotation	POST /v1.0/{project_id}/kms/disable-key-rotation	kms:cmk:disableRotation	-	√	√
Querying the key rotation status	POST /v1.0/{project_id}/kms/get-key-rotation-status	kms:cmk:getRotation	-	√	√
Querying key resource instances	POST /v1.0/{project_id}/kms/resource_instances/action	kms:cmkTag:listInstance	-	√	√
Querying tags of a key	GET /v1.0/{project_id}/kms/{key_id}/tags	kms:cmkTag:list	-	√	√
Querying the project tags	GET /v1.0/{project_id}/kms/tags	kms:cmkTag:list	-	√	×
Adding or deleting key tags in batches	POST /v1.0/{project_id}/kms/{key_id}/tags/action	kms:cmkTag:batch	-	√	√
Adding tags to a key	POST /v1.0/{project_id}/kms/{key_id}/tags	kms:cmkTag:create	-	√	√
Deleting tags of a key	POST /v1.0/{project_id}/kms/{key_id}/tags/{key}	kms:cmkTag:delete	-	√	√