Encryption Key Management
| Permission | API | Action | Dependent Permission | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a CMK | POST /v1.0/{project_id}/kms/create-key | kms:cmk:create | - | √ | √ |
| Enabling a CMK | POST /v1.0/{project_id}/kms/enable-key | kms:cmk:enable | - | √ | √ |
| Disabling a CMK | POST /v1.0/{project_id}/kms/disable-key | kms:cmk:disable | - | √ | √ |
| Scheduling the deletion of a CMK | POST /v1.0/{project_id}/kms/schedule-key-deletion | kms:cmk:update | - | √ | √ |
| Canceling the scheduled deletion of a CMK | POST /v1.0/{project_id}/kms/cancel-key-deletion | kms:cmk:update | - | √ | √ |
| Querying the list of CMKs | POST /v1.0/{project_id}/kms/list-keys | kms:cmk:list | - | √ | √ |
| Querying CMK information | POST /v1.0/{project_id}/kms/describe-key | kms:cmk:get | - | √ | √ |
| Generating a random number | POST /v1.0/{project_id}/kms/gen-random | kms:cmk:generate | - | √ | × |
| Creating a DEK | POST /v1.0/{project_id}/kms/create-datakey | kms:dek:create | - | √ | √ |
| Creating a plaintext-free DEK | POST /v1.0/{project_id}/kms/create-datakey-without-plaintext | kms:dek:create | - | √ | √ |
| Encrypting a DEK | POST /v1.0/{project_id}/kms/encrypt-datakey | kms:dek:crypto or kms:dek:encrypt | - | √ | √ |
| Decrypting a DEK | POST /v1.0/{project_id}/kms/decrypt-datakey | kms:dek:crypto or kms:dek:decrypt | - | √ | √ |
| Querying the number of instances | GET /v1.0/{project_id}/kms/user-instances | kms:cmk:getInstance | - | √ | × |
| Querying the user quota | GET /v1.0/{project_id}/kms/user-quotas | kms:cmk:getQuota | - | √ | × |
| Modifying the CMK alias | POST /v1.0/{project_id}/kms/update-key-alias | kms:cmk:update | - | √ | √ |
| Modifying the description of a CMK | POST /v1.0/{project_id}/kms/update-key-description | kms:cmk:update | - | √ | √ |
| Creating a grant | POST /v1.0/{project_id}/kms/create-grant | kms:grant:create | - | √ | √ |
| Revoking a grant | POST /v1.0/{project_id}/kms/revoke-grant | kms:grant:revoke | - | √ | √ |
| Retiring a grant | POST /v1.0/{project_id}/kms/retire-grant | kms:grant:retire | - | √ | √ |
| Querying the grant list of a CMK | POST /v1.0/{project_id}/kms/list-grants | kms:grant:list | - | √ | × |
| Querying the list of grants that can be retired | POST /v1.0/{project_id}/kms/list-retirable-grants | kms:grant:list | - | √ | × |
| Encrypting data | POST /v1.0/{project_id}/kms/encrypt-data | kms:cmk:crypto or kms:cmk:encrypt | - | √ | √ |
| Decrypting data | POST /v1.0/{project_id}/kms/decrypt-data | kms:cmk:crypto or kms:cmk:decrypt | - | √ | √ |
| Obtaining parameters for importing a key | POST /v1.0/{project_id}/kms/get-parameters-for-import | kms:cmk:getMaterial | - | √ | √ |
| Importing key material | POST /v1.0/{project_id}/kms/import-key-material | kms:cmk:importMaterial | - | √ | √ |
| Deleting key material | POST /v1.0/{project_id}/kms/delete-imported-key-material | kms:cmk:deleteMaterial | - | √ | √ |
| Enabling key rotation | POST /v1.0/{project_id}/kms/enable-key-rotation | kms:cmk:enableRotation | - | √ | √ |
| Modifying the rotation interval | POST /v1.0/{project_id}/kms/update-key-rotation-interval | kms:cmk:updateRotation | - | √ | √ |
| Disabling key rotation | POST /v1.0/{project_id}/kms/disable-key-rotation | kms:cmk:disableRotation | - | √ | √ |
| Querying the key rotation status | POST /v1.0/{project_id}/kms/get-key-rotation-status | kms:cmk:getRotation | - | √ | √ |
| Querying key resource instances | POST /v1.0/{project_id}/kms/resource_instances/action | kms:cmkTag:listInstance | - | √ | √ |
| Querying tags of a key | GET /v1.0/{project_id}/kms/{key_id}/tags | kms:cmkTag:list | - | √ | √ |
| Querying the project tags | GET /v1.0/{project_id}/kms/tags | kms:cmkTag:list | - | √ | × |
| Adding or deleting key tags in batches | POST /v1.0/{project_id}/kms/{key_id}/tags/action | kms:cmkTag:batch | - | √ | √ |
| Adding tags to a key | POST /v1.0/{project_id}/kms/{key_id}/tags | kms:cmkTag:create | - | √ | √ |
| Deleting tags of a key | POST /v1.0/{project_id}/kms/{key_id}/tags/{key} | kms:cmkTag:delete | - | √ | √ |