Overview
Based on Resource Access Manager (RAM), resource owners can configure sharing permissions according to the principle of least privilege and their usage requirements. Resource users can access shared resources only within the permissions granted to them, which improves both the security of resource management and the user experience. For more information about RAM, see What Is RAM?
If your account is managed by Huawei Cloud Organizations, you can enable sharing with organizations to share resources more easily: you can share resources with a specified account or with all accounts in the organization without selecting each account one by one. For details, see Enabling Sharing with Organizations.
Constraints
- You must own the KMS key resources you share. You cannot re-share KMS key resources that have been shared with you.
- To share KMS key resources with your organization, enable sharing with organizations first. For more information, see Enabling Sharing with Organizations.
Key Owner and Recipient Permissions
Key owners can perform all operations on their keys, while recipients can perform only the operations listed in Table 1.
| Role | Allowed Operation | Description |
|---|---|---|
| Recipient | kms:cmk:get | Access through the console or API |
| | kms:cmk:createDataKey | Access through API only |
| | kms:cmk:createDataKeyWithoutPlaintext | Access through API only |
| | kms:cmk:encryptDataKey | Access through API only |
| | kms:cmk:decryptDataKey | Access through API only |
| | kms:cmk:encryptData | Access through the console or API |
| | kms:cmk:decryptData | Access through the console or API |
| | kms:cmk:sign | Access through API only |
| | kms:cmk:verify | Access through API only |
| | kms:cmk:generateMac | Access through API only |
| | kms:cmk:verifyMac | Access through API only |
| | kms:cmk:getPublicKey | Access through the console or API |
| | kms:cmk:getRotation | Access through the console or API |
| | kms:cmk:getTags | Access through the console or API |
Supported Resource Types and Regions
The following table lists the DEW resource types that can be shared and the regions in which sharing is supported.
| Cloud Service | Resource Type | Supported Region |
|---|---|---|
| KMS | CMK | CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Shenzhen, CN Southwest-Guiyang1, CN South-Guangzhou |
Billing
For details about KMS billing, see .
Owners of shared keys pay the key instance fees and the API call fees; that is, only the resource owner is charged for shared resources.