Updated on 2025-07-18 GMT+08:00

Sharing KMS Resources

Scenarios

To share your KMS resources with other accounts, create a resource share first. During the creation, you need to specify resources to be shared, configure permissions, specify users to be shared with, and confirm the configuration.

You can use shared KMS keys to encrypt secrets and key pairs in DEW, and to create encryption tasks for instances in Relational Database Service (RDS), Document Database Service (DDS), and Object Storage Service (OBS).

Creating Shared KMS Resources

  1. Log in to the management console.
  2. Click in the upper left corner and choose Management & Governance > Resource Access Manager.
  3. In the navigation pane on the left, choose Shared by Me > Resource Shares.
  4. Click Create Resource Share in the upper right corner.

    Figure 1 Specifying shared resources

  5. Set the resource type to kms:KeyId, select the corresponding region, and select the keys to be shared. Click Next: Associate Permissions.
  6. Associate a RAM managed permission with each resource type on the displayed page. Then, click Next: Specify Principals in the lower right corner.
  7. Specify the target principals and click Next: Confirm in the lower right corner.

    Table 1 Parameters

    Parameter: Principal Type

    Description:

    • Organization

      For details about how to create an organization, see .

      NOTE:

      If you have not enabled resource sharing with organizations, this parameter cannot be set to Organization. For details, see .

    • Huawei Cloud account ID

  8. Check the configurations and click Submit in the lower right corner.

    After a shared instance is created, the organization accepts the instance automatically, while Huawei Cloud accounts need to perform certain operations. For details, see .

Viewing Shared KMS Resources

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click on the left. Choose Security & Compliance > Data Encryption Workshop.
  4. Check the shared key resources in the Shared Key tab.

    Figure 2 Shared keys

    In the Shared Key tab, you can choose a scenario by entering the copied KMS encryption key ID.

Using Shared KMS Resources

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click on the left. Choose Security & Compliance > Data Encryption Workshop.
  4. In the navigation pane on the left, choose Cloud Secret Management Service.
  5. Click Create Secret. On the displayed page, select or enter a shared key for KMS Encryption Key.

    Figure 3 Selecting a shared key
    • When creating a key pair, you can select shared KMS keys.
    • When creating an RDS, DDS, or OBS instance, you can choose shared KMS keys.