Help Center> Data Encryption Workshop> User Guide> Key Management Service> Managing a Grant> Creating a Grant
Updated on 2024-05-27 GMT+08:00
View PDF

Creating a Grant

You can create grants for other IAM users or accounts to use the custom key. You can create a maximum of 100 grants on a custom key.

Prerequisites

  • You have obtained the ID of the grantee (user to whom permissions are to be authorized).
  • The target custom key is in Enabled status.

Constraints

  • The owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The IAM users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.
  • A maximum of 100 grants can be created for a custom key.
  • Only users and accounts can be authorized. Agency authorization is not supported.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click . Choose Security & Compliance > Data Encryption Workshop.
  4. Click the alias of the target custom key to go to its details page and create a grant on it.
  5. Click the Grants tab.
  6. Click Create Grant. The Create Grant dialog box is displayed.

    Figure 1 Creating a grant (for a user)
    Figure 2 Creating a grant (for an account)

  7. In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted. For details, see Table 1.

    A grantee can perform the authorized operations only by calling the necessary APIs. For details, see the Data Encryption Workshop API Reference.

    Table 1 Parameter description

    Parameter

    Description

    Example Value

    Key ID

    ID of a custom key (automatically read by the system)

    -

    User or Tenant

    Whether a user or an account is authorized.

    • User

      User ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose My Credentials. Choose API Credentials from the navigation pane, and copy the value of IAM User ID.

      After the authorization is complete, the IAM user can use the specified keys.

    • Account

      Account ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose My Credentials. Choose API Credentials from the navigation pane and copy the value of Account ID.

      After the authorization is complete, all IAM users under the account can use the specified keys.

    d9a6b2bdaedd4ba586cabe6372d1b312

    Grant Name

    You can name the grant.

    test

    Operations

    -

  8. Click OK. When message Grant created successfully is displayed in the upper right corner, the grant has been created.

    In the list of grants, you can view the grant name, grant type, grantee ID, granted operation, and creation time of the grant.

Parent topic: Managing a Grant