Help Center/ Data Encryption Workshop/ User Guide/ Key Management Service/ Managing a Grant/ Creating a Grant
Updated on 2024-12-19 GMT+08:00
View PDF
Share

Creating a Grant

You can create grants for other IAM users or accounts to use the custom key. You can create a maximum of 100 grants on a custom key.

Prerequisites

  • You have obtained the ID of the grantee (user to whom permissions are to be authorized).
  • The target custom key is in Enabled status.

Constraints

  • The owner of a custom key can create a grant for the custom key on the KMS console or by calling APIs. The IAM users or accounts who have the grant creation permission assigned by the owner of the custom key can create grants for the custom key only by calling APIs.
  • A maximum of 100 grants can be created for a custom key.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click on the left. Choose Security & Compliance > Data Encryption Workshop.
  4. Click the name of the target custom key to go to its details page and create a grant on it.
  5. Click the Grants tab.
  6. Click Create Grant. The Create Grant dialog box is displayed.

    Figure 1 Creating a grant (for a user)
    Figure 2 Creating a grant (for an account)

  7. In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted. For details, see Table 1.

    A grantee can perform the authorized operations only by calling the necessary APIs. For details, see the Data Encryption Workshop API Reference.

    Table 1 Parameter description

    Parameter

    Description

    Example Value

    User or Tenant

    Whether a user or an account is authorized.

    • User

      User ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose My Credentials. Choose API Credentials from the navigation pane, and copy the value of IAM User ID.

      After the authorization is complete, the IAM user can use the specified keys.

    • Account

      Account ID: Enter the IAM user ID. To obtain the ID, click the username in the upper right corner of the page, choose My Credentials. Choose API Credentials from the navigation pane and copy the value of Account ID.

      After the authorization is complete, all IAM users under the account can use the specified keys.

    d9a6b2bdaedd4ba586cabe6372d1b312

    Grant Name

    You can name the grant.

    NOTE:
    • You can enter digits, letters, underscores (_), hyphens (-), colons (:), and slashes (/).

    test

    Operations

    You can authorize multiple permissions. The following permissions can be authorized:

    • Query Key Details
    • Create Grant
    • Retire Grant

    For details about how to authorize a key algorithm, see Table 2.

    -
    Table 2 Granting operations

    Key Algorithm

    Key Type

    Usage

    Granted Operations
    • AES_256

    Symmetric key

    ENCRYPT_DECRYPT
    • Create Data Key Without Plaintext
    • Create Data Key
    • Encrypt Data Key
    • Decrypt Data Key
    • Encrypt Data
    • Decrypt Data
    • RSA_2048
    • RSA_3072
    • RSA_4096
    • EC_P256
    • EC_P384

    Asymmetric key

    SIGN_VERIFY
    • Query a public key
    • Signature
    • Signature verification
    • RSA_2048
    • RSA_3072
    • RSA_4096

    Asymmetric key

    ENCRYPT_DECRYPT
    • Query a public key
    • Encrypt Data
    • Decrypt Data
    • HMAC_256
    • HMAC_384
    • HMAC_512

    Digest key

    GENERATE_VERIFY_MAC
    • Generate HMAC
    • Verify HMAC

  8. Click OK. When message Grant created successfully is displayed in the upper right corner, the grant has been created.

    In the list of grants, you can view the grant name, grant type, grantee ID, granted operation, and creation time of the grant.

Parent topic: Managing a Grant