Overview
Based on Resource Access Manager (RAM), resource owners can configure sharing permissions that follow the principle of least privilege and match different usage requirements. Resource users can access shared resources only within the permissions granted to them, which improves both the security of resource management and the user experience. For more information about RAM, see What Is RAM?.
If your account is managed by Huawei Cloud Organizations, you can enable this function to share resources more easily. If your account is in an organization, you can share resources with a specified account or with all accounts in the organization, without having to select each account one by one. For details, see Enabling Sharing with Organizations.
Constraints
- You must own the KMS key resources. You cannot share the KMS key resources that have been shared with you.
- If you need to share KMS key resources with your organization, enable this function. For more information, see Enabling Sharing with Organizations.
Key Owner and Recipient Permissions
Key owners can perform all operations on keys, while recipients can only perform certain operations. For details, see Table 1.
Table 1 Key owner and recipient permissions

Role | Allowed Operation | Description
---|---|---
Recipient | kms:cmk:get | Access through the console or API
| kms:cmk:createDataKey | Access through API only
| kms:cmk:createDataKeyWithoutPlaintext | Access through API only
| kms:cmk:encryptDataKey | Access through API only
| kms:cmk:decryptDataKey | Access through API only
| kms:cmk:encryptData | Access through the console or API
| kms:cmk:decryptData | Access through the console or API
| kms:cmk:sign | Access through API only
| kms:cmk:verify | Access through API only
| kms:cmk:generateMac | Access through API only
| kms:cmk:verifyMac | Access through API only
| kms:cmk:getPublicKey | Access through the console or API
| kms:cmk:getRotation | Access through the console or API
| kms:cmk:getTags | Access through the console or API
Supported Resource Types and Regions
The following table lists the resource types and regions that support sharing in DEW.

Table 2 Supported resource types and regions

Cloud Service | Resource Type | Supported Region
---|---|---
KMS | CMK | All regions support sharing.
Services That Support Shared Key Encryption and System-defined Policies
If you choose to encrypt newly created resources with a shared key when purchasing yearly/monthly resources, you must grant the corresponding system-defined policy to the user so that the shared key can be used. Table 3 lists the services that support shared key encryption and their corresponding system-defined policies.
For details about how to grant permissions to an IAM user, see Assigning Permissions to an IAM User. Select the system policy based on Table 3.
Table 3 Services that support shared key encryption and their system-defined policies

Service | System-defined Policy
---|---
Relational Database Service (RDS) | ServicePolicyForRDSFulfillment
TaurusDB | ServicePolicyForGaussDBFulfillment
Document Database Service (DDS) | ServicePolicyForDDSFulfillment
Scalable File Service Turbo (SFS Turbo) | ServicePolicyForSFSTurboFulfillment
Workspace | ServicePolicyForWorkspaceFulfillment
GeminiDB | ServicePolicyForNosqlFulfillment
Billing
For details about KMS billing, see Billing Items.
Owners of shared keys pay both the key instance fee and the API call fees. In other words, only the resource owner is charged for shared resources; recipients are not billed.