Updated on 2025-06-23 GMT+08:00

Overview

With Resource Access Manager (RAM), a resource owner can share resources with other accounts and scope the sharing permissions to what each recipient actually needs, following the principle of least privilege. A recipient can use a shared resource only within the permissions granted to it, which keeps resource management secure while sparing users the need to duplicate resources. For more information about RAM, see What Is RAM?.

If your account belongs to a Huawei Cloud organization, you can enable sharing with organizations to share resources more easily: you can then share with a specified account or with all accounts in the organization, without selecting the accounts one by one. For details, see Enabling Sharing with Organizations.

Constraints

  • You can share only KMS keys that you own. A key that has been shared with you cannot be shared onward to other accounts.
  • To share KMS keys with your organization, enable sharing with organizations first. For more information, see Enabling Sharing with Organizations.

Key Owner and Recipient Permissions

Key owners can perform all operations on their keys. Recipients are limited to the operations listed in Table 1; key management operations (for example, disabling, rotating or deleting the key) are not in the list and remain with the owner. The description column states where a recipient can invoke each operation: "console or API" means the operation is also exposed in the recipient's KMS console, while "API only" means it must be called through the KMS API or an SDK.

Table 1 Operations supported for key recipients

Role: Recipient

  • kms:cmk:get: console or API
  • kms:cmk:createDataKey: API only
  • kms:cmk:createDataKeyWithoutPlaintext: API only
  • kms:cmk:encryptDataKey: API only
  • kms:cmk:decryptDataKey: API only
  • kms:cmk:encryptData: console or API
  • kms:cmk:decryptData: console or API
  • kms:cmk:sign: API only
  • kms:cmk:verify: API only
  • kms:cmk:generateMac: API only
  • kms:cmk:verifyMac: API only
  • kms:cmk:getPublicKey: console or API
  • kms:cmk:getRotation: console or API
  • kms:cmk:getTags: console or API
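The operations in Table 1 are exactly the set a recipient needs for envelope encryption: mint a data encryption key (DEK) under the shared key with kms:cmk:createDataKey, encrypt data locally with the plaintext DEK, store the wrapped DEK next to the ciphertext, and later unwrap it with kms:cmk:decryptDataKey. The following Python example is added here and is not code from the Huawei Cloud documentation or SDKs. It assumes the REST paths /v1.0/{project_id}/kms/create-datakey and /v1.0/{project_id}/kms/decrypt-datakey and the JSON field names (plain_text, cipher_text, datakey_length, datakey_cipher_length, data_key) as given in the public KMS API reference; verify them against the API document for your region. The FakeSharedKms class and the HMAC-based toy cipher are constructed stand-ins so the flow runs offline; the fake enforces the recipient allow-list, so a management call such as key deletion is refused the way a shared key would refuse it. The key ID and credentials are placeholders.

```python
"""Envelope encryption with a shared KMS key, using only recipient-granted operations.

Added example, not Huawei Cloud's own code. REST paths and JSON field names are
assumed from the public KMS API reference; the fake KMS and the HMAC-based toy
authenticated cipher are constructed stand-ins (use AES-GCM in real code).
"""
import hashlib
import hmac
import json
import secrets
import urllib.request

# Table 1 operations a recipient may call, keyed by the REST action name used in
# the request path (the mapping from action name to path is an assumption).
RECIPIENT_ALLOWED = {
    "create-datakey": "kms:cmk:createDataKey",
    "create-datakey-without-plaintext": "kms:cmk:createDataKeyWithoutPlaintext",
    "encrypt-datakey": "kms:cmk:encryptDataKey",
    "decrypt-datakey": "kms:cmk:decryptDataKey",
    "encrypt-data": "kms:cmk:encryptData",
    "decrypt-data": "kms:cmk:decryptData",
}


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode under a derived 'enc' subkey."""
    sub = hmac.new(key, b"enc", hashlib.sha256).digest()
    out = b"".join(hmac.new(sub, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(hmac.new(key, b"mac", hashlib.sha256).digest(), data, hashlib.sha256).digest()


def toy_seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh 16-byte nonce; output = nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce + ct)


def toy_open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class KmsClient:
    """Minimal KMS REST client; `transport` lets the example run against a fake."""

    def __init__(self, region: str, project_id: str, token: str, transport=None):
        # The recipient calls KMS in its own region/project but passes the owner's
        # key_id, which is what RAM sharing makes usable from this account.
        self.base = f"https://kms.{region}.myhuaweicloud.com/v1.0/{project_id}/kms/"
        self.token = token
        self.transport = transport

    def call(self, action: str, body: dict) -> dict:
        if self.transport is not None:
            return self.transport(action, body)
        req = urllib.request.Request(
            self.base + action, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json", "X-Auth-Token": self.token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())

    def create_datakey(self, key_id: str, bits: int = 512) -> dict:
        # kms:cmk:createDataKey (API only): plaintext DEK plus DEK wrapped under the CMK
        return self.call("create-datakey", {"key_id": key_id, "datakey_length": str(bits)})

    def decrypt_datakey(self, key_id: str, cipher_text: str, bits: int = 512) -> dict:
        # kms:cmk:decryptDataKey (API only); datakey_cipher_length is in bytes (assumed)
        return self.call("decrypt-datakey", {"key_id": key_id, "cipher_text": cipher_text,
                                             "datakey_cipher_length": str(bits // 8)})


def envelope_encrypt(kms: KmsClient, key_id: str, plaintext: bytes) -> dict:
    """Recipient side: one KMS call to mint a DEK, then local encryption with it."""
    r = kms.create_datakey(key_id)
    dek = bytes.fromhex(r["plain_text"])
    return {"key_id": key_id, "wrapped_dek": r["cipher_text"],
            "ciphertext": toy_seal(dek, plaintext).hex()}


def envelope_decrypt(kms: KmsClient, record: dict) -> bytes:
    """Recipient side: unwrap the stored DEK via KMS, then decrypt locally."""
    r = kms.decrypt_datakey(record["key_id"], record["wrapped_dek"])
    return toy_open(bytes.fromhex(r["data_key"]), bytes.fromhex(record["ciphertext"]))


class FakeSharedKms:
    """Constructed stand-in for keys shared to us; refuses anything outside Table 1."""

    def __init__(self, shared_key_ids):
        self.cmk = {kid: secrets.token_bytes(32) for kid in shared_key_ids}

    def __call__(self, action: str, body: dict) -> dict:
        if action not in RECIPIENT_ALLOWED:
            raise PermissionError(f"403: recipient not granted {action}")
        if body["key_id"] not in self.cmk:
            raise PermissionError("403: key not shared with this account")
        master = self.cmk[body["key_id"]]
        if action == "create-datakey":
            dek = secrets.token_bytes(int(body["datakey_length"]) // 8)
            return {"key_id": body["key_id"], "plain_text": dek.hex(),
                    "cipher_text": toy_seal(master, dek).hex()}
        if action == "decrypt-datakey":
            return {"data_key": toy_open(master, bytes.fromhex(body["cipher_text"])).hex()}
        raise NotImplementedError(action)


def demo() -> bytes:
    """Round trip against the fake: placeholder region, project, token and key ID."""
    kms = KmsClient("cn-north-4", "recipient-project-id", "token-placeholder",
                    transport=FakeSharedKms({"example-shared-key-id"}))
    record = envelope_encrypt(kms, "example-shared-key-id", b"customer record 42")
    return envelope_decrypt(kms, record)
```

Two things to notice: the plaintext DEK never leaves the process (it exists only between create-datakey and local encryption), and the recipient never needs kms:cmk:get or any management permission for this flow, so an IAM policy for the recipient's users can be cut down to createDataKey and decryptDataKey.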

Supported Resource Types and Regions

The following table lists the resource types and regions for which sharing is supported in DEW.

Table 2 Supported resource types and regions in DEW

  • Cloud service: KMS
  • Resource type: CMK (customer master key)
  • Supported regions: all regions support sharing.

Services That Support Shared Key Encryption and System-defined Policies

If you select a shared key to encrypt a resource while purchasing yearly/monthly resources, the IAM user who performs the purchase must be granted the corresponding system-defined policy; otherwise the service cannot use the shared key during fulfillment. Table 3 lists the services that support shared key encryption and the policy each requires.

For details about how to grant permissions to an IAM user, see Assigning Permissions to an IAM User. Select the system policy based on Table 3.

Table 3 Services that support shared key encryption and system-defined policies

  • Relational Database Service (RDS): ServicePolicyForRDSFulfillment
  • TaurusDB: ServicePolicyForGaussDBFulfillment
  • Document Database Service (DDS): ServicePolicyForDDSFulfillment
  • Scalable File Service Turbo (SFS Turbo): ServicePolicyForSFSTurboFulfillment
  • Workspace: ServicePolicyForWorkspaceFulfillment
  • GeminiDB: ServicePolicyForNosqlFulfillment

Billing

For details about KMS billing, see Billing Items.

The owner of a shared key pays both the key instance fee and the API call fees, including calls made by recipients; in other words, only the resource owner is charged for shared resources, and recipients are not billed for using a shared key.