Overview
With Resource Access Manager (RAM), resource owners can grant sharing permissions that follow the principle of least privilege and match actual usage requirements. Principals can then access shared resources only within the granted permissions, which improves resource management security. For more information about RAM, see What Is RAM?.
If your account is managed by Huawei Cloud Organizations, you can enable sharing with organizations to share resources more easily: you can share resources with a specified account or with all accounts in the organization without having to select the accounts one by one. For details, see Enabling Sharing with Organizations.
Constraints
- You must own the resources you share. You cannot re-share resources that have been shared with you.
- To share resources with your organization, enable sharing with organizations first. For more information, see Enabling Sharing with Organizations.
Resource Owner and Recipient Permissions
Resource owners can perform all operations on resources, while recipients can only perform certain operations. For details, see Table 1.
Table 1 Resource owner and recipient permissions

| Role | Allowed Operation | Description |
|---|---|---|
| Key recipient | kms:cmk:get | Access through the console or API |
| | kms:cmk:createDataKey | Access through API only |
| | kms:cmk:createDataKeyWithoutPlaintext | Access through API only |
| | kms:cmk:encryptDataKey | Access through API only |
| | kms:cmk:decryptDataKey | Access through API only |
| | kms:cmk:encryptData | Access through the console or API |
| | kms:cmk:decryptData | Access through the console or API |
| | kms:cmk:sign | Access through API only |
| | kms:cmk:verify | Access through API only |
| | kms:cmk:generateMac | Access through API only |
| | kms:cmk:verifyMac | Access through API only |
| | kms:cmk:getPublicKey | Access through the console or API |
| | kms:cmk:getRotation | Access through the console or API |
| | kms:cmk:getTags | Access through the console or API |
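The permission model in Table 1 is easy to misread during a review: a recipient of a shared CMK gets a fixed allowlist of operations, and several of them are reachable through the API only. The following evaluator, added here as an example and not Huawei Cloud's own code, encodes that table and audits the actions an application needs against it, so a reviewer can see which requests would be denied for a recipient and would require the key owner instead. The roles "owner" and "recipient", the channels "console" and "api", and the placeholder action name `kms:cmk:exampleOwnerOnlyOp` are assumptions for the example; only the action names in Table 1 come from the page.

```python
"""Evaluate KMS requests against the shared-CMK recipient permissions in Table 1.

Added example, not Huawei Cloud code. Roles, channels and the placeholder
action used in the demo are constructed for illustration.
"""
from dataclasses import dataclass

# Channels through which an operation can be performed (Table 1 wording).
CONSOLE_OR_API = frozenset({"console", "api"})
API_ONLY = frozenset({"api"})

# Operations a key recipient may perform on a shared CMK, with the channels
# each is available through. Everything else is owner-only.
RECIPIENT_ALLOWED = {
    "kms:cmk:get": CONSOLE_OR_API,
    "kms:cmk:createDataKey": API_ONLY,
    "kms:cmk:createDataKeyWithoutPlaintext": API_ONLY,
    "kms:cmk:encryptDataKey": API_ONLY,
    "kms:cmk:decryptDataKey": API_ONLY,
    "kms:cmk:encryptData": CONSOLE_OR_API,
    "kms:cmk:decryptData": CONSOLE_OR_API,
    "kms:cmk:sign": API_ONLY,
    "kms:cmk:verify": API_ONLY,
    "kms:cmk:generateMac": API_ONLY,
    "kms:cmk:verifyMac": API_ONLY,
    "kms:cmk:getPublicKey": CONSOLE_OR_API,
    "kms:cmk:getRotation": CONSOLE_OR_API,
    "kms:cmk:getTags": CONSOLE_OR_API,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(role: str, action: str, channel: str) -> Decision:
    """Decide whether `role` ("owner" or "recipient", assumed labels) may
    perform `action` on a shared CMK through `channel` ("console" or "api")."""
    if channel not in CONSOLE_OR_API:
        return Decision(False, f"unknown channel {channel!r}")
    if not action.startswith("kms:cmk:"):
        return Decision(False, f"not a CMK action: {action!r}")
    if role == "owner":
        # The owner keeps full control of its own key.
        return Decision(True, "resource owner may perform all operations")
    if role != "recipient":
        return Decision(False, f"unknown role {role!r}")
    channels = RECIPIENT_ALLOWED.get(action)
    if channels is None:
        return Decision(False, "not granted to recipients; only the key owner can perform it")
    if channel not in channels:
        return Decision(False, f"{action} is available to recipients through API only")
    return Decision(True, "within shared-key permissions")


def audit(required_actions, channel: str = "api") -> dict:
    """Map each action a recipient could NOT perform via `channel` to the reason.
    An empty result means a shared key is sufficient for the whole list."""
    denied = {}
    for action in required_actions:
        decision = evaluate("recipient", action, channel)
        if not decision.allowed:
            denied[action] = decision.reason
    return denied


if __name__ == "__main__":
    # Constructed list of what an application might need. The last name is a
    # placeholder for an owner-only operation, not a real Huawei Cloud action.
    needed = ["kms:cmk:encryptData", "kms:cmk:sign", "kms:cmk:exampleOwnerOnlyOp"]
    for action, why in audit(needed, channel="console").items():
        print(f"DENIED {action}: {why}")
```

Running the script audits the constructed list from the console perspective: `kms:cmk:encryptData` passes, `kms:cmk:sign` is denied because it is API-only for recipients, and the placeholder operation is denied because it is not in the recipient allowlist at all. Keeping the allowlist as data rather than scattered conditionals makes it straightforward to diff against the published table when the documentation changes.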
Supported Resource Types and Regions
The following table lists the resource types that can be shared in DEW and the regions in which sharing is supported.

Table 2 Supported resource types and regions

| Cloud Service | Resource Type | Supported Region |
|---|---|---|
| KMS | CMK | All regions support sharing. |
Services That Support Shared Key Encryption and System-defined Policies
If you choose to encrypt resources with a shared key when purchasing yearly/monthly resources, you must grant the corresponding system-defined policy to the user so that the shared key can be used. You can create an agency for each service with one click. For details, see "Purchasing Resources" in the user guide of each service. Table 3 lists the services that support shared key encryption and their corresponding system-defined policies.

Table 3 Services that support shared key encryption and their system-defined policies

| Service | System-defined Policy |
|---|---|
| Relational Database Service (RDS) | ServicePolicyForRDSFulfillment |
| TaurusDB | ServicePolicyForGaussDBFulfillment |
| Document Database Service (DDS) | ServicePolicyForDDSFulfillment |
| Scalable File Service Turbo (SFS Turbo) | ServicePolicyForSFSTurboFulfillment |
| Workspace | ServicePolicyForWorkspaceFulfillment |
| GeminiDB | ServicePolicyForNosqlFulfillment |
Billing
For details about KMS billing, see Billing Items.
Resource owners pay the resource instance fees and the API calling fees for shared keys.