Help Center/ Workspace/ FAQs/ FAQs for Administrators/ Identity Authentication and AD Configuration/ What Permissions Are Required to Use OBS SSE-KMS Encryption When Screen Recording Is Enabled?
Updated on 2026-05-11 GMT+08:00

What Permissions Are Required to Use OBS SSE-KMS Encryption When Screen Recording Is Enabled?

Scenarios

When screen recording is enabled, if you want to use the SSE-KMS server-side encryption function of OBS, you need to configure the kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek: create, and kms:dek:crypto permissions, in addition to the object upload/download permissions. You can create a custom policy with the required permissions using any of the following methods:

Creating a Custom Policy and Granting Permissions (in the Old IAM Edition)

  1. Log in to the console.
  2. In the upper right corner, click the account information and choose Identity and Access Management. The Identity and Access Management page is displayed.
  3. On the IAM console, choose Permissions > Policies/Roles in the navigation pane, and click Create Custom Policy in the upper right corner.
  4. On the Create Custom Policy page, enter a policy name.
  5. Select the option Select service for Policy Content, enter KMS in the text box, and click Key Management Service (KMS), as shown in the following figure.

  6. Select the permissions, as shown in the following figure.

    • kms:cmk:create
    • kms:cmk:get
    • kms:dek:create
    • kms:cmk:list
    • kms:dek:crypto

  7. Click OK.
  1. In the navigation pane of the IAM console, choose Agencies.
  2. On the Agencies page, search for the agency name workspace_trust_for_obs, and click Authorize in the Operation column.
  3. On the Authorize Agency page, select the policy created in 4.
  4. Click Next, and retain the default value All resources for Scope.
  5. Click OK.

Creating a Custom Policy and Granting Permissions (in the New IAM Edition)

  1. Log in to the console.
  2. In the upper right corner, click the account information and choose Identity and Access Management. The Identity and Access Management page is displayed.
  3. On the IAM console, click Go to New Console in the upper right corner.

    If you are already on the new IAM console, skip this step.

  4. In the left navigation pane, choose Identity Policies. In the upper right corner, click Create Identity Policy.
  5. On the Create Identity Policy page, enter a policy name.
  6. Select the option Select service for Policy Content, enter KMS in the text box, and click Key Management Service (KMS), as shown in the following figure.

  7. Select the permissions, as shown in the following figure.

    • kms:cmk:create
    • kms:cmk:get
    • kms:cmk:createDataKey
    • kms:cmk:list
    • kms:cmk:encryptDataKey

  8. Click OK.
  1. In the navigation pane of the IAM console, choose Agencies.
  2. On the Agencies page, search for the agency name workspace_trust_for_obs, and click Authorize in the Operation column.
  3. On the Authorize page, select the policy created in 5.
  4. Click OK.