Updated on 2025-07-30 GMT+08:00

Shared KMS

To share your KMS keys with other accounts, first create a resource share in Resource Access Manager (RAM). When creating it, you specify the keys to be shared, associate the permissions recipients get on those keys, specify the principals to share with, and then confirm the configuration.

A recipient account can use a shared KMS key to encrypt its secrets and key pairs in DEW, and as the encryption key for instances in Relational Database Service (RDS) and Document Database Service (DDS) and for buckets in Object Storage Service (OBS).

Prerequisites

You have granted the IAM user the system-defined policy of the corresponding service. For details, see Services That Support Shared Key Encryption and System-defined Policies.

Creating Shared KMS Resources

  1. Log in to the DEW console.
  2. Open the service list in the upper left corner and choose Management & Governance > Resource Access Manager.
  3. In the navigation pane on the left, choose Shared by Me > Resource Shares.
  4. Click Create Resource Share in the upper right corner.

    Figure 1 Specifying shared resources

  5. Set the resource type to kms:KeyId, select the region in which the keys reside, and select the keys to be shared. Click Next: Associate Permissions.
  6. Associate a RAM managed permission with each resource type on the displayed page. Then, click Next: Specify Principals in the lower right corner.
  7. Specify the target principals and click Next: Confirm in the lower right corner.

    Table 1 Parameters

    Parameter: Principal Type

    Description:

    • Organization

      For details about how to create an organization, see .

      NOTE:

      If you have not enabled resource sharing with organizations, this parameter cannot be set to Organization. For details, see .

    • Huawei Cloud account ID

  8. Check the configurations and click Submit in the lower right corner.

    After the resource share is created, principals specified as an organization receive the share automatically, while principals specified by Huawei Cloud account ID must accept the share before they can use the keys. For details, see .
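    The console steps above map onto one RAM CreateResourceShare request. The following added example (not Huawei Cloud's own code or SDK) builds and validates that request body locally before anything is sent: it enforces that every principal is either a Huawei Cloud account ID or an organization (and that the organization form is only used once resource sharing with organizations has been enabled, as the note in Table 1 requires), that all shared keys sit in the one region chosen in step 5, and that nothing is duplicated. The body field names (name, description, resource_urns, permission_ids, principals), the KMS URN layout kms:<region>:<account_id>:key:<key_id>, the 32-hex-character account ID format, the organizations:: prefix, and all sample IDs are assumptions or constructed placeholders; check them against the current RAM API reference.

```python
"""Build and validate a RAM CreateResourceShare request for KMS keys.

Added example for this documentation page; not Huawei Cloud's own code.
ASSUMPTIONS: the body field names, the KMS resource URN layout
kms:<region>:<account_id>:key:<key_id>, the account ID format and the
"organizations::" principal prefix. Verify against the RAM API reference.
"""
import json
import re

# Assumption: account (domain) IDs are 32 hex characters; KMS key IDs are UUIDs.
ACCOUNT_ID_RE = re.compile(r"^[0-9a-f]{32}$")
KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Assumption: an organization principal is written as a URN with this prefix.
ORG_PREFIX = "organizations::"


class ShareConfigError(ValueError):
    """A share configuration the console would reject or that makes no sense."""


def kms_key_urn(region: str, owner_account_id: str, key_id: str) -> str:
    """Resource URN of one KMS key (layout is an assumption, see docstring)."""
    if not region:
        raise ShareConfigError("region is required: a share covers keys in one region")
    if not ACCOUNT_ID_RE.match(owner_account_id):
        raise ShareConfigError(f"bad owner account ID: {owner_account_id}")
    if not KEY_ID_RE.match(key_id):
        raise ShareConfigError(f"bad KMS key ID: {key_id}")
    return f"kms:{region}:{owner_account_id}:key:{key_id}"


def build_kms_resource_share(name, region, owner_account_id, key_ids,
                             principals, permission_ids,
                             org_sharing_enabled=False, description=""):
    """Return the JSON-serialisable request body for one KMS resource share.

    principals: Huawei Cloud account IDs, or organization URNs (ORG_PREFIX...).
    The organization form is accepted only when org_sharing_enabled is True,
    mirroring the console restriction from Table 1.
    """
    if not name:
        raise ShareConfigError("name is required")
    if not key_ids:
        raise ShareConfigError("at least one key must be shared")
    if not permission_ids:
        raise ShareConfigError("at least one RAM managed permission is required")
    if not principals:
        raise ShareConfigError("at least one principal is required")

    checked = []
    for p in principals:
        if p.startswith(ORG_PREFIX):
            if not org_sharing_enabled:
                raise ShareConfigError(
                    "principal type Organization requires resource sharing "
                    "with organizations to be enabled first")
        elif ACCOUNT_ID_RE.match(p):
            if p == owner_account_id:
                # This example's own rule: sharing a key with its owner is a no-op.
                raise ShareConfigError("owner account listed as a principal")
        else:
            raise ShareConfigError(f"unrecognised principal: {p}")
        if p not in checked:            # drop duplicates, keep order
            checked.append(p)

    urns = []
    for key_id in key_ids:
        urn = kms_key_urn(region, owner_account_id, key_id)
        if urn not in urns:
            urns.append(urn)

    return {
        "name": name,
        "description": description,
        "resource_urns": urns,
        "permission_ids": list(dict.fromkeys(permission_ids)),
        "principals": checked,
    }


def to_json(body: dict) -> str:
    """Serialise the body as it would be sent in the HTTP request."""
    return json.dumps(body, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample values: not real accounts, keys or permission IDs.
    body = build_kms_resource_share(
        name="rds-shared-cmk",
        region="cn-north-4",
        owner_account_id="0" * 31 + "1",
        key_ids=["0b4f3c1a-2d6e-4f8a-9b1c-3d5e7f9a1b2c"],
        principals=["0" * 31 + "2"],
        permission_ids=["placeholder-kms-key-permission"],
    )
    print(to_json(body))
```

    Keep the share as narrow as the validation encourages: one region, only the keys the recipient actually needs, and a managed permission no broader than the operations (for example encrypt/decrypt) the recipient's service requires.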

Viewing Shared KMS Resources

  1. Log in to the DEW console.
  2. In the upper left corner, select a region or project.
  3. Check the shared key resources in the Shared Key tab.

    Figure 2 Shared keys

    On the Shared Key tab, you can search for a specific shared key by entering its key ID, as copied from the key owner.

Using Shared KMS Resources

Before you create resources with a shared key, ensure that your account has been granted the permissions needed to operate on that key. For details, see Key Owner and Recipient Permissions.

  1. Log in to the DEW console.
  2. In the upper left corner, select a region or project.
  3. In the navigation pane on the left, choose Cloud Secret Management Service.
  4. Click Create Secret. On the displayed page, for KMS Encryption Key, select the shared key or enter its key ID.

    Figure 3 Selecting a shared key
    • When creating a key pair, you can also select a shared KMS key.
    • When creating an RDS instance, a DDS instance, or an OBS bucket, you can choose a shared KMS key. For details, see Cloud Services with KMS Integrated.

Updating a Resource Share

You can update a resource share at any time, including its name, description, tags, shared resources, shared permissions, and principals.

  1. Log in to the DEW console.
  2. Open the service list in the upper left corner and choose Management & Governance > Resource Access Manager.
  3. In the navigation pane on the left, choose Shared by Me > Resource Shares.
  4. Locate the target share and click Edit in the Operation column.
  5. On the displayed Specify Resource Share Details page, update the name, description, and tags, and add or remove shared keys as required.
  6. After the update is complete, click Next: Associate Permissions in the lower right corner.
  7. Add or remove the permissions supported by kms:KeyId. When the update is complete, click Next: Grant Access to Principals.
  8. On the displayed page, add or delete principals based on your needs. Then, click Next: Confirm in the lower right corner.
  9. Confirm the configurations and click OK in the lower right corner.

Leaving a Resource Share

If you no longer need access to shared keys, you can leave the resource share at any time. After you leave, you can no longer access the shared keys, so first make sure that no secrets, key pairs, or service instances in your account still depend on them.

  1. Log in to the DEW console.
  2. Open the service list in the upper left corner and choose Management & Governance > Resource Access Manager.
  3. In the navigation pane on the left, choose Shared with Me > Resource Shares.
  4. On the Accepted Resource Shares tab, locate the target resource share and click Leave in the Operation column.
  5. In the displayed dialog box, click Leave.