Updated on 2025-04-17 GMT+08:00

Integration with Huawei Cloud KMS

Huawei Cloud Key Management Service (KMS) has built-in attestation support for QingTian Enclave instances. You can use the Huawei Cloud KMS APIs included in the QingTian Enclave SDK to perform KMS actions, such as decryption, random number generation, and encryption, from inside a QingTian Enclave instance based on its attestation document. KMS ingests the attestation document sent by the QingTian Enclave instance and validates the measurements it carries against those specified in the IAM policy to determine whether the QingTian Enclave instance may call the requested KMS API.

The following is an example IAM authorization policy. It allows the KMS APIs for decrypting data or data keys to be called only from the QingTian Enclave environment, and only when the enclave's PCR0 and PCR8 measurements are identical to the values specified in the policy.

After the authorization is successful, the exported JSON information is as follows:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:cmk:decrypt",
                "kms:dek:decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:RecipientAttestation/PCR0": [
                        "c5158cb6ee9dbb0ead648c3dc80e472c85e0d67f19fb53fbd3fb94c3371aec63cdb93b80d727a7084248873b1d8e8b41"
                    ],
                    "kms:RecipientAttestation/PCR8": [
                        "705afb1012d27f4e07a25e674e6a17dec57305e29cd412184b7bcb78d9e67f16a0cc26d8706a4fab418a5da5788bc949"
                    ]
                }
            }
        }
    ]
}

JSON information description:

  • Action: the actions that the identity policy allows.
  • Resource: the resources to which the identity policy applies.
      • *: the policy applies to all resources.
  • Condition: the request condition. In QingTian Enclave, any combination of PCR0, PCR3, PCR4, and PCR8 can be used as request conditions; the condition keys take the form kms:RecipientAttestation/<PCR>. PCR0 and PCR8 are used in this example.
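To make the policy evaluation concrete, the following is an added example, not code from the Huawei Cloud KMS service or the QingTian Enclave SDK. It simulates, locally and offline, the comparison step that KMS performs after it has verified the attestation document: the PCR condition keys in the policy above are extracted, and a request is allowed only if every listed PCR is present in the attestation document and matches one of the expected values, case-insensitively, as the StringEqualsIgnoreCase operator implies. The attestation document format (a dict with a "pcrs" map) and the sample documents are assumptions constructed for illustration; the real document is a signed structure that KMS parses before this step.

```python
"""Added example (not Huawei Cloud's own code): local simulation of how the
PCR conditions in an IAM policy are checked against the PCR values carried in
a QingTian Enclave attestation document."""
import json

# The policy from the page: decrypt actions allowed only when PCR0 and PCR8 match.
POLICY_JSON = """
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:cmk:decrypt", "kms:dek:decrypt"],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:RecipientAttestation/PCR0": [
                        "c5158cb6ee9dbb0ead648c3dc80e472c85e0d67f19fb53fbd3fb94c3371aec63cdb93b80d727a7084248873b1d8e8b41"
                    ],
                    "kms:RecipientAttestation/PCR8": [
                        "705afb1012d27f4e07a25e674e6a17dec57305e29cd412184b7bcb78d9e67f16a0cc26d8706a4fab418a5da5788bc949"
                    ]
                }
            }
        }
    ]
}
"""
POLICY = json.loads(POLICY_JSON)

CONDITION_PREFIX = "kms:RecipientAttestation/"
# PCRs the page says may be used as request conditions.
SUPPORTED_PCRS = {"PCR0", "PCR3", "PCR4", "PCR8"}

# Constructed sample attestation documents (hypothetical format: {"pcrs": {...}}).
# The matching document uses upper-case hex to show that the comparison ignores case.
ATTESTATION_OK = {"pcrs": {
    "PCR0": "C5158CB6EE9DBB0EAD648C3DC80E472C85E0D67F19FB53FBD3FB94C3371AEC63CDB93B80D727A7084248873B1D8E8B41",
    "PCR8": "705AFB1012D27F4E07A25E674E6A17DEC57305E29CD412184B7BCB78D9E67F16A0CC26D8706A4FAB418A5DA5788BC949",
}}
# Same PCR0 but a different (constructed, all-zero) PCR8: a different enclave image.
ATTESTATION_BAD = {"pcrs": {
    "PCR0": "c5158cb6ee9dbb0ead648c3dc80e472c85e0d67f19fb53fbd3fb94c3371aec63cdb93b80d727a7084248873b1d8e8b41",
    "PCR8": "0" * 96,
}}
# Document that does not carry PCR8 at all.
ATTESTATION_MISSING = {"pcrs": {
    "PCR0": "c5158cb6ee9dbb0ead648c3dc80e472c85e0d67f19fb53fbd3fb94c3371aec63cdb93b80d727a7084248873b1d8e8b41",
}}


def pcr_conditions(statement):
    """Return {pcr_name: [allowed values, lower-cased]} from a statement's
    StringEqualsIgnoreCase block, ignoring non-attestation condition keys."""
    cond = statement.get("Condition", {}).get("StringEqualsIgnoreCase", {})
    out = {}
    for key, values in cond.items():
        if not key.startswith(CONDITION_PREFIX):
            continue
        pcr = key[len(CONDITION_PREFIX):]
        if pcr not in SUPPORTED_PCRS:
            raise ValueError(f"unsupported attestation condition key: {key}")
        values = values if isinstance(values, list) else [values]
        out[pcr] = [v.lower() for v in values]
    return out


def conditions_match(conditions, attestation):
    """Every PCR named in the policy must be present in the attestation document
    and equal (case-insensitively) one of the allowed values. A request without
    an attestation document therefore never satisfies a PCR condition."""
    pcrs = (attestation or {}).get("pcrs", {})
    for pcr, allowed in conditions.items():
        measured = pcrs.get(pcr)
        if measured is None or measured.lower() not in allowed:
            return False
    return True


def is_allowed(policy, action, attestation):
    """Default deny: allowed only if some Allow statement lists the action and
    all of its PCR conditions are satisfied by the attestation document."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if conditions_match(pcr_conditions(stmt), attestation):
            return True
    return False


if __name__ == "__main__":
    for name, doc in [("ok", ATTESTATION_OK), ("bad", ATTESTATION_BAD),
                      ("missing", ATTESTATION_MISSING), ("none", None)]:
        print(name, "kms:cmk:decrypt ->", is_allowed(POLICY, "kms:cmk:decrypt", doc))
```

The two cases worth noticing are the last ones: a document that lacks one of the PCRs named in the policy, and a request that carries no attestation document at all, are both denied, which is what restricts the decrypt actions to the enclave environment rather than to any caller holding the IAM identity.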

For details about how to create a user group, see Creating a User Group and Assigning Permissions.

For details about how to create a custom policy, see Creating a Custom Policy.