Encryption Key Management

Permission

API

Action

Dependent Permission

IAM Project

(Project)

Enterprise Project

(Enterprise Project)

Creating a CMK

POST /v1.0/{project_id}/kms/create-key

kms:cmk:create

-

Y

Y

Enabling a CMK

POST /v1.0/{project_id}/kms/enable-key

kms:cmk:enable

-

Y

Y

Disabling a CMK

POST /v1.0/{project_id}/kms/disable-key

kms:cmk:disable

-

Y

Y

Scheduling the deletion of a CMK

POST /v1.0/{project_id}/kms/schedule-key-deletion

kms:cmk:update

-

Y

Y

Canceling the scheduled deletion of a CMK

POST /v1.0/{project_id}/kms/cancel-key-deletion

kms:cmk:update

-

Y

Y

Querying the list of CMKs

POST /v1.0/{project_id}/kms/list-keys

kms:cmk:list

-

Y

Y

Queries the CMK information.

POST /v1.0/{project_id}/kms/describe-key

kms:cmk:get

-

Y

Y

Generating a random number

POST /v1.0/{project_id}/kms/gen-random

kms:cmk:generate

-

Y

Y

Creating a DEK

POST /v1.0/{project_id}/kms/create-datakey

kms:dek:create

-

Y

Y

Creating a plaintext-free DEK

POST /v1.0/{project_id}/kms/create-datakey-without-plaintext

kms:dek:create

-

Y

Y

Encrypting a DEK

POST /v1.0/{project_id}/kms/encrypt-datakey

kms:dek:crypto

-

Y

Y

Decrypting a DEK

POST /v1.0/{project_id}/kms/decrypt-datakey

kms:dek:crypto

-

Y

Y

Querying the number of instances

GET /v1.0/{project_id}/kms/user-instances

kms:cmk:getInstance

-

Y

Y

Querying the user quota

GET /v1.0/{project_id}/kms/user-quotas

kms:cmk:getQuota

-

Y

Y

Modifying the CMK alias

POST /v1.0/{project_id}/kms/update-key-alias

kms:cmk:update

-

Y

Y

Modifying the description of a CMK

POST /v1.0/{project_id}/kms/update-key-description

kms:cmk:update

-

Y

Y

Creating a grant

POST /v1.0/{project_id}/kms/create-grant

kms:grant:create

-

Y

Y

Revoking a grant

POST /v1.0/{project_id}/kms/revoke-grant

kms:grant:revoke

-

Y

Y

Retiring a grant

POST /v1.0/{project_id}/kms/retire-grant

kms:grant:retire

-

Y

Y

Querying the grant list of a CMK

POST /v1.0/{project_id}/kms/list-grants

kms:grant:list

-

Y

Y

Querying the list of grants that can be retired

POST /v1.0/{project_id}/kms/list-retirable-grants

kms:grant:list

-

Y

Y

Encrypting data

POST /v1.0/{project_id}/kms/encrypt-data

kms:cmk:crypto

-

Y

Y

Decrypting data

POST /v1.0/{project_id}/kms/decrypt-data

kms:cmk:crypto

-

Y

Y

Obtaining parameters for importing a key

POST /v1.0/{project_id}/kms/get-parameters-for-import

kms:cmk:getMaterial

-

Y

Y

Importing key material

POST /v1.0/{project_id}/kms/import-key-material

kms:cmk:importMaterial

-

Y

Y

Deleting key material

POST /v1.0/{project_id}/kms/delete-imported-key-material

kms:cmk:deleteMaterial

-

Y

Y

Querying key resource instances

POST /v1.0/{project_id}/kms/resource_instances/action

kms:cmkTag:listInstance

-

Y

Y

Querying tags of a key

GET /v1.0/{project_id}/kms/{key_id}/tags

kms:cmkTag:list

-

Y

Y

Querying the project tags

GET /v1.0/{project_id}/kms/tags

kms:cmkTag:list

-

Y

Y

Adding or deleting key tags in batches

POST /v1.0/{project_id}/kms/{key_id}/tags/action

kms:cmkTag:batch

-

Y

Y

Adding tags to a key

POST /v1.0/{project_id}/kms/{key_id}/tags

kms:cmkTag:create

-

Y

Y

Deleting tags of a key

POST /v1.0/{project_id}/kms/{ key_id }/tags/{key}

kms:cmkTag:delete

-

Y

Y