Access management in Key Management Service
In this section, you'll learn:
- Which resources you can assign roles to.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to
Roles can be assigned for a cloud, folder, or key. These roles also apply to nested resources. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.
What roles exist in the service
You can manage access to KMS keys using both service and primitive roles.
Service roles
Service roles provide more granular control over KMS keys, taking into account the service specifics: a strict division of subjects into key administrators (the kms.admin role) and users (the kms.keys.encrypterDecrypter role).
Users without the resource-manager.clouds.owner or admin role can't assign roles via the management console.
List of service roles:
kms.keys.encrypterDecrypter: Enables you to encrypt and decrypt data and view information about keys.kms.admin: Enables you to assign random roles for keys using the CLI and API, delete keys and key versions, update the primary version. Includes all access rights of thekms.editorrole.kms.editor: Enables you to manage keys (view, create, update, rotate keys as well as encrypt and decrypt data). Includes all access rights of thekms.viewerandkms.keys.encrypterDecrypterroles.kms.viewer: Enables you to read information about keys.
Primitive roles
Primitive roles are common to all resources Yandex Cloud. Assigning any of them grants certain permissions in KMS and other cloud services. For example, the admin role assigned for a folder can enable you to remove any KMS keys in a folder and modify the folder itself or the resources it contains. You can manage primitive roles using the management console.
List of primitive roles:
viewer: Provides viewing access only to resource information.editor: Lets you manage (create and edit) resources.admin: Lets you manage access to resources as well as the resources themselves (create, modify, and delete).
What roles do I need
Example of key access control
We recommend working with roles as follows:
- The cloud owner (the
resource-manager.clouds.ownerrole) or administrator (theadminrole) assigns thekms.adminrole to the KMS administrator. - The KMS administrator creates the required number of keys and assigns (through the CLI or API) roles to use them: subjects from different teams are granted the
kms.keys.encrypterDecrypterandkms.editorroles for keys and folders.
It's good practice to store KMS keys in a dedicated folder apart from other Yandex Cloud resources.
| Action | Methods | Required roles |
|---|---|---|
| KMS | ||
| Get information about keys and versions | get, listVersions |
kms.viewer for a key and folder |
| Encryption and decryption operations | encrypt, decrypt, reEncrypt, generateDataKey |
kms.keys.encrypterDecrypter for a key |
| Get a list of keys in a folder | list |
kms.viewer for a folder |
| Create and update a key | create, update |
kms.editor for a folder |
| Rotating keys | rotate |
kms.editor for a key |
| Change the primary version | setPrimaryVersion |
kms.admin for a key |
| Destroy a key and version | delete, scheduleVersionDestruction, cancelVersionDestruction |
kms.admin for a key |
| Grant a role, revoke a role | setAccessBindings, updateAccessBindings |
kms.admin for a key |
| View roles granted for a key | listAccessBindings |
kms.viewer for a key |