Key Management Service

Last updated: 2026-04-03 09:44:20

Fundamental information

| Product | Abbreviation in CAM | Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|---|
| Key Management Service | kms | Supported | Supported | Resource level | Partially supported |

Note:

The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

  • Service level: It defines whether a user has the permission to access the service as a whole. A user can have either full access or no access to the service. For cloud products whose authorization granularity is service level, authorization of specific APIs is not supported.
  • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
  • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

API authorization granularity

APIs support two authorization granularity levels: resource level and operation level.

  • Resource level: It supports the authorization of a specific resource.
  • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts a specific resource during authorization, CAM will determine that this API is not within the scope of authorization, and deem it as unauthorized.
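
An added example, not part of the original page or Tencent Cloud's own tooling: a small linter that applies the operation-level rule above to a CAM policy document. The granularity sets are a subset of this page's API tables; the policy JSON shape (version/statement/effect/action/resource), the optional `name/` action prefix, and the region, UIN and key ID in the sample are assumptions constructed for illustration.

```python
import json

# Subset of the KMS API tables on this page: APIs grouped by authorization granularity.
OPERATION_LEVEL = {"Decrypt", "GenerateRandom", "ListKeys", "EnableKey", "DisableKey"}
RESOURCE_LEVEL = {"Encrypt", "GenerateDataKey", "ReEncrypt", "DescribeKey",
                  "ScheduleKeyDeletion", "GetPublicKey"}

# Constructed sample policy (assumed CAM policy JSON shape; UIN and key ID are placeholders).
SAMPLE_POLICY = json.loads("""
{"version": "2.0", "statement": [
  {"effect": "allow", "action": ["kms:Encrypt", "kms:Decrypt"],
   "resource": ["qcs::kms:ap-guangzhou:uin/100000000001:key/creatorUin/100000000001/example-key-id"]},
  {"effect": "allow", "action": ["kms:GenerateDataKey", "kms:ListKeys"],
   "resource": "*"}
]}
""")

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, api, finding) for each questionable KMS grant."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue
        wildcard = "*" in _as_list(stmt.get("resource", []))
        for action in _as_list(stmt.get("action", [])):
            # Tolerate an optional "name/" prefix before "service:Api" (assumption).
            service, _, api = action.split("/")[-1].partition(":")
            if service != "kms":
                continue
            if api in OPERATION_LEVEL and not wildcard:
                # Per the page: a resource restriction puts the API out of scope.
                findings.append((idx, api, "operation-level-with-resource"))
            elif api in RESOURCE_LEVEL and wildcard:
                # Grant works, but could be narrowed to a six-segment key resource.
                findings.append((idx, api, "resource-level-on-wildcard"))
            elif api not in OPERATION_LEVEL | RESOURCE_LEVEL:
                findings.append((idx, api, "not-in-table-subset"))
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The first finding is the one that matters operationally: the statement looks like a least-privilege grant on one key, but the Decrypt call it is meant to allow will be treated as unauthorized.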

Write operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| ArchiveKey | ArchiveKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| AsymmetricRsaDecrypt | Asymmetric Rsa Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| AsymmetricSm2Decrypt | Asymmetric Sm2 Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| BindCloudResource | Bind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | not supported |
| CancelDataKeyDeletion | Cancel Scheduled Data Key Deletion | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| CancelKeyArchive | CancelKeyArchive | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| CancelKeyDeletion | Cancel scheduled deletion of key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| CreateKey | Create master key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/* | Supported |
| CreateWhiteBoxKey | Create WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/* | Supported |
| Decrypt | Decrypt data | Operation level | * | Supported |
| DeleteImportedKeyMaterial | Delete Imported Key Material | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DeleteWhiteBoxKey | Delete White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DisableDataKey | Disable Data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DisableDataKeys | Bulk Disable Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DisableTrustedService | Disable Trusted Service | Operation level | * | not supported |
| DisableWhiteBoxKey | Disable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DisableWhiteBoxKeys | Disable WhiteBox Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EnableDataKey | Enable Data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$datKeyId | Supported |
| EnableDataKeys | Bulk Enable Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| EnableTrustedService | Enable Trusted Service | Operation level | * | Supported |
| EnableWhiteBoxKey | Enable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EnableWhiteBoxKeys | Enable White Box Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| Encrypt | Encrypt data | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EncryptByWhiteBox | Encrypt By WhiteBox | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GenerateDataKey | Generate data key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GenerateRandom | Generate Random | Operation level | * | Supported |
| ImportDataKey | Import data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| ImportKeyMaterial | ImportKeyMaterial | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ModifySyncTask | Modify and save synchronization task | Operation level | * | Supported |
| OverwriteWhiteBoxDeviceFingerprints | Overwrite WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ReEncrypt | Cipher text refresh | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ScheduleDataKeyDeletion | Schedule Data Key Deletion | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| ScheduleKeyDeletion | Plan to delete key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| SetKeyAttributes | Set Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | not supported |
| SignByAsymmetricKey | SignByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| UnbindCloudResource | Unbind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| UpdateDataKeyDescription | Modify Data Key Description | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| UpdateDataKeyName | Modify Data Key Name | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| VerifyByAsymmetricKey | VerifyByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |

Read operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeDataKey | Retrieve Details of Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DescribeDataKeys | Retrieve Details List of Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DescribeKey | Get the master key attribute | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeKeys | Get multiple master key attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxDecryptKey | Describe WhiteBox Decrypt Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxKey | Describe White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxServiceStatus | Describe White Box Service Status | Operation level | * | Supported |
| DisableKey | DisableKey | Operation level | * | Supported |
| DisableKeyRotation | DisableKeyRotation | Operation level | * | Supported |
| DisableKeys | DisableKeys | Operation level | * | Supported |
| EnableKey | EnableKey | Operation level | * | Supported |
| EnableKeyRotation | EnableKeyRotation | Operation level | * | Supported |
| EnableKeys | EnableKeys | Operation level | * | Supported |
| GetDataKeyCiphertextBlob | Download Data Key CipherText | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| GetDataKeyPlaintext | Retrieve Data Key Plaintext | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| GetEncryptionSDKDownloadLink | Retrieve encryption SDK download link. | Operation level | * | Supported |
| GetKeyAttributes | Get Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | not supported |
| GetKeyRotationStatus | Query key rotation status | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetParametersForImport | Get Parameters For Import | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetPublicKey | Get Public Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetRegions | Get region | Operation level | * | Supported |
| GetSDKDownloadLink | Get SDK download link. | Operation level | * | Supported |
| GetServiceStatus | Query service status | Operation level | * | Supported |
| GetSyncSupportRegion | Get regions that support key synchronization | Operation level | * | Supported |
| GetUserStatus | Get User Status | Operation level | * | Supported |
| ListAlgorithms | List Algorithms | Operation level | * | Supported |
| ListDataKeyDetail | Get data key details list | Operation level | * | Supported |
| ListDataKeys | List of Data Keys | Operation level | * | Supported |
| ListEncryptionSDKVariants | Get Encryption SDK list. | Operation level | * | Supported |
| ListKeyDetail | Get master key details list | Operation level | * | Supported |
| ListKeys | Get master key list | Operation level | * | Supported |
| ListMultiAccountMembers | List Trusted Service Status Members | Operation level | * | Supported |
| ListSDKVariants | Get list of SDKs | Operation level | * | Supported |
| UpdateAlias | UpdateAlias | Operation level | * | Supported |
| UpdateKeyDescription | UpdateKeyDescription | Operation level | * | Supported |

List Operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeMonitorActionList | query monitor action list | Operation level | * | Supported |
| DescribeResourceIds | Describe ResourceIds | Operation level | * | Supported |
| DescribeServiceList | query service list | Resource level | qcs::kms::uin/${uin}:kmsservice/* | Supported |
| DescribeWhiteBoxDeviceFingerprints | Describe WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxKeyDetails | Describe WhiteBox Key Details | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ListKey | List Key | Operation level | * | not supported |
| ListKmsPremiumInstances | List KMS premium instances. | Operation level | * | Supported |

Other Operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| PostQuantumCryptoDecrypt | Post quantum cryptography decryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoEncrypt | Post quantum cryptography encryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoSign | Post quantum cryptography sign | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoVerify | Post quantum cryptography signature verify | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
