
Key Management Service

Last updated: 2026-04-03 09:44:20

Fundamental information

| Product | Abbreviation in CAM Console | Authorization by Tag | Authorization Granularity | IP Restriction |
|---|---|---|---|---|
| Key Management Service | kms | Supported | Supported | Resource level | Partially supported |

Note:

The authorization granularity of cloud products is divided into three levels: service level, operation level, and resource level, based on the degree of granularity.

  • Service level: It defines whether a user has permission to access the service as a whole. A user can have either full access or no access to the service. For cloud products whose authorization granularity is service level, authorization of specific APIs is not supported.
  • Operation level: It defines whether a user has the permission to call a specific API of the service. For example, granting an account read-only access to the CVM service is an authorization at the operation level.
  • Resource level: It is the finest authorization granularity which defines whether a user has the permission to access specific resources. For example, granting an account read/write access to a specific CVM instance is an authorization at the resource level.

API authorization granularity

APIs support two authorization granularity levels: resource level and operation level.

  • Resource level: It supports the authorization of a specific resource.
  • Operation level: It does not support the authorization of a specific resource. If the policy syntax restricts the authorization to a specific resource, CAM determines that the API is outside the scope of the authorization and treats it as unauthorized.
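As an added illustration (not code from Tencent Cloud's documentation or from CAM itself), the following simplified Python check applies the rule above to CAM policy statements in the usual version 2.0 shape: the granularity of four KMS APIs is taken from the tables on this page, and the sample shows that scoping the operation-level Decrypt API to one key grants nothing, while scoping the resource-level Encrypt API to that key works. The segment-matching rules (an empty region segment matching any region), the sample UIN and the key IDs are assumptions.

```python
import fnmatch

# Granularity of a few KMS APIs, taken from the tables on this page:
# "resource" APIs accept a six-segment resource; for "operation" APIs only "*" counts.
GRANULARITY = {"kms:Encrypt": "resource", "kms:GenerateDataKey": "resource",
               "kms:Decrypt": "operation", "kms:GenerateRandom": "operation"}

def resource_matches(pattern: str, resource: str) -> bool:
    """Segment-by-segment match of a qcs six-segment resource. '*' is a wildcard,
    also inside a segment (key/creatorUin/123/*); an empty pattern segment
    (e.g. region) is assumed here to match any value."""
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.split(":", 5), resource.split(":", 5)
    if len(p_parts) != 6 or len(r_parts) != 6:
        return False
    return all(p == "" or fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))

def statement_allows(stmt: dict, action: str, resource: str) -> bool:
    """One allow statement vs. one call. Rule from this page: an operation-level
    API is granted only when the statement's resource is '*'; naming a specific
    resource puts that API outside the grant."""
    if stmt.get("effect") != "allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["action"]):
        return False
    if GRANULARITY.get(action) == "operation":
        return "*" in stmt["resource"]
    return any(resource_matches(r, resource) for r in stmt["resource"])

def policy_allows(policy: dict, action: str, resource: str) -> bool:
    return any(statement_allows(s, action, resource) for s in policy["statement"])

# Constructed sample values: UIN 100000000001 and the key ids are placeholders.
KEY_A = "qcs::kms:ap-guangzhou:uin/100000000001:key/creatorUin/100000000001/key-aaaa"
KEY_B = "qcs::kms:ap-guangzhou:uin/100000000001:key/creatorUin/100000000001/key-bbbb"
WEAK = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["kms:Encrypt", "kms:GenerateDataKey"], "resource": [KEY_A]},
    # Decrypt is operation level: scoping it to KEY_A grants nothing at all.
    {"effect": "allow", "action": ["kms:Decrypt"], "resource": [KEY_A]},
]}
FIXED = {"version": "2.0", "statement": [
    WEAK["statement"][0],
    {"effect": "allow", "action": ["kms:Decrypt"], "resource": ["*"]},
]}
```

A policy audit that flags operation-level actions paired with a non-`*` resource catches the silent no-op grant before a user reports "unauthorized" on Decrypt.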

Write operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| ArchiveKey | ArchiveKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| AsymmetricRsaDecrypt | Asymmetric Rsa Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| AsymmetricSm2Decrypt | Asymmetric Sm2 Decrypt | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| BindCloudResource | Bind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported |
| CancelDataKeyDeletion | Cancel Scheduled Data Key Deletion | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| CancelKeyArchive | CancelKeyArchive | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| CancelKeyDeletion | Cancel scheduled deletion of key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| CreateKey | Create master key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/* | Supported |
| CreateWhiteBoxKey | Create WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/* | Supported |
| Decrypt | Decrypt data | Operation level | * | Supported |
| DeleteImportedKeyMaterial | Delete Imported Key Material | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DeleteWhiteBoxKey | Delete White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DisableDataKey | Disable Data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DisableDataKeys | Bulk Disable Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DisableTrustedService | Disable Trusted Service | Operation level | * | Not supported |
| DisableWhiteBoxKey | Disable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DisableWhiteBoxKeys | Disable WhiteBox Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EnableDataKey | Enable Data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| EnableDataKeys | Bulk Enable Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| EnableTrustedService | Enable Trusted Service | Operation level | * | Supported |
| EnableWhiteBoxKey | Enable WhiteBox Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EnableWhiteBoxKeys | Enable White Box Keys | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| Encrypt | Encrypt data | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| EncryptByWhiteBox | Encrypt By WhiteBox | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GenerateDataKey | Generate data key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GenerateRandom | Generate Random | Operation level | * | Supported |
| ImportDataKey | Import data Key | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| ImportKeyMaterial | ImportKeyMaterial | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ModifySyncTask | Modify and save synchronization task | Operation level | * | Supported |
| OverwriteWhiteBoxDeviceFingerprints | Overwrite WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ReEncrypt | Cipher text refresh | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ScheduleDataKeyDeletion | Schedule Data Key Deletion | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| ScheduleKeyDeletion | Plan to delete key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| SetKeyAttributes | Set Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported |
| SignByAsymmetricKey | SignByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| UnbindCloudResource | Unbind Cloud Resource | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| UpdateDataKeyDescription | Modify Data Key Description | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| UpdateDataKeyName | Modify Data Key Name | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| VerifyByAsymmetricKey | VerifyByAsymmetricKey | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |

Read operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeDataKey | Retrieve Details of Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DescribeDataKeys | Retrieve Details List of Data Keys | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| DescribeKey | Get the master key attribute | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeKeys | Get multiple master key attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxDecryptKey | Describe WhiteBox Decrypt Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxKey | Describe White Box Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxServiceStatus | Describe White Box Service Status | Operation level | * | Supported |
| DisableKey | DisableKey | Operation level | * | Supported |
| DisableKeyRotation | DisableKeyRotation | Operation level | * | Supported |
| DisableKeys | DisableKeys | Operation level | * | Supported |
| EnableKey | EnableKey | Operation level | * | Supported |
| EnableKeyRotation | EnableKeyRotation | Operation level | * | Supported |
| EnableKeys | EnableKeys | Operation level | * | Supported |
| GetDataKeyCiphertextBlob | Download Data Key CipherText | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| GetDataKeyPlaintext | Retrieve Data Key Plaintext | Resource level | qcs::kms::uin/${uin}:key/creatorUin/$creatorUin/$dataKeyId | Supported |
| GetEncryptionSDKDownloadLink | Retrieve encryption SDK download link | Operation level | * | Supported |
| GetKeyAttributes | Get Key Attributes | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Not supported |
| GetKeyRotationStatus | Query key rotation status | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetParametersForImport | Get Parameters For Import | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetPublicKey | Get Public Key | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| GetRegions | Get region | Operation level | * | Supported |
| GetSDKDownloadLink | Get SDK download link | Operation level | * | Supported |
| GetServiceStatus | Query service status | Operation level | * | Supported |
| GetSyncSupportRegion | Get regions that support key synchronization | Operation level | * | Supported |
| GetUserStatus | Get User Status | Operation level | * | Supported |
| ListAlgorithms | List Algorithms | Operation level | * | Supported |
| ListDataKeyDetail | Get data key details list | Operation level | * | Supported |
| ListDataKeys | List of Data Keys | Operation level | * | Supported |
| ListEncryptionSDKVariants | Get Encryption SDK list | Operation level | * | Supported |
| ListKeyDetail | Get master key details list | Operation level | * | Supported |
| ListKeys | Get master key list | Operation level | * | Supported |
| ListMultiAccountMembers | List Trusted Service Status Members | Operation level | * | Supported |
| ListSDKVariants | Get list of SDKs | Operation level | * | Supported |
| UpdateAlias | UpdateAlias | Operation level | * | Supported |
| UpdateKeyDescription | UpdateKeyDescription | Operation level | * | Supported |

List Operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| DescribeMonitorActionList | Query monitor action list | Operation level | * | Supported |
| DescribeResourceIds | Describe ResourceIds | Operation level | * | Supported |
| DescribeServiceList | Query service list | Resource level | qcs::kms::uin/${uin}:kmsservice/* | Supported |
| DescribeWhiteBoxDeviceFingerprints | Describe WhiteBox Device Fingerprints | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| DescribeWhiteBoxKeyDetails | Describe WhiteBox Key Details | Resource level | qcs::kms:$region:uin/$uin:key/creatorUin/$creatorUin/$keyId | Supported |
| ListKey | List Key | Operation level | * | Not supported |
| ListKmsPremiumInstances | List KMS premium instances | Operation level | * | Supported |

Other Operations

| API | API Description | Authorization Granularity | Six-segment Resource Description | IP Restriction |
|---|---|---|---|---|
| PostQuantumCryptoDecrypt | Post quantum cryptography decryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoEncrypt | Post quantum cryptography encryption | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoSign | Post quantum cryptography sign | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
| PostQuantumCryptoVerify | Post quantum cryptography signature verify | Resource level | qcs::kms:${region}:uin/${uin}:key/creatorUin/$creatorUin/$keyId | Supported |
