Available in Classic and VPC
You can set different access permissions for Key Management Service using NAVER Cloud Platform's Sub Account service. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.
Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.
As of November 23, 2023, key permission management for Key Management Service is handled through the detailed permission management of Sub Account. Existing role-based key permissions are migrated to policies with the same level of permissions. For more information, see Migration of role-based permissions.
System-managed policies
System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to Key Management Service. Here are the available system-managed policies for Key Management Service:
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Full access to all services, same as the main account |
| NCP_INFRA_MANAGER | Access to all NAVER Cloud Platform services, except the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_FINANCE_MANAGER | Access to Cost Explorer and the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_KMS_MANAGER | Permission to use all the features of Key Management Service |
| NCP_KMS_VIEWER | View-only access to all Key Management Service features |
User-defined policies
User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. The actions you can include in a user-defined policy for Key Management Service are listed below:
Token action
Token-related actions and their descriptions are as follows:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| Change | Change/createTokenGenerator | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Create metadata to generate token. |
| Change | Change/createToken | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Generate token to use password feature. |
| Change | Change/updateTokenGenerator | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Initialize metadata to generate token. |
| Change | View/validateToken | - | Key | Key Management Service | Validate token. |
Password feature action
Password feature actions and their descriptions are as follows:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | View/createCustomKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Generate random symmetric key using RSA and AES keys. |
| View | View/sign | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Sign with asymmetric key. |
| View | View/verify | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Validate using asymmetric key. |
| View | View/decrypt | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Decrypt passphrase using (a)symmetric key. |
| View | View/encrypt | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Encrypt plain text using (a)symmetric key. |
| View | View/reEncrypt | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Re-encrypt passphrase using (a)symmetric key. |
Key management action
Actions for managing the lifecycle of a key and their descriptions are as follows:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | View/getKeyList | - | - | Key Management Service | View list of keys with View/getKeyInfo permissions. |
| View | View/getKeyInfo | View/getKeyList | Key | Key Management Service | View key details. |
| View | View/getLastUseInfo | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View last usage history of current key. |
| View | View/getAclRuleList | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View ACL list of key password feature. |
| View | View/getPubKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View RSA and ECDSA public keys. |
| View | View/getActivityList | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View key history. |
| Change | Change/updateMemo | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Edit key memo. |
| Change | Change/updateRotationPeriod | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Change key rotation cycle. |
| Change | Change/enableAutoRotation | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Activate automatic rotation of key. |
| Change | Change/disableAutoRotation | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Deactivate automatic rotation of key. |
| Change | Change/enableKey | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Activate key. |
| Change | Change/disableKey | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Deactivate key. |
| Change | Change/requestDeletion | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Request key deletion. |
| Change | Change/cancelDeletion | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Cancel key deletion request. |
| Change | Change/addAclRule | View/getKeyList, View/getKeyInfo, View/getAclRuleList | Key | Key Management Service | Add ACL of key password feature. |
| Change | Change/deleteAclRule | View/getKeyList, View/getKeyInfo, View/getAclRuleList | Key | Key Management Service | Delete ACL of key password feature. |
| Change | Change/updateAclConfig | View/getKeyList, View/getKeyInfo, View/getAclRuleList | Key | Key Management Service | Change ACL setting of key password feature. |
| Change | Change/createKey | View/getKeyList | - | Key Management Service | Create key. |
| Change | Change/rotateKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Renew key. |
| Change | Change/deleteKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Delete key. |
| Change | Change/enableVersion | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Activate version status of key. |
| Change | Change/disableVersion | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Deactivate version status of key. |
| Change | Change/subscribeKms | - | - | Key Management Service | Subscribe to Key Management Service. |
| Change | Change/unsubscribeKms | - | - | Key Management Service | Unsubscribe from Key Management Service. |
Key subscription action
Actions for using the client's master key and their descriptions are as follows:
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | View/getKeySubscriptionList | - | Key | Key Management Service | View key integration list by NAVER Cloud Platform services. |
| View | View/getKeySubscriptionInfo | View/getKeySubscriptionList | Key | Key Management Service | View key integration details by NAVER Cloud Platform services. |
| Change | Change/createKeySubscription | View/getKeyList, View/getKeyInfo, View/getKeySubscriptionList, View/getKeySubscriptionInfo, Change/deleteKeySubscription | Key | Key Management Service | Allow key integration by NAVER Cloud Platform services. |
| Change | Change/deleteKeySubscription | View/getKeyList, View/getKeyInfo, View/getKeySubscriptionList, View/getKeySubscriptionInfo, Change/createKeySubscription | Key | Key Management Service | Allow cancellation of key integration by NAVER Cloud Platform services. |
If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
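A local review aid for the related-action rule described above, added here as an example and not part of NAVER Cloud Platform's documentation or tooling: it reports which related actions a custom grant lacks and which Change actions enter a policy only because they are related actions. It assumes a policy is represented as a plain set of action-name strings; the function names and the sample policy are hypothetical.

```python
# Added example. Related-action requirements transcribed from the tables above.
BASE = {"View/getKeyList", "View/getKeyInfo"}
SUBS = BASE | {"View/getKeySubscriptionList", "View/getKeySubscriptionInfo"}
GROUPS = [
    (BASE, """Change/createTokenGenerator Change/createToken Change/updateTokenGenerator
        View/createCustomKey View/sign View/verify View/decrypt View/encrypt View/reEncrypt
        View/getLastUseInfo View/getAclRuleList View/getPubKey View/getActivityList
        Change/updateMemo Change/updateRotationPeriod Change/enableAutoRotation
        Change/disableAutoRotation Change/rotateKey Change/deleteKey
        Change/enableVersion Change/disableVersion"""),
    (BASE | {"View/getLastUseInfo"},
     "Change/enableKey Change/disableKey Change/requestDeletion Change/cancelDeletion"),
    (BASE | {"View/getAclRuleList"},
     "Change/addAclRule Change/deleteAclRule Change/updateAclConfig"),
    ({"View/getKeyList"}, "View/getKeyInfo Change/createKey"),
    ({"View/getKeySubscriptionList"}, "View/getKeySubscriptionInfo"),
    (SUBS | {"Change/deleteKeySubscription"}, "Change/createKeySubscription"),
    (SUBS | {"Change/createKeySubscription"}, "Change/deleteKeySubscription"),
]
# Actions with no related action ("-" in the tables) are simply absent here.
RELATED = {a: frozenset(deps) for deps, names in GROUPS for a in names.split()}


def missing_related(granted):
    """Map each granted action to the related actions the policy lacks."""
    granted = set(granted)
    gaps = {a: sorted(RELATED.get(a, frozenset()) - granted) for a in sorted(granted)}
    return {a: lacking for a, lacking in gaps.items() if lacking}


def with_related(granted):
    """Expand a grant until every related action is present (fixed point)."""
    result = set(granted)
    while True:
        extra = set().union(*(RELATED.get(a, frozenset()) for a in result)) - result
        if not extra:
            return result
        result |= extra


def widened_by_related(granted):
    """Change actions that enter the policy only as related actions."""
    added = with_related(granted) - set(granted)
    return sorted(a for a in added if a.startswith("Change/"))


if __name__ == "__main__":
    policy = {"Change/disableKey", "View/getKeyInfo"}  # constructed sample policy
    print(missing_related(policy))
    print(widened_by_related({"Change/createKeySubscription"}))
```

Because Change/createKeySubscription and Change/deleteKeySubscription list each other as related actions, a grant of one brings in the other unless it is deliberately unchecked, which is worth noting when reviewing a least-privilege policy.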
Migration of role-based permissions
The [Permission management] feature provided by Key Management Service is integrated into the Policy feature of Sub Account. The 5 roles in operation (Key Manager, Key Encryptor, Key Decryptor, Key Encryptor and Decryptor, and Key Reviewer) are automatically migrated to policies with the same level of permissions. The migrated policies have the following permissions:
| Role name | Policy name to be migrated | Permissions to be migrated |
|---|---|---|
| Key Manager | KMS_KEY_MGR-{Key Id} | View*, Change* |
| Key Encryptor | KMS_KEY_ENC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/encrypt, Change/reEncrypt, Change/createCustomKey, Change/sign |
| Key Decryptor | KMS_KEY_DEC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/decrypt, Change/verify |
| Key Encryptor and Decryptor | KMS_KEY_ENC_DEC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/encrypt, Change/reEncrypt, Change/createCustomKey, Change/sign, Change/decrypt, Change/verify |
| Key Reviewer | KMS_KEY_RVR-{Key Id} | View/getKeyList, View/getKeyInfo, View/getActivityList |
To view the migrated policies, navigate to Services > Management & Governance > Sub Account > Policies in the NAVER Cloud Platform console and check the [User-defined policies] tab.
