Managing Key Management Service permissions
Available in Classic and VPC
Using Sub Account, the account management service of NAVER Cloud Platform, you can set access permissions for Key Management Service. Sub Account provides System Managed policies and User Created policies for granting management and administration permissions.
Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, see the Services > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal, as well as the Sub Account guide.
As of November 23, 2023, the key permission management feature provided by the Key Management Service will be changed to detailed permission management through Sub Account. Existing role-based key permissions will be migrated to the same level of policy. For more information, see Migration of role-based permissions.
System Managed policies
System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once a System Managed policy is granted to a sub account created in Sub Account, that sub account can use Key Management Service. A brief description of the System Managed policies for Key Management Service follows.
Policy Name | Policy description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
NCP_INFRA_MANAGER | Permission to use all services on NAVER Cloud Platform, but limited access to some features of My Page in the portal (manage usage, manage payment) |
NCP_KMS_MANAGER | Permission to use all the features of Key Management Service |
NCP_KMS_VIEWER | Permission to only use the view feature of Key Management Service |
User Created policies
User Created policies are policies that users create themselves. Once a User Created policy is granted to a sub account created in Sub Account, that sub account can use only the combination of actions the user assigned. A brief description of the User Created policies for Key Management Service follows.
Token action
The following describes the token-related actions for using the password feature.
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
Change | Change/createTokenGenerator | View/getKeyList View/getKeyInfo | Key | Key Management Service | Create metadata to generate a token |
Change | Change/createToken | View/getKeyList View/getKeyInfo | Key | Key Management Service | Generate a token to use the password feature |
Change | Change/updateTokenGenerator | View/getKeyList View/getKeyInfo | Key | Key Management Service | Initialize metadata to generate a token |
Change | View/validateToken | - | Key | Key Management Service | Validate token |
Password feature actions
The following describes the password feature actions.
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/createCustomKey | View/getKeyList View/getKeyInfo | Key | Key Management Service | Generate a random symmetric key using an RSA or AES key |
View | View/sign | View/getKeyList View/getKeyInfo | Key | Key Management Service | Sign with an asymmetric key |
View | View/verify | View/getKeyList View/getKeyInfo | Key | Key Management Service | Validate with an asymmetric key |
View | View/decrypt | View/getKeyList View/getKeyInfo | Key | Key Management Service | Decrypt a passphrase using a symmetric or asymmetric key |
View | View/encrypt | View/getKeyList View/getKeyInfo | Key | Key Management Service | Encrypt plain text using a symmetric or asymmetric key |
View | View/reEncrypt | View/getKeyList View/getKeyInfo | Key | Key Management Service | Re-encrypt a passphrase using a symmetric or asymmetric key |
Key management actions
The following describes the actions for managing the lifecycle of a key.
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getKeyList | - | - | Key Management Service | View a list of keys with View/getKeyList permissions |
View | View/getKeyInfo | View/getKeyList | Key | Key Management Service | View key details |
View | View/getLastUseInfo | View/getKeyList View/getKeyInfo | Key | Key Management Service | View the last usage history of the present key |
View | View/getAclRuleList | View/getKeyList View/getKeyInfo | Key | Key Management Service | View the ACL list of key password feature |
View | View/getPubKey | View/getKeyList View/getKeyInfo | Key | Key Management Service | View the RSA or ECDSA public key |
View | View/getActivityList | View/getKeyList View/getKeyInfo | Key | Key Management Service | View key history |
Change | Change/updateMemo | View/getKeyList View/getKeyInfo | Key | Key Management Service | Change key memo |
Change | Change/updateRotationPeriod | View/getKeyList View/getKeyInfo | Key | Key Management Service | Change key rotation cycle |
Change | Change/enableAutoRotation | View/getKeyList View/getKeyInfo | Key | Key Management Service | Activate the automatic rotation of key |
Change | Change/disableAutoRotation | View/getKeyList View/getKeyInfo | Key | Key Management Service | Deactivate the automatic rotation of key |
Change | Change/enableKey | View/getKeyList View/getKeyInfo View/getLastUseInfo | Key | Key Management Service | Activate key status |
Change | Change/disableKey | View/getKeyList View/getKeyInfo View/getLastUseInfo | Key | Key Management Service | Deactivate key status |
Change | Change/requestDeletion | View/getKeyList View/getKeyInfo View/getLastUseInfo | Key | Key Management Service | Request key deletion |
Change | Change/cancelDeletion | View/getKeyList View/getKeyInfo View/getLastUseInfo | Key | Key Management Service | Cancel key deletion request |
Change | Change/addAclRule | View/getKeyList View/getKeyInfo View/getAclRuleList | Key | Key Management Service | Add the ACL of key password feature |
Change | Change/deleteAclRule | View/getKeyList View/getKeyInfo View/getAclRuleList | Key | Key Management Service | Delete the ACL of key password feature |
Change | Change/updateAclConfig | View/getKeyList View/getKeyInfo View/getAclRuleList | Key | Key Management Service | Change the ACL setting of key password feature |
Change | Change/createKey | View/getKeyList | - | Key Management Service | Create keys |
Change | Change/rotateKey | View/getKeyList View/getKeyInfo | Key | Key Management Service | Renew keys |
Change | Change/deleteKey | View/getKeyList View/getKeyInfo | Key | Key Management Service | Delete keys |
Change | Change/enableVersion | View/getKeyList View/getKeyInfo | Key | Key Management Service | Activate the version status of a key |
Change | Change/disableVersion | View/getKeyList View/getKeyInfo | Key | Key Management Service | Deactivate the version status of a key |
Change | Change/subscribeKms | - | - | Key Management Service | Subscribe to Key Management Service |
Change | Change/unsubscribeKms | - | - | Key Management Service | Unsubscribe from Key Management Service |
Key subscription actions
The following describes the actions for using a customer master key.
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getKeySubscriptionList | - | Key | Key Management Service | View key integration list by NAVER Cloud Platform services |
View | View/getKeySubscriptionInfo | View/getKeySubscriptionList | Key | Key Management Service | View detailed key integration information by NAVER Cloud Platform services |
Change | Change/createKeySubscription | View/getKeyList View/getKeyInfo View/getKeySubscriptionList View/getKeySubscriptionInfo Change/deleteKeySubscription | Key | Key Management Service | Allow the key integration of NAVER Cloud Platform services |
Change | Change/deleteKeySubscription | View/getKeyList View/getKeyInfo View/getKeySubscriptionList View/getKeySubscriptionInfo Change/createKeySubscription | Key | Key Management Service | Allow unsubscribing from the key integration of NAVER Cloud Platform services |
Even when you are granted permission for a specific action, you cannot perform the job properly unless you are also granted permission for the related actions it requires. To prevent such issues, Sub Account automatically grants permissions for the related actions when you grant an action permission. However, if you deselect related actions that were automatically granted, the system treats this as an intentional choice by the main account user and does not forcibly include them. Take care when setting permissions.
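The related-action rule above is easy to break by hand when editing a User Created policy, so the following added example (not NAVER Cloud Platform's own code) lints a proposed action set against the related-action tables on this page. The dependency table is transcribed from the tables above; the policies passed in are constructed, and a wildcard such as `View*` is assumed to cover every action of that classification, as in the migrated policy names below.

```python
"""Lint a KMS Sub Account policy against this page's related-action tables."""
_LI = ("View/getKeyList", "View/getKeyInfo")
# (related actions, actions that require them), transcribed from the tables above
_GROUPS = [
    ((), ["View/getKeyList", "View/validateToken", "Change/subscribeKms",
          "Change/unsubscribeKms", "View/getKeySubscriptionList"]),
    (("View/getKeyList",), ["View/getKeyInfo", "Change/createKey"]),
    (("View/getKeySubscriptionList",), ["View/getKeySubscriptionInfo"]),
    (_LI, ["Change/createTokenGenerator", "Change/createToken",
           "Change/updateTokenGenerator", "View/createCustomKey", "View/sign",
           "View/verify", "View/decrypt", "View/encrypt", "View/reEncrypt",
           "View/getLastUseInfo", "View/getAclRuleList", "View/getPubKey",
           "View/getActivityList", "Change/updateMemo",
           "Change/updateRotationPeriod", "Change/enableAutoRotation",
           "Change/disableAutoRotation", "Change/rotateKey",
           "Change/deleteKey", "Change/enableVersion", "Change/disableVersion"]),
    (_LI + ("View/getLastUseInfo",), ["Change/enableKey", "Change/disableKey",
           "Change/requestDeletion", "Change/cancelDeletion"]),
    (_LI + ("View/getAclRuleList",), ["Change/addAclRule",
           "Change/deleteAclRule", "Change/updateAclConfig"]),
    (_LI + ("View/getKeySubscriptionList", "View/getKeySubscriptionInfo",
            "Change/deleteKeySubscription"), ["Change/createKeySubscription"]),
    (_LI + ("View/getKeySubscriptionList", "View/getKeySubscriptionInfo",
            "Change/createKeySubscription"), ["Change/deleteKeySubscription"]),
]
RELATED = {act: frozenset(deps) for deps, acts in _GROUPS for act in acts}

def required_closure(actions):
    """All actions transitively required by `actions`; tolerates the
    create/deleteKeySubscription cycle and ignores names not in the tables."""
    needed, stack = set(), list(actions)
    while stack:
        act = stack.pop()
        if act not in needed:
            needed.add(act)
            stack.extend(RELATED.get(act, ()))
    return needed

def missing_related(granted):
    """Related actions the policy lacks. A wildcard such as 'View*' (assumed
    semantics, as in the migrated KMS_KEY_MGR policy) covers its whole class."""
    granted = set(granted)
    def covered(act):
        return act in granted or act.split("/")[0] + "*" in granted
    explicit = {a for a in granted if not a.endswith("*")}
    return sorted(a for a in required_closure(explicit) if not covered(a))

def unknown_actions(granted):
    """Action names that appear in no table on this page (likely typos)."""
    return sorted(a for a in granted if not a.endswith("*") and a not in RELATED)
```

Running `missing_related` on a policy that grants only `View/decrypt` and `View/verify` reports the two list/info actions that the table marks as required, which is exactly the gap that deselecting the auto-granted related actions would leave.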
Migration of role-based permissions
The [Permission management] feature provided by the existing Key Management Service is integrated into the Policy feature of Sub Account. The five roles currently in operation (Key Manager, Key Encryptor, Key Decryptor, Key Encryptor and Decryptor, and Key Reviewer) are automatically migrated to policies with the same level of permissions. The migrated policies have the following permissions.
Role name | Policy name to be migrated | Permissions to be migrated |
---|---|---|
Key Manager | KMS_KEY_MGR-{Key Id} | View*, Change* |
Key Encryptor | KMS_KEY_ENC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/encrypt, Change/reEncrypt, Change/createCustomKey, Change/sign |
Key Decryptor | KMS_KEY_DEC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/decrypt, Change/verify |
Key Encryptor and Decryptor | KMS_KEY_ENC_DEC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/encrypt, Change/reEncrypt, Change/createCustomKey, Change/sign, Change/decrypt, Change/verify |
Key Reviewer | KMS_KEY_RVR-{Key Id} | View/getKeyList, View/getKeyInfo, View/getActivityList |
You may view the migrated policies on the [User Created policies] tab of the Management & Governance > Sub Account > Policies menu.