Managing Key Management Service permissions

    Available in Classic and VPC

    By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Key Management Service. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.

    Note

    Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, see the Services > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal, as well as the Sub Account guide.

    Note

    As of November 23, 2023, the key permission management feature provided by the Key Management Service will be changed to detailed permission management through Sub Account. Existing role-based key permissions will be migrated to the same level of policy. For more information, see Migration of role-based permissions.

    System Managed policies

    System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once System Managed policies are granted to a sub account created in Sub Account, that sub account can use Key Management Service. A brief description of the System Managed policies of Key Management Service is as follows.

    | Policy Name | Policy description |
    | --- | --- |
    | NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
    | NCP_INFRA_MANAGER | Permission to use all services on NAVER Cloud Platform, but limited access to some features of My Page in the portal (manage usage, manage payment) |
    | NCP_KMS_MANAGER | Permission to use all the features of Key Management Service |
    | NCP_KMS_VIEWER | Permission to only use the view feature of Key Management Service |

    User Created policies

    User Created policies are policies that users can create. Once User Created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of the User Created policies of Key Management Service.

    Token action

    The following describes the token-related actions for using the password feature.

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    | --- | --- | --- | --- | --- | --- |
    | Change | Change/createTokenGenerator | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Create metadata to generate a token |
    | Change | Change/createToken | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Generate a token to use the password feature |
    | Change | Change/updateTokenGenerator | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Initialize metadata to generate a token |
    | Change | View/validateToken | - | Key | Key Management Service | Validate token |

    Password feature actions

    The following describes the password feature actions.

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    | --- | --- | --- | --- | --- | --- |
    | View | View/createCustomKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Generate a random symmetric key using RSA, AES keys |
    | View | View/sign | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Sign with an asymmetric key |
    | View | View/verify | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Validate with an asymmetric key |
    | View | View/decrypt | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Decrypt a passphrase using a(n) (a)symmetric key |
    | View | View/encrypt | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Encrypt a plain text using a(n) (a)symmetric key |
    | View | View/reEncrypt | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Re-encrypt a passphrase using a(n) (a)symmetric key |

    Key management actions

    The following describes the actions for managing the lifecycle of a key.

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    | --- | --- | --- | --- | --- | --- |
    | View | View/getKeyList | - | - | Key Management Service | View a list of keys with View/getKeyList permissions |
    | View | View/getKeyInfo | View/getKeyList | Key | Key Management Service | View key details |
    | View | View/getLastUseInfo | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View the last usage history of the present key |
    | View | View/getAclRuleList | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View the ACL list of key password feature |
    | View | View/getPubKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View RSA, ECDSA public key |
    | View | View/getActivityList | View/getKeyList, View/getKeyInfo | Key | Key Management Service | View key history |
    | Change | Change/updateMemo | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Change key memo |
    | Change | Change/updateRotationPeriod | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Change key rotation cycle |
    | Change | Change/enableAutoRotation | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Activate the automatic rotation of key |
    | Change | Change/disableAutoRotation | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Deactivate the automatic rotation of key |
    | Change | Change/enableKey | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Activate key status |
    | Change | Change/disableKey | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Deactivate key status |
    | Change | Change/requestDeletion | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Request key deletion |
    | Change | Change/cancelDeletion | View/getKeyList, View/getKeyInfo, View/getLastUseInfo | Key | Key Management Service | Cancel key deletion request |
    | Change | Change/addAclRule | View/getKeyList, View/getKeyInfo, View/getAclRuleList | Key | Key Management Service | Add the ACL of key password feature |
    | Change | Change/deleteAclRule | View/getKeyList, View/getKeyInfo, View/getAclRuleList | Key | Key Management Service | Delete the ACL of key password feature |
    | Change | Change/updateAclConfig | View/getKeyList, View/getKeyInfo, View/getAclRuleList | Key | Key Management Service | Change the ACL setting of key password feature |
    | Change | Change/createKey | View/getKeyList | - | Key Management Service | Create keys |
    | Change | Change/rotateKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Renew keys |
    | Change | Change/deleteKey | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Delete keys |
    | Change | Change/enableVersion | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Activate the version status of a key |
    | Change | Change/disableVersion | View/getKeyList, View/getKeyInfo | Key | Key Management Service | Deactivate the version status of a key |
    | Change | Change/subscribeKms | - | - | Key Management Service | Subscribe Key Management Service |
    | Change | Change/unsubscribeKms | - | - | Key Management Service | Unsubscribe Key Management Service |

    Key subscription actions

    The following describes the actions for using a customer master key.

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    | --- | --- | --- | --- | --- | --- |
    | View | View/getKeySubscriptionList | - | Key | Key Management Service | View key integration list by NAVER Cloud Platform services |
    | View | View/getKeySubscriptionInfo | View/getKeySubscriptionList | Key | Key Management Service | View detailed key integration information by NAVER Cloud Platform services |
    | Change | Change/createKeySubscription | View/getKeyList, View/getKeyInfo, View/getKeySubscriptionList, View/getKeySubscriptionInfo, Change/deleteKeySubscription | Key | Key Management Service | Allow the key integration of NAVER Cloud Platform services |
    | Change | Change/deleteKeySubscription | View/getKeyList, View/getKeyInfo, View/getKeySubscriptionList, View/getKeySubscriptionInfo, Change/createKeySubscription | Key | Key Management Service | Allow to unsubscribe the key integration of NAVER Cloud Platform services |

    Caution

    Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and won't forcibly include them. So, be careful when setting permissions.
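
    The check below is an added example, not NAVER Cloud Platform code: it audits a User Created policy's action set for related actions that were deselected, and shows the full set a grant expands to. The action names and related actions are transcribed from a subset of the tables on this page; the function names, the sample policy, and the assumption that related actions are followed transitively are constructed for illustration.

```python
# Related actions transcribed from this page's tables (subset only).
BASE = frozenset({"View/getKeyList", "View/getKeyInfo"})
SUBS = BASE | {"View/getKeySubscriptionList", "View/getKeySubscriptionInfo"}
RELATED = {
    "View/getKeyList": frozenset(),
    "View/getKeyInfo": frozenset({"View/getKeyList"}),
    "View/getLastUseInfo": BASE,
    "View/getAclRuleList": BASE,
    "View/getKeySubscriptionList": frozenset(),
    "View/getKeySubscriptionInfo": frozenset({"View/getKeySubscriptionList"}),
    "View/encrypt": BASE,
    "Change/disableKey": BASE | {"View/getLastUseInfo"},
    "Change/requestDeletion": BASE | {"View/getLastUseInfo"},
    "Change/addAclRule": BASE | {"View/getAclRuleList"},
    "Change/createKeySubscription": SUBS | {"Change/deleteKeySubscription"},
    "Change/deleteKeySubscription": SUBS | {"Change/createKeySubscription"},
}


def missing_related(granted):
    """Return {action: [related actions absent from the policy]}."""
    granted = set(granted)
    unknown = granted - set(RELATED)
    if unknown:
        raise ValueError(f"not in the transcribed subset: {sorted(unknown)}")
    gaps = {a: sorted(RELATED[a] - granted) for a in sorted(granted)}
    return {a: lacking for a, lacking in gaps.items() if lacking}


def with_related(granted):
    """Expand a policy with related actions until nothing new is added."""
    result = set(granted)
    pending = list(result)
    while pending:
        for dep in RELATED[pending.pop()]:
            if dep not in result:
                result.add(dep)
                pending.append(dep)
    return result


# Constructed sample: a policy where related actions were deselected.
SAMPLE_POLICY = {"View/encrypt", "Change/disableKey", "View/getKeyList"}

if __name__ == "__main__":
    for action, lacking in missing_related(SAMPLE_POLICY).items():
        print(f"{action}: missing {', '.join(lacking)}")
    print(sorted(with_related({"Change/createKeySubscription"})))
```

    Expanding Change/createKeySubscription also pulls in Change/deleteKeySubscription, so reviewing the expanded set shows the effective privilege of a policy rather than only the actions that were selected by hand.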

    Migration of role-based permissions

    The [Permission management] feature provided by the existing Key Management Service is integrated into the Policy feature of Sub Account. The 5 roles of Key Manager, Key Encryptor, Key Decryptor, Key Encryptor and Decryptor, and Key Reviewer in operation are automatically migrated to policies with the same level of permissions. The migrated policies have the following permissions.

    | Role name | Policy name to be migrated | Permissions to be migrated |
    | --- | --- | --- |
    | Key Manager | KMS_KEY_MGR-{Key Id} | View*, Change* |
    | Key Encryptor | KMS_KEY_ENC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/encrypt, Change/reEncrypt, Change/createCustomKey, Change/sign |
    | Key Decryptor | KMS_KEY_DEC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/decrypt, Change/verify |
    | Key Encryptor and Decryptor | KMS_KEY_ENC_DEC-{Key Id} | View/getKeyList, View/getKeyInfo, Change/encrypt, Change/reEncrypt, Change/createCustomKey, Change/sign, Change/decrypt, Change/verify |
    | Key Reviewer | KMS_KEY_RVR-{Key Id} | View/getKeyList, View/getKeyInfo, View/getActivityList |

    You may view the migrated policies on the [User Created policies] tab of the Management & Governance > Sub Account > Policies menu.