Creating a Grant

Scenario

You can create grants for other users to use the CMK. You can create a maximum of 100 grants for a CMK.

The owner of a CMK can create a grant for the CMK on the KMS management console or by making the API calls. A user, who has been granted with the grant creation permission by the owner of the CMK, can create grants for the CMK only by making the API calls.

Prerequisites

  • You have obtained the user ID of the grantee (user to whom permissions are to be authorized).

  • The desired CMK is in Enabled status.

Procedure

  1. Log in to the management console.

  2. Click image1 in the upper left corner of the management console and select a region or project.

  3. Choose Security > Key Management Service . The key management page is displayed.

  4. Click the alias of the desired CMK to go to the page displaying its details. You can create grants on the Grants tab page.

    **Figure 1** Grants tab

    Figure 1 Grants tab

  5. Click Create Grant. The Create Grant dialog box is displayed.

    **Figure 2** Creating a grant

    Figure 2 Creating a grant

  6. In the dialog box that is displayed, enter the ID of the user to be authorized and select permissions to be granted.

    Important

    A grantee can perform the authorized operations only by calling the necessary API. For details, see the Key Management Service API Reference.

    Table 1 Parameter description

    Parameter

    Description

    Example Value

    Key ID

    ID of a CMK (automatically read by the system)

    -

    Grantee

    The user ID of the grantee is required.

    Note

    The user IDs are provided by grantees who can obtain their IDs by clicking their portraits and choosing My Credential > User ID.

    d9a6b2bdaedd4ba586cabe6372d1b312

    Granted Operations

    The following permissions can be authorized:

    Note

    • You can create multiple grants on a CMK to provide different permissions to the same user. The user's permissions on the CMK are the combination of all the grants.

    • This parameter cannot be left blank.

    • Create Grant cannot be selected exclusively.

    • Create Data Key Without Plaintext

    • Create Data Key

    • Encrypt Data Key

    • Decrypt Data Key

    • Query Key Information

    • Create Grant

    • Retire Grant

      • A grantee can retire a grant if the grantee does not need that permission.

      • If, before retiring a grant, the grantee has granted the permission to another user, that user's permission will not be affected by the grant retirement.

    -

  7. Click OK. When message Grant of key alias created successfully is displayed in the upper right corner, the grant has been created.

    In the list of grants, you can view the grant ID, grantee ID, granted operation, and creation time of the grant.

last updated: 2024-09-09 12:41 UTC - commit: 631c3371bf1525e323351ea3b76daf0f43c197e7