Oracle Cloud Infrastructure Documentation

Details for the Key Management Service

This topic covers details for writing policies to control access to the Key Management service.

Resource-Types

vaults

keys

key-delegates

Supported Variables

Key Management supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.

Variable                         Type            Comments
target.key.id                    Entity (OCID)   Use this variable to control access to specific keys by OCID.
target.vault.id                  Entity (OCID)   Use this variable to control access to specific vaults by OCID.
request.includePlainTextKey      String          Use this variable to control whether the plaintext key is returned in addition to the encrypted key in response to a request to generate a data encryption key.
request.kms-key.id               String          Use this variable to control whether block volumes or buckets can be created without a Key Management master encryption key.
target.boot-volume.kms-key.id    String          Use this variable to control whether Compute instances can be launched with boot volumes that were created without a Key Management master encryption key.
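The policy statements below are an added illustration, not statements from the original page or from Oracle's examples; they show each of the variables above used as a where condition. The group names, the compartment name and the OCIDs are placeholders. The comparison of request.kms-key.id and target.boot-volume.kms-key.id against the empty string to express "created without a key" is an assumption about how the service reports an absent key; confirm it against the IAM policy syntax reference and test it in a non-production compartment before relying on it.

```text
# Added example (not from the original page). Placeholders: group names,
# the compartment name "Prod", and every OCID. Lines starting with "#" are
# annotation only; each "Allow ..." line is one policy statement.

# Restrict a workload to a single master encryption key by OCID. Encrypt,
# Decrypt and GenerateDataEncryptionKey against any other key in the
# compartment do not match the condition.
Allow group AppServers to use keys in compartment Prod where target.key.id = 'ocid1.key.oc1.iad.exampleplaceholder'

# Scope vault administration to one vault by OCID.
Allow group VaultAdmins to manage vaults in compartment Prod where target.vault.id = 'ocid1.vault.oc1.iad.exampleplaceholder'

# Permit data-encryption-key generation only when the plaintext copy of the
# key is not requested (request.includePlainTextKey is a String variable;
# the literal 'false' is the assumed value for "not requested").
Allow group DekConsumers to use keys in compartment Prod where request.includePlainTextKey = 'false'

# Require a Key Management key when block volumes or buckets are created
# (assumption: an empty request.kms-key.id means no key was supplied).
Allow group VolumeCreators to manage volume-family in compartment Prod where request.kms-key.id != ''
Allow group BucketCreators to manage buckets in compartment Prod where request.kms-key.id != ''

# Only permit instance launches whose boot volume has a Key Management key
# (same empty-string assumption as above).
Allow group InstanceLaunchers to manage instance-family in compartment Prod where target.boot-volume.kms-key.id != ''
```

A where condition narrows the whole statement, so before deploying one of these, check in a test compartment how operations that do not carry the variable (for example a key read under a statement conditioned on request.includePlainTextKey, or a volume update under a statement conditioned on request.kms-key.id) behave, and add a separate, unconditioned statement for those operations if they must keep working.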

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the use verb for the keys resource-type includes the same permissions and API operations as the read verb, plus the KEY_ENCRYPT and KEY_DECRYPT permissions and a number of API operations (Encrypt, Decrypt, and GenerateDataEncryptionKey). The manage verb allows even more permissions and API operations when compared to the use verb.

vaults
keys

key-delegate

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation                Permissions Required to Use the Operation
ListVaults                   VAULT_INSPECT
GetVault                     VAULT_READ
CreateVault                  VAULT_CREATE
UpdateVault                  VAULT_UPDATE
ListKeys                     KEY_INSPECT
ListKeyVersions              KEY_INSPECT
GetKey                       KEY_READ
CreateKey                    KEY_CREATE and VAULT_CREATE_KEY
EnableKey                    KEY_UPDATE
DisableKey                   KEY_UPDATE
UpdateKey                    KEY_UPDATE
GenerateDataEncryptionKey    KEY_ENCRYPT
Encrypt                      KEY_ENCRYPT
Decrypt                      KEY_DECRYPT
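Because a verb grants a bundle of permissions, the table above is what you need when a principal should get fewer permissions than the cheapest verb that covers it. The statements below are an added illustration, not from the original page or from Oracle's examples; they use the general variable request.permission (listed under General Variables for All Requests, not on this page) together with the permission names in the table. Group names and the compartment name are placeholders.

```text
# Added example (not from the original page). Placeholders: group names and
# the compartment name "Prod". Lines starting with "#" are annotation only.

# Encrypt-only principal: the use verb carries both KEY_ENCRYPT and
# KEY_DECRYPT, so the condition keeps only the encrypt side and Decrypt
# is denied.
Allow group IngestWorkers to use keys in compartment Prod where request.permission = 'KEY_ENCRYPT'

# Key lifecycle operator with no access to key material: inspect, read and
# the Enable/Disable/UpdateKey operations (KEY_UPDATE), without KEY_ENCRYPT,
# KEY_DECRYPT or KEY_CREATE. The manage verb is used as the superset and the
# condition whitelists the permissions actually granted.
Allow group KeyOperators to manage keys in compartment Prod where any {request.permission = 'KEY_INSPECT', request.permission = 'KEY_READ', request.permission = 'KEY_UPDATE'}

# CreateKey requires KEY_CREATE and VAULT_CREATE_KEY, which live on two
# different resource-types, so a key creator needs a statement on keys and
# a statement on vaults; either one alone is insufficient.
Allow group KeyCreators to manage keys in compartment Prod where request.permission = 'KEY_CREATE'
Allow group KeyCreators to manage vaults in compartment Prod where request.permission = 'VAULT_CREATE_KEY'
```

When auditing such a policy, map each statement back to the table: every operation a group must perform should have all of its required permissions covered by some statement that matches, and anything not in that set (here, Decrypt for IngestWorkers, and Encrypt/Decrypt for KeyOperators) should be confirmed denied with a test call rather than assumed.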