With the latest update of the Key Management Service, you can now also configure very detailed permissions on the Key Management Service. You can now also set fine-grained permissions via the "Custom Policy Designer", which is available to you in the IAM Service in the "Permissions" tab via "Create Custom Policy".
The "Custom Policy Designer" allows you to define permissions for specific "actions". This can be the permission to e.g. "create customer keys" or "disable customer keys". You can select from a total 28 actions which can be assigned to your custom policy. Permissions on "actions" can not only be "granted" but also explicitly forbidden.
Furthermore, it is possible to limit the access rules to specific resources. This allows you to define different action permissions for different users/user groups on different customer keys. The permission policy can be linked to further conditional parameters. Those criteria must first be met before the user is then allowed to perform the corresponding action. For example, permissions can be bound to time periods. This allows you to issue permissions only for certain periods of time, so that they expire at a certain given time.
Below you will find the short overview of the update again
Permissions can be
- set up on action level (28 individual actions in total)
- allowed or explicitly forbidden
- dedicated to buckets or objects
- linked to conditional parameters
Further information can be found in the Open Telekom Cloud help center.
KMS - https://docs.otc.t-systems.com/en-us/kms/index.html
IAM - https://docs.otc.t-systems.com/en-us/iam/index.html
An example setup with 3 use cases can be found as a post in the Open Telekom Cloud Community via the following link: