本頁面由 Cloud Translation API 翻譯而成。

權限與角色

在 Cloud KMS 中，資源會以階層結構排列。這個階層可協助您管理及授予資源的存取權，且可提供不同層級的精細度。金鑰位於金鑰環中，而金鑰環則位於專案中。專案中也會有 EKM 連線。專案可進一步分類整理至資料夾或機構。

本主題將進一步說明 Cloud KMS 中的資源階層。如要進一步瞭解 Google Cloud 資源的一般資訊，請參閱「資源階層」。

資源階層

IAM 角色的範圍會因授予角色的資源階層層級而異。下表列出 Cloud KMS CryptoKey 加密者角色 (roles/cloudkms.cryptoKeyEncrypter) 在階層中不同層級授予的有效功能。

您可以管理金鑰或金鑰環的存取權，但無法管理個別金鑰版本的存取權。

資源階層	功能
機構	使用機構內所有專案中的所有金鑰進行加密
資料夾	使用資料夾中所有專案的所有金鑰進行加密
專案	使用專案中的所有金鑰進行加密
金鑰環	使用金鑰環上的所有金鑰加密
鍵	僅使用該金鑰加密

安全性原則

IAM 可協助您強制執行職責區隔和最低權限等相關安全性原則：

當您實施職責區隔原則時，沒有任何一位成員擁有完成重要業務功能所需的所有存取權。舉例來說，銀行櫃員只有在帳戶持有人親自到場並發起交易時，才能從帳戶中提款。
實施最小權限原則後，成員只能取得完成特定業務功能所需的最低存取權。舉例來說，銀行櫃員並不會自動獲得核准客戶貸款的權限。

預先定義的角色

IAM 提供預先定義的角色，可授予各類 Google Cloud 資源的存取權。如果沒有任何預先定義的角色符合您的需求，您可以建立自訂角色。

IAM 提供下列預先定義的 Cloud KMS 角色：

Role Permissions

Role	Permissions
Cloud KMS Admin (`roles/cloudkms.admin`) Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.autokeyConfigs.` `cloudkms.autokeyConfigs.get` `cloudkms.autokeyConfigs.update` `cloudkms.cryptoKeyVersions.create` `cloudkms.cryptoKeyVersions.destroy` `cloudkms.cryptoKeyVersions.get` `cloudkms.cryptoKeyVersions.list` `cloudkms.cryptoKeyVersions.restore` `cloudkms.cryptoKeyVersions.update` `cloudkms.cryptoKeyVersions.useToDecryptViaDelegation` `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` `cloudkms.cryptoKeys.` `cloudkms.cryptoKeys.create` `cloudkms.cryptoKeys.get` `cloudkms.cryptoKeys.getIamPolicy` `cloudkms.cryptoKeys.list` `cloudkms.cryptoKeys.setIamPolicy` `cloudkms.cryptoKeys.update` `cloudkms.ekmConfigs.` `cloudkms.ekmConfigs.get` `cloudkms.ekmConfigs.getIamPolicy` `cloudkms.ekmConfigs.setIamPolicy` `cloudkms.ekmConfigs.update` `cloudkms.ekmConnections.` `cloudkms.ekmConnections.create` `cloudkms.ekmConnections.get` `cloudkms.ekmConnections.getIamPolicy` `cloudkms.ekmConnections.list` `cloudkms.ekmConnections.setIamPolicy` `cloudkms.ekmConnections.update` `cloudkms.ekmConnections.use` `cloudkms.ekmConnections.verifyConnectivity` `cloudkms.importJobs.` `cloudkms.importJobs.create` `cloudkms.importJobs.get` `cloudkms.importJobs.getIamPolicy` `cloudkms.importJobs.list` `cloudkms.importJobs.setIamPolicy` `cloudkms.importJobs.useToImport` `cloudkms.kajPolicyConfigs.` `cloudkms.kajPolicyConfigs.get` `cloudkms.kajPolicyConfigs.update` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.keyRings.` `cloudkms.keyRings.create` `cloudkms.keyRings.createTagBinding` `cloudkms.keyRings.deleteTagBinding` `cloudkms.keyRings.get` `cloudkms.keyRings.getIamPolicy` `cloudkms.keyRings.list` `cloudkms.keyRings.listEffectiveTags` `cloudkms.keyRings.listTagBindings` `cloudkms.keyRings.setIamPolicy` `cloudkms.locations.get` `cloudkms.locations.list` `cloudkms.locations.optOutKeyDeletionMsa` `cloudkms.operations.get` `cloudkms.projects.*` `cloudkms.projects.showEffectiveAutokeyConfig` `cloudkms.projects.showEffectiveKajEnrollmentConfig` `cloudkms.projects.showEffectiveKajPolicyConfig` `resourcemanager.projects.get`
Cloud KMS Autokey Admin (`roles/cloudkms.autokeyAdmin`) Enables management of AutokeyConfig.	`cloudkms.autokeyConfigs.*` `cloudkms.autokeyConfigs.get` `cloudkms.autokeyConfigs.update` `cloudkms.projects.showEffectiveAutokeyConfig`
Cloud KMS Autokey User (`roles/cloudkms.autokeyUser`) Grants ability to use KeyHandle resources.	`cloudkms.keyHandles.*` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig`
Cloud KMS CryptoKey Decrypter (`roles/cloudkms.cryptoKeyDecrypter`) Provides ability to use Cloud KMS resources for decrypt operations only. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Decrypter Via Delegation (`roles/cloudkms.cryptoKeyDecrypterViaDelegation`) Enables Decrypt operations via other Google Cloud services Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS CryptoKey Encrypter (`roles/cloudkms.cryptoKeyEncrypter`) Provides ability to use Cloud KMS resources for encrypt operations only. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Encrypter/Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) Provides ability to use Cloud KMS resources for encrypt and decrypt operations only. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation`) Enables Encrypt and Decrypt operations via other Google Cloud services Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecryptViaDelegation` `cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS CryptoKey Encrypter Via Delegation (`roles/cloudkms.cryptoKeyEncrypterViaDelegation`) Enables Encrypt operations via other Google Cloud services Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToEncryptViaDelegation` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Crypto Operator (`roles/cloudkms.cryptoOperator`) Enables all Crypto Operations. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.cryptoKeyVersions.useToSign` `cloudkms.cryptoKeyVersions.useToVerify` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.generateRandomBytes` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS EkmConnections Admin (`roles/cloudkms.ekmConnectionsAdmin`) Enables management of EkmConnections.	`cloudkms.ekmConfigs.get` `cloudkms.ekmConfigs.update` `cloudkms.ekmConnections.create` `cloudkms.ekmConnections.get` `cloudkms.ekmConnections.list` `cloudkms.ekmConnections.update` `cloudkms.ekmConnections.verifyConnectivity` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Expert Raw AES-CBC Key Manager (`roles/cloudkms.expertRawAesCbc`) Enables raw AES-CBC keys management. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.manageRawAesCbcKeys` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Expert Raw AES-CTR Key Manager (`roles/cloudkms.expertRawAesCtr`) Enables raw AES-CTR keys management. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.manageRawAesCtrKeys` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Expert Raw PKCS#1 Key Manager (`roles/cloudkms.expertRawPKCS1`) Enables raw PKCS#1 keys management. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.manageRawPKCS1Keys` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Cloud KMS Importer (`roles/cloudkms.importer`) Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations	`cloudkms.importJobs.create` `cloudkms.importJobs.get` `cloudkms.importJobs.list` `cloudkms.importJobs.useToImport` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Key Access Justifications Enrollment Viewer ^Beta (`roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer`) Grant ability to view Key Access Justification enrollment configs of a project.	`cloudkms.projects.showEffectiveKajEnrollmentConfig`
Key Access Justifications Policy Config Admin ^Beta (`roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin`) Grant ability to manage Key Access Justifications Policy at parent resource level.	`cloudkms.kajPolicyConfigs.*` `cloudkms.kajPolicyConfigs.get` `cloudkms.kajPolicyConfigs.update` `cloudkms.projects.showEffectiveKajPolicyConfig`
Cloud KMS Organization Service Agent (`roles/cloudkms.orgServiceAgent`) Gives Cloud KMS organization-level service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.searchAllResources`
Cloud KMS Protected Resources Viewer (`roles/cloudkms.protectedResourcesViewer`) Enables viewing protected resources.	`cloudkms.protectedResources.search`
Cloud KMS CryptoKey Public Key Viewer (`roles/cloudkms.publicKeyViewer`) Enables GetPublicKey operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS Service Agent (`roles/cloudkms.serviceAgent`) Gives Cloud KMS service account access to managed resources. Warning: Do not grant service agent roles to any principals except service agents.	`cloudasset.assets.listCloudkmsCryptoKeys`
Cloud KMS CryptoKey Signer (`roles/cloudkms.signer`) Enables Sign operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToSign` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Signer/Verifier (`roles/cloudkms.signerVerifier`) Enables Sign, Verify, and GetPublicKey operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToSign` `cloudkms.cryptoKeyVersions.useToVerify` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS CryptoKey Verifier (`roles/cloudkms.verifier`) Enables Verify and GetPublicKey operations Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.cryptoKeyVersions.useToVerify` `cloudkms.cryptoKeyVersions.viewPublicKey` `cloudkms.locations.get` `cloudkms.locations.list` `resourcemanager.projects.get`
Cloud KMS Viewer (`roles/cloudkms.viewer`) Enables Get and List operations. Lowest-level resources where you can grant this role: CryptoKey	`cloudkms.autokeyConfigs.get` `cloudkms.cryptoKeyVersions.get` `cloudkms.cryptoKeyVersions.list` `cloudkms.cryptoKeys.get` `cloudkms.cryptoKeys.list` `cloudkms.ekmConfigs.get` `cloudkms.ekmConnections.get` `cloudkms.ekmConnections.list` `cloudkms.importJobs.get` `cloudkms.importJobs.list` `cloudkms.kajPolicyConfigs.get` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.keyRings.get` `cloudkms.keyRings.list` `cloudkms.locations.get` `cloudkms.locations.list` `cloudkms.operations.get` `resourcemanager.projects.get`
Cloud KMS KACLS Service Agent (`roles/cloudkmskacls.serviceAgent`) Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption. Warning: Do not grant service agent roles to any principals except service agents.	`cloudkms.cryptoKeyVersions.useToDecrypt` `cloudkms.cryptoKeyVersions.useToEncrypt` `cloudkms.cryptoKeys.get`

Cloud KMS Admin

(roles/cloudkms.admin)

Provides access to Cloud KMS resources, except for access to restricted resource types and cryptographic operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.autokeyConfigs.*

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update

cloudkms.cryptoKeyVersions.create

cloudkms.cryptoKeyVersions.destroy

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeyVersions.restore

cloudkms.cryptoKeyVersions.update

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.cryptoKeys.*

cloudkms.cryptoKeys.create
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.getIamPolicy
cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy
cloudkms.cryptoKeys.update

cloudkms.ekmConfigs.*

cloudkms.ekmConfigs.get
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConfigs.setIamPolicy
cloudkms.ekmConfigs.update

cloudkms.ekmConnections.*

cloudkms.ekmConnections.create
cloudkms.ekmConnections.get
cloudkms.ekmConnections.getIamPolicy
cloudkms.ekmConnections.list
cloudkms.ekmConnections.setIamPolicy
cloudkms.ekmConnections.update
cloudkms.ekmConnections.use
cloudkms.ekmConnections.verifyConnectivity

cloudkms.importJobs.*

cloudkms.importJobs.create
cloudkms.importJobs.get
cloudkms.importJobs.getIamPolicy
cloudkms.importJobs.list
cloudkms.importJobs.setIamPolicy
cloudkms.importJobs.useToImport

cloudkms.kajPolicyConfigs.*

cloudkms.kajPolicyConfigs.get
cloudkms.kajPolicyConfigs.update

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.keyRings.*

cloudkms.keyRings.create
cloudkms.keyRings.createTagBinding
cloudkms.keyRings.deleteTagBinding
cloudkms.keyRings.get
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudkms.keyRings.setIamPolicy

cloudkms.locations.get

cloudkms.locations.list

cloudkms.locations.optOutKeyDeletionMsa

cloudkms.operations.get

cloudkms.projects.*

cloudkms.projects.showEffectiveAutokeyConfig
cloudkms.projects.showEffectiveKajEnrollmentConfig
cloudkms.projects.showEffectiveKajPolicyConfig

resourcemanager.projects.get

Cloud KMS Autokey Admin

(roles/cloudkms.autokeyAdmin)

Enables management of AutokeyConfig.

cloudkms.autokeyConfigs.*

cloudkms.autokeyConfigs.get
cloudkms.autokeyConfigs.update

cloudkms.projects.showEffectiveAutokeyConfig

Cloud KMS Autokey User

(roles/cloudkms.autokeyUser)

Grants ability to use KeyHandle resources.

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

Cloud KMS CryptoKey Decrypter

(roles/cloudkms.cryptoKeyDecrypter)

Provides ability to use Cloud KMS resources for decrypt operations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Decrypter Via Delegation

(roles/cloudkms.cryptoKeyDecrypterViaDelegation)

Enables Decrypt operations via other Google Cloud services

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter

(roles/cloudkms.cryptoKeyEncrypter)

Provides ability to use Cloud KMS resources for encrypt operations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter

(roles/cloudkms.cryptoKeyEncrypterDecrypter)

Provides ability to use Cloud KMS resources for encrypt and decrypt operations only.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation

(roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation)

Enables Encrypt and Decrypt operations via other Google Cloud services

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecryptViaDelegation

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS CryptoKey Encrypter Via Delegation

(roles/cloudkms.cryptoKeyEncrypterViaDelegation)

Enables Encrypt operations via other Google Cloud services

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToEncryptViaDelegation

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Crypto Operator

(roles/cloudkms.cryptoOperator)

Enables all Crypto Operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.generateRandomBytes

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS EkmConnections Admin

(roles/cloudkms.ekmConnectionsAdmin)

Enables management of EkmConnections.

cloudkms.ekmConfigs.get

cloudkms.ekmConfigs.update

cloudkms.ekmConnections.create

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.ekmConnections.update

cloudkms.ekmConnections.verifyConnectivity

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw AES-CBC Key Manager

(roles/cloudkms.expertRawAesCbc)

Enables raw AES-CBC keys management.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.manageRawAesCbcKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw AES-CTR Key Manager

(roles/cloudkms.expertRawAesCtr)

Enables raw AES-CTR keys management.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.manageRawAesCtrKeys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Expert Raw PKCS#1 Key Manager

(roles/cloudkms.expertRawPKCS1)

Enables raw PKCS#1 keys management.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.manageRawPKCS1Keys

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

resourcemanager.projects.list

Cloud KMS Importer

(roles/cloudkms.importer)

Enables ImportCryptoKeyVersion, CreateImportJob, ListImportJobs, and GetImportJob operations

cloudkms.importJobs.create

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.importJobs.useToImport

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Key Access Justifications Enrollment Viewer ^Beta

(roles/cloudkms.keyAccessJustificationsEnrollmentConfigViewer)

Grant ability to view Key Access Justification enrollment configs of a project.

cloudkms.projects.showEffectiveKajEnrollmentConfig

Key Access Justifications Policy Config Admin ^Beta

(roles/cloudkms.keyAccessJustificationsPolicyConfigAdmin)

Grant ability to manage Key Access Justifications Policy at parent resource level.

cloudkms.kajPolicyConfigs.*

cloudkms.kajPolicyConfigs.get
cloudkms.kajPolicyConfigs.update

cloudkms.projects.showEffectiveKajPolicyConfig

Cloud KMS Organization Service Agent

(roles/cloudkms.orgServiceAgent)

Gives Cloud KMS organization-level service account access to managed resources.

cloudasset.assets.searchAllResources

Cloud KMS Protected Resources Viewer

(roles/cloudkms.protectedResourcesViewer)

Enables viewing protected resources.

cloudkms.protectedResources.search

Cloud KMS CryptoKey Public Key Viewer

(roles/cloudkms.publicKeyViewer)

Enables GetPublicKey operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS Service Agent

(roles/cloudkms.serviceAgent)

Gives Cloud KMS service account access to managed resources.

cloudasset.assets.listCloudkmsCryptoKeys

Cloud KMS CryptoKey Signer

(roles/cloudkms.signer)

Enables Sign operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToSign

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Signer/Verifier

(roles/cloudkms.signerVerifier)

Enables Sign, Verify, and GetPublicKey operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToSign

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS CryptoKey Verifier

(roles/cloudkms.verifier)

Enables Verify and GetPublicKey operations

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.cryptoKeyVersions.useToVerify

cloudkms.cryptoKeyVersions.viewPublicKey

cloudkms.locations.get

cloudkms.locations.list

resourcemanager.projects.get

Cloud KMS Viewer

(roles/cloudkms.viewer)

Enables Get and List operations.

Lowest-level resources where you can grant this role:

CryptoKey

cloudkms.autokeyConfigs.get

cloudkms.cryptoKeyVersions.get

cloudkms.cryptoKeyVersions.list

cloudkms.cryptoKeys.get

cloudkms.cryptoKeys.list

cloudkms.ekmConfigs.get

cloudkms.ekmConnections.get

cloudkms.ekmConnections.list

cloudkms.importJobs.get

cloudkms.importJobs.list

cloudkms.kajPolicyConfigs.get

cloudkms.keyHandles.get

cloudkms.keyHandles.list

cloudkms.keyRings.get

cloudkms.keyRings.list

cloudkms.locations.get

cloudkms.locations.list

cloudkms.operations.get

resourcemanager.projects.get

Cloud KMS KACLS Service Agent

(roles/cloudkmskacls.serviceAgent)

Grants Cloud KMS KACLS Service Agent access to KMS resource permissions to perform DEK encryption/decryption.

cloudkms.cryptoKeyVersions.useToDecrypt

cloudkms.cryptoKeyVersions.useToEncrypt

cloudkms.cryptoKeys.get

自訂角色

除了預先定義的角色，您也可以建立自訂角色。您可以透過自訂角色，授予角色執行特定工作所需的最小權限，以便落實最低權限原則。

自訂角色包含 IAM 參考資料中列出的一或多個權限。與 Cloud Key Management Service API 相關的權限開頭為字串 cloudkms。詳情請參閱「自訂角色的權限支援級別」。

如要瞭解叫用特定 Cloud Key Management Service API 方法所需的權限，請參閱該方法的 API 參考資料。

管理 Cloud KMS 存取權的一般規範

建議您避免使用 owner、editor 和 viewer 等基本專案全域角色。這些角色不會將管理金鑰的功能與使用金鑰執行加密編譯作業的功能分開，因此不建議用於實際工作環境。請改用預先定義的角色，或是建立符合業務需求的自訂角色。

以下範例說明一些良好的安全指南：

如果是大型或複雜的機構，您可以採用下列做法：
- 授予 IT 安全團隊成員在所有專案中具備 Cloud KMS 管理員角色 (roles/cloudkms.admin)。如果不同的團隊成員負責金鑰生命週期的不同層面，您可以授予這些團隊成員更精細的角色，例如 Cloud KMS 匯入者角色 (roles/cloudkms.importer)。
- 將 Cloud KMS 加密者 / 解密者角色 (roles/cloudkms.cryptoKeyEncrypterDecrypter) 授予可讀取或寫入加密資料的使用者或應用程式。
- 將 Cloud KMS 公開金鑰檢視者角色 (roles/cloudkms.publicKeyViewer) 授予需要查看用於非對稱加密的金鑰公開部分的使用者或應用程式。
- 建立符合業務需求的預先定義角色。舉例來說，同一位使用者可能需要監控專案配額，以及查看記錄資料。
如果是安全性要求簡單的小型機構，您可以選擇採用較簡單的方式，例如授予機構管理員 (roles/resourcemanager.organizationAdmin) 這類廣泛的角色。不過，這種做法可能無法因應您持續的需求。
建議您將金鑰託管在與這些金鑰所保護資料不同的 Google Cloud 專案中。在某個專案中具備基本或高權限角色的使用者 (例如 editor)，無法使用這個角色取得其他專案中金鑰的未授權存取權。
請勿將 owner 角色授予任何成員。如果沒有 owner 角色，專案中的任何成員都無法同時建立金鑰，並使用該金鑰解密資料或進行簽署，除非將這些權限逐一授予該成員。如要授予廣泛的管理員存取權，但不授予加密或解密功能，請改為授予 Cloud KMS 管理員角色 (roles/cloudkms.admin)。
如要限制對加密資料 (例如客戶資料) 的存取權，您可以限制哪些人可以存取金鑰，以及哪些人可以使用金鑰進行解密。如有需要，您可以建立細微的自訂角色，以滿足業務需求。

檢查權限

對於可設定精細 IAM 權限的每個 Cloud KMS 物件類型，該物件都會提供 testIamPermissions 方法。testIamPermissions 方法會傳回呼叫者已獲授予該物件的權限組合。

針對金鑰環，您可以叫用 cloudkms.keyRings.testIamPermissions 方法。
如要使用鍵，您可以叫用 cloudkms.cryptoKeys.testIamPermissions 方法。
針對金鑰匯入工作，您可以叫用 cloudkms.keyRings.importJobs.testIamPermissions 方法。
如要使用 EKM 連線，您可以呼叫 cloudkms.ekmConnections.testIamPermissions 方法。

您無法為金鑰版本設定 IAM 權限，因此 CryptoKeyVersion 物件類型沒有這個方法。

物件的 testIamPermissions 方法會傳回 TestIamPermissionsResponse。

如需叫用 testIamPermissions 方法的範例，請參閱 IAM 說明文件中的「測試權限」說明文件。

後續步驟

瞭解 IAM 如何集中管理 Google Cloud 資源的權限和存取範圍。
瞭解不同類型的 Cloud KMS 物件。

權限與角色 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

資源階層

安全性原則

預先定義的角色

Cloud KMS Admin

Cloud KMS Autokey Admin

Cloud KMS Autokey User

Cloud KMS CryptoKey Decrypter

Cloud KMS CryptoKey Decrypter Via Delegation

Cloud KMS CryptoKey Encrypter

Cloud KMS CryptoKey Encrypter/Decrypter

Cloud KMS CryptoKey Encrypter/Decrypter Via Delegation

Cloud KMS CryptoKey Encrypter Via Delegation

Cloud KMS Crypto Operator

Cloud KMS EkmConnections Admin

Cloud KMS Expert Raw AES-CBC Key Manager

Cloud KMS Expert Raw AES-CTR Key Manager

Cloud KMS Expert Raw PKCS#1 Key Manager

Cloud KMS Importer

Key Access Justifications Enrollment Viewer Beta

Key Access Justifications Policy Config Admin Beta

Cloud KMS Organization Service Agent

Cloud KMS Protected Resources Viewer

Cloud KMS CryptoKey Public Key Viewer

Cloud KMS Service Agent

Cloud KMS CryptoKey Signer

Cloud KMS CryptoKey Signer/Verifier

Cloud KMS CryptoKey Verifier

Cloud KMS Viewer

Cloud KMS KACLS Service Agent

自訂角色

管理 Cloud KMS 存取權的一般規範

檢查權限

後續步驟

權限與角色

Key Access Justifications Enrollment Viewer ^Beta

Key Access Justifications Policy Config Admin ^Beta