The cloud provider has special hardware that allows it to store keys in a way that makes them accessible only to particular programs. We say such a key is bound to a program.
The customer and the cloud provider agree a policy about how the data is to be manipulated. This policy is embodied in a program p.
The client securely uploads a key k to the cloud, where it is bound to p.
The client uploads data encrypted with the key k to the cloud. The cloud can now run p, which can access k in order to manipulate the data. But the cloud cannot use any other program to manipulate the data, because a program different from p cannot access k.
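A runnable sketch of this flow, added here as an illustration and not part of the original text: the provider's hardware is modelled as a Python class that releases k only to a program whose measurement matches p's, the measurement is a hash of the program's bytecode, and the cipher is an illustrative HMAC-based construction. All names (BoundKeyStore, agreed_policy, cloud_run, the sample records) are assumptions made for the example.

```python
import hashlib, hmac, secrets

def measure(program) -> bytes:
    # Measurement of a program: a hash of its code, standing in for what the
    # provider's hardware would attest about the loaded program (assumption).
    return hashlib.sha256(program.__code__.co_code).digest()

class BoundKeyStore:
    """Model of the special hardware: a key is released only to the program it is bound to."""
    def __init__(self):
        self._bound = {}  # key id -> (measurement of p, key k)
    def bind(self, key_id, key, program):
        self._bound[key_id] = (measure(program), key)
    def get_key(self, key_id, running_program):
        expected, key = self._bound[key_id]
        if not hmac.compare_digest(expected, measure(running_program)):
            raise PermissionError("key is bound to a different program")
        return key

def _keystream_xor(k, nonce, data):
    # Illustrative HMAC-SHA256 counter-mode keystream, constructed for the demo
    # (a real deployment would use an AEAD such as AES-GCM).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(k, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(k, nonce, plaintext)

def decrypt(k, ciphertext):
    return _keystream_xor(k, ciphertext[:16], ciphertext[16:])

def cloud_run(store, key_id, program, ciphertext):
    k = store.get_key(key_id, program)  # hardware hands k over only if program measures as p
    return program(decrypt(k, ciphertext))

def agreed_policy(data):  # p: the customer allows the cloud to report only a record count
    return len(data.split(b"\n"))

def demo():
    store = BoundKeyStore()
    k = secrets.token_bytes(32)
    store.bind("customer-1", k, agreed_policy)            # client binds k to p
    ct = encrypt(k, b"alice,1\nbob,2\ncarol,3")           # constructed sample records
    count = cloud_run(store, "customer-1", agreed_policy, ct)
    try:                                                  # any other program p' is refused k
        cloud_run(store, "customer-1", lambda data: data, ct)
        leaked = True
    except PermissionError:
        leaked = False
    return count, leaked
```

Running demo() returns (3, False): the agreed program obtains k and computes the record count, while the substitute program never receives k and so never sees the plaintext.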