
Key Management Service: Initialize client

Last Updated: Mar 20, 2025

This topic outlines the steps to initialize the client before sending a KMS instance API request using the KMS instance SDK.

Procedure

  1. Initialize a client instance.

    # -*- coding: utf-8 -*-
    import os  # needed for os.getenv() below

    from openapi.models import Config
    from sdk.client import Client
    
    config = Config()
    # The connection protocol. Set the value to https. The KMS instance service only allows access through the HTTPS protocol.
    config.protocol = "https"
    
    # Client Key.
    config.client_key_file = "<CLIENT_KEY_FILE>"
    
    # Client Key decryption password.
    config.password = os.getenv('CLIENT_KEY_PASSWORD')
    
    # The endpoint of your KMS instance. Set the value in the following format: <ID of your KMS instance>.cryptoservice.kms.aliyuncs.com.
    config.endpoint = "<ENDPOINT>"
    client = Client(config)
  2. Configure the CA certificate for the KMS instance by setting runtime parameters (RuntimeOptions).

    Important

    Configuring the instance CA certificate is important for securing communications in a production environment by verifying the SSL/TLS certificate's authenticity. We recommend keeping this security measure enabled at all times. If you must disable SSL/TLS certificate verification, such as for offline testing, you can do so by setting the IgnoreSSL field in the RuntimeOptions parameter to true.

    Assign the CA certificate path of the KMS instance to the verify field in RuntimeOptions. Below is a code example:

    # -*- coding: utf-8 -*-
    from openapi_util.models import RuntimeOptions
    
    runtime_options = RuntimeOptions()
    # CA certificate path
    runtime_options.verify = "<CA_CERTIFICATE_FILE_PATH>"
    

Parameter description

endpoint

The endpoint is the dedicated gateway endpoint of the KMS instance, that is, the instance's domain address.

  1. Navigate to the Instances page, click on either the Software Key Management or Hardware Key Management tab, then click the KMS instance you want.

  2. In the Basic Information section, find the endpoint in the Instance VPC Endpoint field.

client_key_file

The client_key_file is where the application's identity credentials are stored. Upon creation of the ClientKey, it will be automatically downloaded by the browser, typically with a default filename like clientKey_****.json.

password

The password is the security token for the ClientKey. Similar to the ClientKey, it will be automatically downloaded by the browser upon creation, with a default filename such as clientKey_****_Password.txt.

verify

The verify field refers to the CA certificate that is associated with the KMS instance.

  1. On the Instances page, locate the Instance CA Certificate section and click Download.

  2. In the Instance CA Certificate dialog box, select the instance ID, click Download, and store it securely.

    The default filename for the downloaded CA certificate is PrivateKmsCA_kst-******.pem.
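A preflight check for the four values described above, run before `Client(config)` is constructed. It is an added example, not part of the KMS instance SDK: `preflight` and its messages are hypothetical, the JSON check is inferred from the `clientKey_****.json` filename, and the permission test assumes a POSIX file system.

```python
import base64
import json
import os
import re
import stat

# Endpoint format given on this page: <instance ID>.cryptoservice.kms.aliyuncs.com
ENDPOINT_RE = re.compile(r"[A-Za-z0-9-]+\.cryptoservice\.kms\.aliyuncs\.com")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def preflight(protocol, endpoint, client_key_file, ca_file,
              password_env="CLIENT_KEY_PASSWORD"):
    """Hypothetical helper: return a list of problems ([] means none found)."""
    problems = []
    if protocol != "https":
        problems.append("protocol must be https")
    if not ENDPOINT_RE.fullmatch(endpoint):
        problems.append("endpoint is not <instance ID>.cryptoservice.kms.aliyuncs.com")
    if not os.getenv(password_env):
        problems.append(f"environment variable {password_env} is empty or unset")

    # ClientKey file: owner-only permissions (POSIX) and parseable JSON,
    # the latter assumed from the clientKey_****.json filename.
    try:
        if os.stat(client_key_file).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("client key file is accessible to group/others")
        with open(client_key_file, encoding="utf-8") as fh:
            json.load(fh)
    except OSError as exc:
        problems.append(f"client key file unreadable: {exc.strerror}")
    except ValueError:
        problems.append("client key file is not valid JSON")

    # CA file: structural check only (PEM armor + base64). It catches a wrong
    # or truncated file; it does not validate the certificate itself.
    try:
        with open(ca_file, encoding="ascii") as fh:
            blocks = PEM_RE.findall(fh.read())
        if not blocks:
            raise ValueError("no certificate block")
        for body in blocks:
            base64.b64decode("".join(body.split()), validate=True)
    except OSError as exc:
        problems.append(f"CA certificate unreadable: {exc.strerror}")
    except ValueError:
        problems.append("CA certificate file is not PEM")
    return problems
```

Calling it at startup and refusing to continue on a non-empty result surfaces a missing password or a wrong CA path before the first request, so there is less temptation to work around a TLS error by setting IgnoreSSL.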