Alibaba Cloud Community Blog

How to Manage Application Secrets Using Alibaba Cloud Key Management Service

This article explains how to manage application secrets using Alibaba Cloud Key Management Service (KMS).

By Wamala Emmanuel Nsubuga

What Is Key Management Service?

Alibaba Cloud Key Management Service (KMS) is a cloud-managed service that allows you to create, manage, and store keys, certificates, and secrets. KMS lets you control who can access your secrets and keys by assigning permissions. You can also manage the lifecycle of each secret by setting its rotation period. Auditing can be set up by integrating with Alibaba Cloud services such as ActionTrail or CloudMonitor, which provide usage logs showing who is accessing the secrets.

KMS Components

KMS consists of four components:

  • Key Service
  • Secrets Manager
  • Certificates Manager
  • Dedicated KMS

This article focuses on the Secrets Manager component of KMS.

Secrets Manager

Secrets Manager provides secret encryption, secret hosting, regular rotation (periodic updating of the secret, each update producing a new version), secure distribution, and centralized management. It reduces the security risks caused by static secrets configured in traditional IT facilities. You can use secrets to store sensitive data such as passwords.

A secret consists of three components: the metadata, the versions, and the stage labels that mark the secret versions.

The metadata of a secret contains the following parts:

  • The secret's name, which is used to specify the secret when you call an API operation of Secrets Manager
  • The identifier of the encryption key, which specifies the user-managed customer master key (CMK) used to encrypt the secret
  • Other data, such as the description and resource tags

Secret Versions

Each secret value you write into a secret is stored as a secret version. The secret value is the sensitive data. You can read the secret value of a secret version by secret name and version number. A version number can be written into a secret only once, and the version it identifies cannot be modified afterwards.

Stage Labels

Secret versions are marked with stage labels and can be referenced by those labels. Secrets Manager has two built-in stage labels: ACSCurrent and ACSPrevious. When you call the PutSecretValue operation, the newly stored secret version is marked with ACSCurrent by default. You can then call the GetSecretValue operation to read the secret version marked with ACSCurrent. You can also define custom stage labels.
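To make the versioning and stage-label rules above concrete, here is an added offline model (example code written for this article, not Alibaba Cloud's SDK) of how PutSecretValue and GetSecretValue interact with version numbers, ACSCurrent and ACSPrevious. It assumes that writing a new version with the default stage moves ACSPrevious to the version that was ACSCurrent, and that a version number can never be written twice; the secret names, version ids and values are constructed.

```python
from dataclasses import dataclass, field

ACS_CURRENT = "ACSCurrent"
ACS_PREVIOUS = "ACSPrevious"


@dataclass
class Secret:
    """One secret: immutable versions plus the stage labels that point at them."""
    name: str
    versions: dict = field(default_factory=dict)   # version_id -> secret value
    stages: dict = field(default_factory=dict)     # stage label -> version_id


class SecretsManagerModel:
    """Offline model of PutSecretValue/GetSecretValue semantics (not the real SDK)."""

    def __init__(self):
        self._secrets = {}

    def create_secret(self, name, version_id, value):
        if name in self._secrets:
            raise ValueError(f"secret {name!r} already exists")
        self._secrets[name] = Secret(name)
        self.put_secret_value(name, version_id, value)

    def put_secret_value(self, name, version_id, value, stage=ACS_CURRENT):
        secret = self._secrets[name]
        # A version number is written once; existing versions are never modified.
        if version_id in secret.versions:
            raise ValueError(f"version {version_id!r} already exists")
        secret.versions[version_id] = value
        if stage == ACS_CURRENT and ACS_CURRENT in secret.stages:
            # Assumed rotation behaviour: the old ACSCurrent version becomes ACSPrevious.
            secret.stages[ACS_PREVIOUS] = secret.stages[ACS_CURRENT]
        # A stage label points at exactly one version, so re-labelling moves it.
        secret.stages[stage] = version_id

    def get_secret_value(self, name, version_id=None, stage=ACS_CURRENT):
        """Read by explicit version number, or by stage label (ACSCurrent by default)."""
        secret = self._secrets[name]
        if version_id is None:
            version_id = secret.stages[stage]
        return version_id, secret.versions[version_id]


if __name__ == "__main__":
    m = SecretsManagerModel()
    m.create_secret("db-password", "v1", "constructed-pass-1")  # constructed sample
    m.put_secret_value("db-password", "v2", "constructed-pass-2")
    print(m.get_secret_value("db-password"), m.get_secret_value("db-password", stage=ACS_PREVIOUS))
```

Applications that read only ACSCurrent pick up a rotated value without redeploying, while ACSPrevious keeps the last value reachable for rollback.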

Benefits of Using Secrets Manager in KMS

  • Simplified Application Access: KMS provides multiple ways to consume dynamic secrets, such as the KMS SDKs, the Secrets Manager Client, and the Kubernetes plug-in.
  • Centralized and Large-Scale Management: KMS can be activated automatically and supports services such as ROS and Terraform, so you can orchestrate Alibaba Cloud resources such as databases and OSS buckets together with automated secrets management. Because the secrets are fully managed in Secrets Manager, they are administered from one central place.

Managing Secrets in Alibaba Cloud KMS

Create a Secret

  • Step 1: Navigate to the key management console and select Secrets:


  • Step 2: Click Create Secret:


  • Step 3: A window will pop up. Select Other Secrets:


  • Step 4: Fill in the required fields and click Next:


  • Step 5: Review the configuration and click OK:


Finally, the secret is successfully created.


Update a Secret

  • Step 1: Click the Secret you have created:


  • Step 2: All secret details will be displayed. Click Deposit Secret Value:


  • Step 3: Enter the Version name you want to use and the new secret value and click OK:


  • Step 4: The new version of the password is automatically given the default stage label of ACSCurrent:


Delete a Secret

  • Step 1: Navigate to the Secrets dashboard, hover the cursor over More in the Actions column of the secret, and select Plan Deletion Secrets:


  • Step 2: Choose between a planned (scheduled) deletion and an immediate deletion of the secret. A scheduled deletion lets you select a waiting period, from 7 to 30 days, after which the secret is deleted. Immediate deletion erases the secret right away:


  • Step 3: I chose to delete the secret immediately, and the image below shows the secret was deleted successfully:

