How to access secrets by using an AAP - Key Management Service

You can create an application access point (AAP) to control how an application uses secrets.

Note

This topic applies only to users of the old version of Key Management Service (KMS). If you use KMS 3.0, see SDK references.

Create an AAP

Log on to the KMS console.
In the top navigation bar, select the region where you want to create an AAP.
In the left-side navigation pane, click Applications.
Click Create Application Access Point.

In the Create Application Access Point dialog box, configure the basic AAP information.

Configure Name and Description.
Note
The name of the AAP must be unique in the selected region within your Alibaba Cloud account.

In the Authentication Method section, specify an authentication method.

Authentication method

Description

Example

RAMRole

If you bind a RAM role to the environment in which your application runs, you can use the RAMRole authentication method. Your application can run on an Elastic Compute Service (ECS) instance, in a Container Service for Kubernetes (ACK) cluster, or in Function Compute. In this case, you must configure the following parameters:

Trusted Role: KMS verifies the delegated trust rules of the RAM role to authenticate your application. You can configure this parameter to specify the type of the RAM role. Then, the system automatically configures the delegated trust rules based on the type of the RAM role.
Valid values:
- ECS Instance Role: If your application is deployed on an ECS instance, select this value.
- ACK Worker Role: If your application is deployed in an ACK cluster, select this value.
- Function Compute Role: If your application is deployed in Function Compute, select this value.
Role Name: You must enter the name of the RAM role.

Trusted Role: ECS Instance Role
Role Name: ECSRole

Client Key

You can use the ClientKey authentication method and bind a client key to the AAP. KMS uses the client key to authenticate your application.

If you use this method, you must bind a client key to the AAP after you create the AAP. For more information, see Bind a client key to the AAP.

Click Next.

Configure permission policies.

Click the icon to the right of Policies.

In the RBAC Policy dialog box, configure the parameters and click Create.

Parameter	Description	Example
Policy Name	The name of the permission policy.	RAMPolicy
Scope	The scope of the permission policy. Valid values: Shared KMS: The permission policy applies to KMS. ID of a dedicated KMS instance: The permission policy applies to a specified dedicated KMS instance.	Shared KMS
RBAC Permissions	The permission management template. The template specifies the operation that can be performed on specific resources. Valid values: SecretUser: performs secret-related operations on KMS. You can call the GetSecretValue operation. CryptoServiceKeyUser: performs cryptographic operations on a dedicated KMS instance.	SecretUser
Accessible Resources	The resources on which the permission policy takes effect. You can use one of the following methods to configure resources: Method 1: In the Resources section, select existing resources and click the icon. Method 2: In the Selected Resources section, click the icon, enter resources, and then click Add. Note You can use the asterisk (*) wildcard character as a suffix.	secret/dataKey****
Network Access Rules	The network type and IP address that can access KMS based on the permission policy. In the Available Rules section, select existing rules or perform the following steps to create a rule. Click the icon. In the Create Network Access Rule dialog box, configure the following parameters: Name: Specify the name of the network access rule. Network Type: Select the type of network that you want to use to access KMS. Valid values: Public: If your application accesses the KMS instance by using a public endpoint, select this value. VPC: If your application accesses the KMS instance by using a virtual private cloud (VPC) address, select this value. Private: If your application accesses Dedicated KMS over a VPC, select this value. Description: Enter a description for the network access rule. Allowed IP addresses: Enter the addresses that can access KMS. Valid values: If you set Network Type to Public, enter public IP addresses. If you set Network Type to VPC, enter the ID of a VPC and the IP addresses or CIDR blocks of the VPC. If you set Network Type to Private, enter private IP addresses or CIDR blocks. Note Separate multiple IP addresses with commas (,). Click Create. Select the rule and click the icon.	Name: Network Network Type: VPC Description: Access the specified VPC VPC ID: vpc-bp1drih00fwsrgz2p** Allowed IP addresses**: 192.168.0.0/16

Select the permission policy and click the icon.
Click Next.

Check the information and click Create.

Bind a client key to the AAP

After you create a client key-based AAP, you must bind a client key to the AAP. The client key is used to identify the AAP.

Click the name of the AAP.
In the Client Key section, click Create Client Key.

In the Create Client Key dialog box, configure the parameters.

Parameter	Description	Example
Encryption Password	The password that is used to decrypt the private key file of the client key when the client key is used to access KMS. Keep the password confidential.	Test****
Validity Period	The validity period of the client key.	April 3, 2022 to March 4, 2027

Click OK.
In the Created dialog box, obtain the content of Password and Client Key.
- Password: Click Copy to the right of Decryption Password to obtain the password.
- Client Key: Click Download Client Key to obtain the content of the client key.
  The client key consists of the key ID (keyID) of the private key (PrivateKeyData). Example:
```
{
  "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
  "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
}
```
  Note
  KMS does not save the private key of the client key. The private key is stored in an encrypted PKCS#12 file. You can obtain the file only when you create the client key. Keep the file confidential.