You can create application access points to configure how applications use secrets.

Supported regions

China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), US (Virginia), China East 1 Finance, China East 2 Finance, China South 1 Finance, and China North 2 Ali Gov 1

Create an application access point

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region for the application access point that you want to create.
  3. In the left-side navigation pane, click Applications.
  4. Click Create Application Access Point.
  5. In the Create Application Access Point dialog box, specify the basic information.
    1. Configure Name and Description.
      Note The name of the application access point must be unique in the selected region within your Alibaba Cloud account.
    2. In the Authentication Method section, configure the authentication method.
      Authentication method Description
      RAMRole If you bind a RAM role to the environment in which your application runs, you can use the RAMRole authentication method. Your application can run in an Elastic Compute Service (ECS) instance, a Container Service for Kubernetes (ACK) cluster, or Function Compute. You must configure the following parameters:
      • Delegated trust: KMS authenticates your application by checking the delegated trust rules of the RAM role. Use this parameter to specify the type of the RAM role; the system then configures the delegated trust rules that match that type.

        Valid values:

        • ECS Instance Role: If your application is deployed on an ECS instance, select this value.
        • ACK Worker Role: If your application is deployed in an ACK cluster, select this value.
        • Function Compute Role: If your application is deployed in Function Compute, select this value.
      • Role Name: You must enter the name of the RAM role.
      Client Key KMS uses a client key to authenticate your application.

      If you use this method, you must bind a client key to the application access point after the application access point is created. For more information, see Bind a client key to the application access point.

    3. Click Next.
  6. Create policies.
    1. Click the Plus icon to the right of Policies.
    2. In the RBAC Policy dialog box, configure the following parameters and click Create.
      Parameter Description
      Policy Name The name of the policy.
      Scope The scope of the policy.

      Set the value to Shared KMS.

      RBAC Permissions The permission management template. The template specifies an operation that can be performed on specific resources.

      Set the value to SecretUser. This template grants only the GetSecretValue operation, which is the operation an application needs to read secret values.

      Accessible Resources The object on which the policy takes effect. You can configure objects in one of the following methods:
      • Method 1: In the Secret: Resources section, select existing resources and click the Left icon.
      • Method 2: In the Secret: Selected Resources section, click the Plus icon, specify the resource, and then click Add.
        Note You can use the asterisk (*) wildcard as a suffix, for example to match all secrets whose names share a prefix.
      Network Access Rules The network type and IP address that the policy allows for access to KMS.

      In the Rules section, select existing rules or perform the following steps to create a rule.

      1. Click the Plus icon.
      2. In the Create Network Access Rule dialog box, configure the following parameters:
        • Name: Enter the name of the network access rule.
        • Network Type: Select the type of network that is used for access to KMS.

          Valid values:

          • Public: If your application uses a public endpoint to access KMS, select this value.
          • VPC: If your application accesses KMS over a virtual private cloud (VPC), select this value.
          • Private: If your application accesses Dedicated KMS over a VPC, select this value.
        • Description: Enter a description about the network access rule.
        • Allowed IP addresses: Enter the IP addresses that are allowed to access KMS.

          Valid values:

          • If Network Type is set to Public, enter public IP addresses.
          • If Network Type is set to VPC, enter the ID of a VPC and the IP addresses or CIDR blocks of the VPC.
          • If Network Type is set to Private, enter private IP addresses or CIDR blocks.
          Note Separate multiple IP addresses with commas (,).
      3. Click Create.
      4. Select the new rule and click the Left icon.
    3. Select the new policy and click the Left icon.
    4. Click Next.
  7. Confirm the information about the application access point and click Create.
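The following script is an added illustration, not Alibaba Cloud's own evaluation code: it models locally how the pieces configured above (the SecretUser RBAC template, the accessible resources with a trailing * wildcard, and the Public/VPC/Private network access rules) combine into an allow or deny decision for a GetSecretValue request. The policy and rule names, the secret names, the VPC ID and the IP addresses are constructed sample data, and the "any one policy that matches grants access" semantics is an assumption made for the illustration. Authentication of the application (RAM role or client key) happens before this step and is not modeled.

```python
"""Local model of an application access point policy decision (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# RBAC permission templates: the SecretUser template allows only GetSecretValue.
RBAC_TEMPLATES = {"SecretUser": frozenset({"GetSecretValue"})}


@dataclass(frozen=True)
class NetworkRule:
    name: str
    network_type: str              # "Public", "VPC" or "Private"
    allowed: Tuple[str, ...]       # IP addresses or CIDR blocks
    vpc_id: Optional[str] = None   # only meaningful when network_type == "VPC"

    def matches(self, network_type: str, source_ip: str, vpc_id: Optional[str]) -> bool:
        if network_type != self.network_type:
            return False
        # A VPC rule is bound to one VPC ID; traffic from another VPC never matches.
        if self.network_type == "VPC" and vpc_id != self.vpc_id:
            return False
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.allowed)


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str                     # "Shared KMS"
    rbac_permission: str           # "SecretUser"
    resources: Tuple[str, ...]     # secret names; a trailing '*' is a prefix wildcard
    network_rules: Tuple[NetworkRule, ...]

    def covers_resource(self, secret_name: str) -> bool:
        for pattern in self.resources:
            if pattern.endswith("*"):
                if secret_name.startswith(pattern[:-1]):
                    return True
            elif secret_name == pattern:
                return True
        return False


@dataclass(frozen=True)
class Request:
    operation: str
    secret_name: str
    network_type: str
    source_ip: str
    vpc_id: Optional[str] = None


def evaluate(policies, req: Request):
    """Return (allowed, reason). A policy grants the request only if the RBAC
    template covers the operation, the resource list covers the secret, and at
    least one of the policy's network rules matches the request's origin."""
    reasons = []
    for p in policies:
        if req.operation not in RBAC_TEMPLATES.get(p.rbac_permission, frozenset()):
            reasons.append(f"{p.name}: operation {req.operation} not in {p.rbac_permission}")
            continue
        if not p.covers_resource(req.secret_name):
            reasons.append(f"{p.name}: secret {req.secret_name} not in accessible resources")
            continue
        if not any(r.matches(req.network_type, req.source_ip, req.vpc_id) for r in p.network_rules):
            reasons.append(f"{p.name}: no network access rule matches {req.network_type} {req.source_ip}")
            continue
        return True, f"allowed by policy {p.name}"
    return False, "; ".join(reasons) or "no policies bound"


# Constructed sample configuration (names, VPC ID and addresses are made up).
SAMPLE_POLICIES = (
    Policy(
        name="app-secrets-reader",
        scope="Shared KMS",
        rbac_permission="SecretUser",
        resources=("app/*", "shared/token"),
        network_rules=(
            NetworkRule("from-app-vpc", "VPC", ("10.0.1.0/24",), vpc_id="vpc-example"),
        ),
    ),
)

if __name__ == "__main__":
    for req in (
        Request("GetSecretValue", "app/db-prod", "VPC", "10.0.1.5", "vpc-example"),
        Request("GetSecretValue", "app/db-prod", "Public", "203.0.113.9"),
        Request("PutSecretValue", "app/db-prod", "VPC", "10.0.1.5", "vpc-example"),
    ):
        print(req, "->", evaluate(SAMPLE_POLICIES, req))
```

The denial reasons are the checks a practitioner should walk through when an application is unexpectedly refused: the wrong operation for the SecretUser template, a secret name outside the accessible resources (the wildcard only matches as a suffix), or a request arriving over a network type, VPC or address that no bound rule allows.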

Bind a client key to the application access point

After a client key-based application access point is created, you must bind a client key to the application access point. The client key is the credential that your application presents to KMS; KMS uses it to identify the application access point and apply the policies that are bound to it.

  1. Click the name of the application access point.
  2. In the Client Key section, click Create Client Key.
  3. In the Create Client Key dialog box, configure the following parameters.
    • Encryption Password

      When the client key is used for access to KMS, the password is used to decrypt the private key of the client key. Keep the encryption password confidential and store it separately from the downloaded private key file, because anyone who holds both can access KMS as your application.

    • Validity Period

      You cannot use the client key for access to KMS beyond the validity period.

  4. Click OK.
  5. In the Created dialog box, click Download Client Key to save the private key file of the client key. The private key file is an encrypted PKCS 12 file.
    Note KMS does not save the private key of the client key. You can obtain the encrypted PKCS 12 file only when you create the client key. Keep the file confidential.