ACM provides encrypted configuration to meet the requirement for sensitive configurations (data sources, Tokens, usernames, passwords, and so on), and to lower the risk of leaking user configurations. An encrypted configuration is a configuration stored in an encrypted way. This topic explains how to create and use an encrypted configuration.
Log on to the ACM console, and select the target region in the upper-left corner.
In the left-side navigation pane of the console, choose Configurations. On the right side of the page, click Create Configuration.
On the Create Configuration page, switch on Data Encryption.
Note: When you use the data encryption function for the first time, the Activate Data Encryption Services dialog box appears. You must activate the key management service and authorize ACM to encrypt and decrypt with your key management service before you can use this function, because ACM data encryption function relies on key management service to encrypt configurations.
In the Activate Data Encryption Services dialog box, click Activate Now. On the Enable Service page, select I have read and agree with “Key Management Service Agreement”, and then click Enable Now.
In the Activate Data Encryption Services dialog box, click Authorize Now. On the Cloud Resource Access Authorization page, select the target permission, and click Confirm Authorization Policy.
On the Create Configuration page, fill the configuration content, and then click Publish.
Note: To make it easier for you to manage the configurations, everything is displayed in plain text in the console, although the configurations are actually encrypted.
In the Action column of the table, click Sample Code to obtain sample code.
Tip: Java SDK and Python SDK has incorporated KMS-SDK, so you can add decryption filters for automatic decryption. For more information about decryption of other languages, see Decrypt.
Click Details on top of the table, and click Obtain Now in the Namespace Details dialog box to obtain the initialization parameters.
Note: You can directly obtain the configuration data with the AccessKey/SecretKey of the primary account. However, we recommend that you use the AccessKey/SecretKey of sub-accounts. If you use the AccessKey/SecretKey of sub-accounts, then you must grant the sub-account the AliyunACMFullAccess and AliyunKMSCryptoAccess permission. For more information, see Authorize a RAM account.