You can create a dynamic Elastic Compute Service (ECS) secret and manually rotate the ECS secret to reduce the risk of ECS secret leaks. Secrets Manager can also automatically rotate the ECS secret on a regular basis. This topic describes how to create, rotate, delete, and restore a dynamic ECS secret in the Key Management Service (KMS) console.


  • An ECS instance is created. For more information, see Create an ECS instance.
  • An Alibaba Cloud account or a RAM user or RAM role that has permissions to manage dynamic ECS secrets is obtained.

    If you use a RAM user or RAM role to manage secrets, you must attach the system policy AliyunKMSSecretAdminAccess to the RAM user or the RAM role. This policy grants the following permissions:

    • The permissions to use the features of Secrets Manager.
    • The permissions to query ECS instances.
    • The permission to create the service-linked role that can create dynamic ECS secrets.

    For more information, see Grant permissions to a RAM user and Grant permissions to a RAM role.

Create a dynamic ECS Secret

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create a secret.
    Note The region of the secret must be the same as the region of the ECS instance for which you want to create the secret.
  3. In the left-side navigation pane, click Secrets.
  4. Click Create Secret.
  5. In the Create Secret dialog box, configure the following parameters and click Next:
    • Select Type: Select Managed ECS secret.
    • Secret name: Specify the name of the secret.
    • Managed instance: Select an existing ECS instance within your Alibaba Cloud account.
    • Managed User: Enter the name of an existing user on the ECS instance, such as root for the Linux operating system or Administrator for the Windows operating system.
    • Initial secret value: Select Password or Key pair and enter the initial value.
      Note If the initial value is invalid, you can obtain the valid password or AccessKey pair after the ECS secret is rotated for the first time.
    • Secret Description: Enter the description of the ECS secret.
  6. In the Configuration rotation dialog box, select Turn on automatic rotation, configure the Rotation Period parameter, and then click Next.
    Note If you do not want the ECS secret to be automatically rotated, select Turn off automatic rotation.
  7. In the Review and confirm dialog box, confirm the configurations of the secret and click OK.
    After the secret is created, you can view the secret in the secret list. The Secret Type parameter of the secret is Managed ECS secret.

Rotate a dynamic ECS secret

If a dynamic ECS secret is leaked, you can immediately rotate the ECS secret in the KMS console to eliminate intrusion risks.

  1. Click the name of the ECS secret that you want to rotate. On the secret details page, click Rotate Immediately in the upper-right corner.
  2. In the Prompt dialog box, turn on or off Use Custom Secret.
    • If you turn on the switch, you must specify a new secret value.
    • If you turn off the switch, KMS automatically creates a 32-character random password or a RSA-2048 public-private key pair.
  3. Click Confirm rotation.
  4. In the Rotation triggered message, click Close.

Delete a dynamic ECS secret

Before you delete a dynamic ECS secret, make sure that the ECS secret is no longer used.

You can schedule the deletion of a dynamic ECS secret or immediately delete a dynamic ECS secret. If you delete a dynamic ECS secret, the passwords and public-private key pairs that are configured on the ECS instance are not affected.

  1. Find the dynamic ECS secret that you want to delete and choose More > Plan Deletion Secret in the Actions column.
  2. In the Delete Secret dialog box, select a method to delete the secret and click OK.
    • If you select Plan Deletion Secret, you must configure the Delete In (7-30 days) parameter. Then, the system deletes the secret after the specified number of days.

      Before the system deletes the secret, you can restore the secret to cancel deletion. For more information, see Restore a dynamic ECS secret.

    • If you select Delete Secret Immediately, the system immediately deletes the secret.

Restore a dynamic ECS secret

If you schedule a dynamic ApsaraDB RDS secret to be deleted, you can restore the secret to cancel deletion before the system deletes the secret. After the dynamic ECS secret is restored, it can be used as normal.

  1. Find the dynamic ECS secret that you want to restore and choose More > Restore Secret in the Actions column.
  2. In the Restore Secret message, click OK.