You can create a Resource Access Management (RAM) secret that is automatically rotated on a regular basis. Automatic rotation reduces the risk of RAM secret leaks. This topic describes how to create, delete, and restore a dynamic RAM secret in the Key Management Service (KMS) console.

Prerequisites

Create a dynamic RAM secret

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create a dynamic RAM secret.
  3. In the left-side navigation pane, click Secrets.
  4. Click Create Secret.
  5. In the Create Secret dialog box, configure the following parameters and click Next:
    • Select Type: Select Managed RAM secret.
    • Select RAM User: Select the RAM user for which you want to create a dynamic RAM secret. The selected RAM user must have at least one AccessKey pair.
    • Set secret value: Enter the AccessKey secret for the AccessKey ID that is displayed.
      Note: We recommend that you enter a valid AccessKey secret. If the AccessKey secret is invalid, you can obtain a new AccessKey ID and AccessKey secret after the dynamic RAM secret is rotated for the first time.
    • Secret Description: Enter the description of the dynamic RAM secret.
  6. In the Configuration rotation dialog box, select Turn on automatic rotation, configure the Rotation Period parameter, and then click Next.
    Note: If you do not want the dynamic RAM secret to be automatically rotated, select Turn off automatic rotation.
  7. In the Review and confirm dialog box, confirm the configurations of the secret and click OK.
  8. In the Created successfully message, click Close.
    You can also click View secret details to view the details of the secret that you created.

Delete a dynamic RAM secret

Before you delete a dynamic RAM secret, make sure that the dynamic RAM secret is no longer used.

You can schedule the deletion of a dynamic RAM secret or immediately delete a dynamic RAM secret. If you delete a dynamic RAM secret, the system does not delete the AccessKey pair of the RAM user that is associated with the secret.

  1. In the left-side navigation pane, click Secrets.
  2. Find the dynamic RAM secret that you want to delete and choose More > Plan Deletion Secret in the Actions column.
  3. In the Delete Secret dialog box, select a method to delete the secret and click OK.
    • If you select Plan Deletion Secret, you must configure the Delete In (7-30 days) parameter. Then, the system deletes the secret after the specified number of days.

      Before the system deletes the secret, you can restore the secret to cancel deletion. For more information, see Restore a dynamic RAM secret.

    • If you select Delete Secret Immediately, the system immediately deletes the secret.

Restore a dynamic RAM secret

If you schedule a dynamic RAM secret to be deleted, you can restore the secret to cancel deletion before the system deletes the secret. After the dynamic RAM secret is restored, it can be used as normal.

  1. In the left-side navigation pane, click Secrets.
  2. Find the dynamic RAM secret that you want to restore and choose More > Restore Secret in the Actions column.
  3. In the Restore Secret message, click OK.