You can create application access points (AAPs) to configure how secrets are used by applications.

Supported regions

China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Shenzhen), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), US (Virginia), China East 1 Finance, China East 2 Finance, China South 1 Finance, and China North 2 Ali Gov 1

Create an AAP

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create an AAP.
  3. In the left-side navigation pane, click Applications.
  4. Click Create Application Access Point.
  5. In the Create Application Access Point dialog box, configure the basic AAP information.
    1. Configure Name and Description.
      Note The name of the AAP must be unique in the selected region within your Alibaba Cloud account.
    2. In the Authentication Method section, configure the authentication method.
      Authentication method: RAMRole
      Description: If you bind a RAM role to the environment in which your application runs, you can use the RAMRole authentication method. Your application can run on an Elastic Compute Service (ECS) instance, a Container Service for Kubernetes (ACK) cluster, or Function Compute. You must configure the following parameters:
      • Delegated trust: KMS verifies the delegated trust rules of the RAM role to authenticate your application. You can configure this parameter to specify the type of the RAM role. Then, the system automatically configures the delegated trust rules based on the type of the RAM role.

        Valid values:

        • ECS Instance Role: If your application is deployed on an ECS instance, select this value.
        • ACK Worker Role: If your application is deployed in an ACK cluster, select this value.
        • Function Compute Role: If your application is deployed in Function Compute, select this value.
      • Role Name: You must enter the name of the RAM role.
      Example:
      • Delegated trust: ECS Instance Role
      • Role Name: ECSRole

      Authentication method: Client Key
      Description: You can use the ClientKey authentication method to associate a client key with the AAP. KMS uses a client key to authenticate your application.

      If you use this method, you must bind a client key to the AAP after you create the AAP. For more information, see Bind a client key to the AAP.

    3. Click Next.
  6. Create policies.
    1. Click the Plus icon to the right of Policies.
    2. In the RBAC Policy dialog box, configure the parameters and click Create. The following table describes the parameters.
      Parameter: Policy Name
      Description: The name of the policy.
      Example: RAMPolicy

      Parameter: Scope
      Description: The scope of the policy.
      Valid values:
      • Shared KMS: The policy applies to KMS.
      • ID of a dedicated KMS instance: The policy applies to the specified dedicated KMS instance.
      Example: Shared KMS

      Parameter: RBAC Permissions
      Description: The permission management template. The template specifies an operation that can be performed on specific resources.
      Valid values:
      • SecretUser: performs secret-related operations on KMS. You can call the GetSecretValue operation.
      • CryptoServiceKeyUser: performs cryptographic operations on a dedicated KMS instance.

      Parameter: Accessible Resources
      Description: The resources on which the policy takes effect. You can use one of the following methods to configure resources:
      • Method 1: In the Secret: Resources section, select existing resources and click the Left icon.
      • Method 2: In the Secret: Selected Resources section, click the Plus icon, specify resources, and then click Add.
        Note You can use the asterisk (*) wildcard as a suffix.

      Parameter: Network Access Rules
      Description: The network type and IP address that are allowed to access KMS based on the policy.

      In the Rules section, select existing rules or perform the following steps to create a rule.

      1. Click the Plus icon.
      2. In the Create Network Access Rule dialog box, configure the following parameters:
        • Name: Specify the name of the network access rule.
        • Network Type: Select the type of the network that you want to use to access KMS.

          Valid values:

          • Public: If your application accesses the public endpoint of KMS over the Internet, select this value.
          • VPC: If your application accesses the internal endpoint of KMS over a virtual private cloud (VPC), select this value.
          • Private: If your application accesses Dedicated KMS over a VPC, select this value.
        • Description: Enter a description about the network access rule.
        • Allowed IP addresses: Enter the IP addresses that are allowed to access KMS.

          Valid values:

          • If you set Network Type to Public, enter public IP addresses.
          • If you set Network Type to VPC, enter the ID of a VPC and the IP addresses or CIDR blocks of the VPC.
          • If you set Network Type to Private, enter private IP addresses or CIDR blocks.
          Note Separate multiple IP addresses with commas (,).
      3. Click Create.
      4. Select the new rule and click the Left icon.
      Example:
      • Name: Network.
      • Network Type: VPC.
      • Description: Access the specified VPC.
      • VPC ID: vpc-bp1drih00fwsrgz2p****.
      • Source IP Address:
    3. Select the new policy and click the Left icon.
    4. Click Next.
  7. Confirm the AAP information and click Create.
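
The policy fields configured in step 6 can be reviewed for least privilege before you click Create. The following Python check is an added example, not part of the KMS console or SDK: the dictionary layout, the function names and the sample values other than RAMPolicy, Network and the VPC ID are assumptions made for illustration, and "private" is taken to mean the RFC 1918 ranges.

```python
import ipaddress

# Assumption: "private" below means the RFC 1918 IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def lint_policy(policy):
    """Return findings for one policy; an empty list means nothing flagged."""
    findings = []
    for res in policy["resources"]:
        if res == "*":
            findings.append("resource '*' covers every secret")
        elif "*" in res[:-1]:
            findings.append(f"resource {res!r}: '*' is only a suffix wildcard")
    for rule in policy["network_rules"]:
        ntype, name = rule["network_type"], rule["name"]
        if ntype == "VPC" and not rule.get("vpc_id"):
            findings.append(f"rule {name!r}: VPC rule has no VPC ID")
        # The console takes several addresses separated by commas.
        for item in filter(None, (s.strip() for s in rule["allowed_ips"].split(","))):
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                findings.append(f"rule {name!r}: {item!r} is not an IP or CIDR")
                continue
            if net.prefixlen == 0:
                findings.append(f"rule {name!r}: {item} allows any source")
            elif ntype == "Public" and is_rfc1918(net):
                findings.append(f"rule {name!r}: {item} is private in a Public rule")
            elif ntype == "Private" and not is_rfc1918(net):
                findings.append(f"rule {name!r}: {item} is not private in a Private rule")
    return findings


# Constructed samples; only RAMPolicy, Network and the VPC ID come from the page.
TIGHT = {"name": "RAMPolicy", "resources": ["app1/db-*"],
         "network_rules": [{"name": "Network", "network_type": "VPC",
                            "vpc_id": "vpc-bp1drih00fwsrgz2p****",
                            "allowed_ips": "10.0.1.0/24, 10.0.2.15"}]}
LOOSE = {"name": "wide", "resources": ["*", "prod*db"],
         "network_rules": [{"name": "any", "network_type": "Public",
                            "allowed_ips": "0.0.0.0/0, 192.168.1.5, not-an-ip"}]}
```

lint_policy(TIGHT) returns an empty list, while lint_policy(LOOSE) returns one finding for each of its two resources and three addresses.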

Bind a client key to the AAP

After you create a client key-based AAP, you must bind a client key to the AAP. The client key is used to identify the AAP.

  1. Click the name of the AAP.
  2. In the Client Key section, click Create Client Key.
  3. In the Create Client Key dialog box, configure the following parameters.
    Parameter: Encryption Password
    Description: The password that is used to decrypt the private key file of the client key when the client key is used to access KMS. Keep the password confidential.
    Example: Test****

    Parameter: Validity Period
    Description: The validity period of the client key.
    Example: April 3, 2022 - March 4, 2027
  4. Click OK.
  5. In the Created dialog box, obtain the values of Password and Client Key.
    • Password: Click Copy to the right of Decryption Password to obtain the password.
    • Client Key: Click Download Client Key to obtain the information about the client key.

      The information about the client key consists of KeyId and PrivateKeyData. Example:

        {
          "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
          "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
        }
      Note KMS does not save the private key of the client key. The private key is stored in an encrypted PKCS #12 file. You can obtain the file only when you create the client key. Keep the file confidential.
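
Because the client key file can be downloaded only once, it is worth checking the saved copy before you close the dialog box. The following Python check is an added example, not KMS tooling: it assumes POSIX file permissions, takes the KAAP. prefix from the example above, and only inspects the outer DER header of the PKCS #12 data (a SEQUENCE that starts with version INTEGER 3) without decrypting it. The function names and the stub data are constructed for illustration.

```python
import base64
import json
import os
import stat


def sample_pfx_stub(total=300):
    """Constructed bytes with a PFX-shaped DER header; not a real key."""
    body = b"\x02\x01\x03" + bytes(total - 7)
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


def check_client_key(path):
    """Return findings for a client key file; an empty list means nothing flagged."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # assumes POSIX permissions
        findings.append(f"mode {mode:o} lets group or other users access the key")
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    # The KAAP. prefix is taken from the example on this page.
    if not str(doc.get("KeyId", "")).startswith("KAAP."):
        findings.append("KeyId is missing or lacks the KAAP. prefix")
    try:
        der = base64.b64decode(doc.get("PrivateKeyData", ""), validate=True)
    except ValueError:
        return findings + ["PrivateKeyData is not valid base64"]
    if len(der) < 4 or der[0] != 0x30:
        return findings + ["PrivateKeyData is not a DER SEQUENCE"]
    # Decode the DER length: short form, or long form with n length bytes.
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        findings.append("declared DER length differs from data size (truncated copy?)")
    # A PKCS #12 PFX starts with version INTEGER 3.
    if der[hdr:hdr + 3] != b"\x02\x01\x03":
        findings.append("first element is not PKCS #12 version 3")
    return findings
```

Call check_client_key with the path of the downloaded file; store the decryption password separately from that file.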