Key Management Service: Create an AAP

Last Updated: Nov 07, 2023

You can use Terraform to create and manage application access points (AAPs). This topic describes how to create an AAP.


Before your self-managed applications perform cryptographic operations or retrieve secrets, the applications must use the client key of the required AAP to access your Key Management Service (KMS) instance. For more information about how to configure Terraform to manage AAPs, see alicloud_kms_application_access_point.


If you use keys in a KMS instance for server-side encryption in Alibaba Cloud services or call KMS SDK to use secrets, you do not need to create an AAP. If you want to call KMS Instance SDK to use a key or a secret in a KMS instance, you must create an AAP.


The Terraform version must be 0.14.0 or later. We recommend that you use the latest version. You can go to the Terraform official website to download the latest version.


A Resource Access Management (RAM) user is created, and the AliyunKMSFullAccess policy is attached to the RAM user. This prerequisite applies when you run Terraform as a RAM user. The AliyunKMSFullAccess policy grants permissions to manage KMS resources. For more information, see Grant permissions to RAM users.


  1. Create a working directory and a file named in the directory. This file is the main file of Terraform and defines the resources that you want to deploy.

     1. Create network access rules.

            resource "alicloud_kms_network_rule" "network_rule_example" {
              network_rule_name = "sample_network_rule"
              description       = "description_test_module"
              # Private IP ranges that are allowed to reach the KMS instance.
              source_private_ip = ["10.10.XX.XX/16", "192.168.XX.XX/8"]
            }

     2. Create permission policies.

            resource "alicloud_kms_policy" "policy_example" {
              policy_name     = "sample_policy"
              description     = "description_test_module"
              permissions     = ["RbacPermission/Template/CryptoServiceKeyUser", "RbacPermission/Template/CryptoServiceSecretUser"]
              resources       = ["key/*", "secret/*"]
              kms_instance_id = "kst-hzz634e67d126u9p9****"
              # The heredoc body is missing from this page. The JSON below is an
              # assumed reconstruction that binds the policy to the network rule
              # defined in the previous step.
              access_control_rules = <<EOF
              {"NetworkRules": ["${alicloud_kms_network_rule.network_rule_example.network_rule_name}"]}
              EOF
            }

     3. Create an AAP.

            resource "alicloud_kms_application_access_point" "application_access_point_example" {
              application_access_point_name = "sample_aap"
              policies                      = [alicloud_kms_policy.policy_example.policy_name]
              description                   = "aap_description"
            }

     4. Create a client key.

            resource "alicloud_kms_client_key" "client_key" {
              aap_name   = alicloud_kms_application_access_point.application_access_point_example.application_access_point_name
              password   = "Kwcn0B****"
              not_before = "2023-09-01T14:11:22Z"
              not_after  = "2032-09-01T14:11:22Z"
              // Specify the path of the local file that stores the client key.
              private_key_data_file = "./client_key.json"
            }

    • After the AAP is created, you must retrieve the client key from the local file path specified in private_key_data_file and store the client key in a secure location.

    • You can configure the password parameter by using sensitive inputs of Terraform.

  2. Run the terraform init command to initialize the runtime environment for Terraform.

  3. Run the terraform plan command to create an execution plan.

  4. Run the terraform apply command.
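
The note in step 1 about configuring the password through sensitive inputs, shown as an added example that is not part of the original documentation. It replaces the client key block from step 1 and still references the AAP resource defined there. The variable name `client_key_password` and the length check are assumptions made for illustration.

```hcl
# Added example: the variable name and the validation rule are assumptions.
# Sensitive variables require Terraform 0.14.0 or later, which matches the
# version requirement stated on this page.
variable "client_key_password" {
  description = "Password that protects the KMS client key file."
  type        = string
  sensitive   = true # Redacts the value in plan and apply output.

  validation {
    # Assumed local policy; adjust the minimum length to your own requirements.
    condition     = length(var.client_key_password) >= 8
    error_message = "The client key password must be at least 8 characters long."
  }
}

resource "alicloud_kms_client_key" "client_key" {
  aap_name = alicloud_kms_application_access_point.application_access_point_example.application_access_point_name

  # The password no longer appears in the configuration file. Supply it at
  # run time, for example through the TF_VAR_client_key_password environment
  # variable, so that it is never committed to version control.
  password = var.client_key_password

  not_before = "2023-09-01T14:11:22Z"
  not_after  = "2032-09-01T14:11:22Z"

  # The client key is written to this local path. Keep the file out of
  # version control and move it to a secure location after terraform apply.
  private_key_data_file = "./client_key.json"
}

# The sensitive flag only hides the value in CLI output. Terraform still
# records the password in the state file, so restrict access to the state
# backend and enable encryption at rest for it.
```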