
Key Management Service:SDK references

Last Updated:Dec 15, 2023

This topic describes how to select a suitable SDK for an application after you purchase a Key Management Service (KMS) instance of the software key management type or the hardware key management type.

Alibaba Cloud SDK

An application can access KMS by using a KMS endpoint and call KMS API to perform management operations and retrieve secrets. The management operations include operations to manage resources such as keys, secrets, tags, and aliases.

Alibaba Cloud SDK supports various programming languages, including Java (Java 6 and later), PHP, Go, Python, .NET (C# only), C++, and Node.js.

Note

When you use Alibaba Cloud SDK to retrieve a secret in the production environment, we recommend that you implement business logic such as error retry and secret caching to avoid secret retrieval failures caused by network fluctuations. We recommend that you use a secret SDK.

KMS Instance SDK

An application can access KMS by using a KMS instance endpoint and call KMS Instance API to perform cryptographic operations and retrieve secrets.

KMS Instance SDK supports various programming languages, including Java (Java 8 and later), PHP, Go, Python, and .NET (C# only).

Note

When you use KMS Instance SDK to retrieve a secret in the production environment, we recommend that you implement business logic such as error retry and secret caching to avoid secret retrieval failures caused by network fluctuations. We recommend that you use a secret SDK.

Secret SDKs

Secret SDKs are exclusively designed for retrieving secrets.

Note

When you use secret SDKs to retrieve a secret in the production environment, we recommend that you implement business logic such as error retry and secret caching to avoid secret retrieval failures caused by network fluctuations.

You can use a secret client to retrieve secrets. The secret client is encapsulated on top of KMS API and KMS Instance API, and it caches and refreshes secrets within your application, which helps ensure high business stability. For specific business scenarios, KMS also provides a secret Java Database Connectivity (JDBC) client and a Resource Access Management (RAM) secret plug-in to retrieve secrets. Such a client or plug-in automatically retrieves secrets when it is created, which makes it easier for you to integrate an SDK into an application.
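The notes above recommend wrapping secret retrieval in error retry and caching. The following is an added example of that logic, not code from this topic or from the KMS SDKs: a TTL cache with exponential-backoff retry that keeps serving the last good value when a refresh fails. It assumes `fetch` wraps whichever SDK secret-retrieval call you use; `TransientError` and the flaky backend in `demo` are constructed stand-ins.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
class TransientError(Exception): pass  # constructed stand-in for a timeout/connection error

@dataclass
class SecretCache:
    fetch: Callable[[str], str]          # assumed wrapper around the SDK secret-value call
    ttl: float = 300.0                   # seconds a cached value counts as fresh
    retries: int = 3                     # attempts per retrieval, transient errors only
    sleep: Callable[[float], None] = time.sleep
    clock: Callable[[], float] = time.monotonic
    _store: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def _fetch_with_retry(self, name: str) -> str:
        for attempt in range(max(1, self.retries) - 1):  # all but the last attempt
            try:
                return self.fetch(name)
            except TransientError:                       # never retry auth/permission errors
                self.sleep(0.5 * 2 ** attempt)           # exponential backoff
        return self.fetch(name)                          # last attempt: let it raise

    def get(self, name: str) -> str:
        now = self.clock()
        cached = self._store.get(name)
        if cached is not None and now - cached[1] < self.ttl:
            return cached[0]                             # fresh: no network call
        try:
            value = self._fetch_with_retry(name)
        except TransientError:
            if cached is not None:                       # stale value beats an outage
                return cached[0]
            raise                                        # nothing cached: surface the error
        self._store[name] = (value, now)
        return value

def demo() -> dict:  # constructed scenario: backend fails twice, recovers, then stays down
    calls, now = {"n": 0}, {"t": 0.0}
    def flaky_fetch(name: str) -> str:
        calls["n"] += 1
        if calls["n"] <= 2 or calls["n"] >= 5:
            raise TransientError("timeout")
        return f"v{calls['n']}-of-{name}"
    cache = SecretCache(flaky_fetch, ttl=60, sleep=lambda _s: None, clock=lambda: now["t"])
    values = [cache.get("db-password"), cache.get("db-password")]  # retried, then cached
    now["t"] = 120.0                     # TTL expired: refresh succeeds on attempt 4
    values.append(cache.get("db-password"))
    now["t"] = 240.0                     # refresh fails 3 times: stale value served
    values.append(cache.get("db-password"))
    return {"values": values, "calls": calls["n"]}
```

Retry only the transient error class your SDK raises for network problems; a permission or authentication error should fail fast so a misconfigured role is noticed rather than masked by retries.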

The following types of secret SDKs are available:

  • Secret client: It supports all types of secrets. You can retrieve secrets by using a single line of code. The secret client supports Java (Java 8 or later), Go, and Python.

  • Secret JDBC client: If you connect to a database by using JDBC connections, connection pools such as c3p0 and DBCP (Database Connection Pool), or open source database frameworks, you can use this SDK to complete identity authentication and configure a custom secret refresh frequency. The secret JDBC client supports only Java (Java 8 or later).

  • RAM secret plug-in: When an application uses Alibaba Cloud SDK, you can use the RAM secret plug-in to retrieve secrets and complete identity authentication. In this case, the secrets refer to AccessKey pairs. The RAM secret plug-in supports Java (Java 8 or later), Go, and Python.

Endpoint description

KMS provides the following two types of endpoints:

  • KMS endpoint: the global address of KMS. You can use a KMS endpoint to establish a connection with KMS and call KMS API. You can access KMS over the Internet or an internal network. For more information about KMS endpoints, see Endpoints.

  • KMS instance endpoint: the address of a specific KMS instance. You can use a KMS instance endpoint to establish a connection with a KMS instance and call KMS Instance API. You can access a KMS instance only over an internal network.

    A KMS instance endpoint is in the {Instance ID}.cryptoservice.kms.aliyuncs.com format. To obtain the endpoint of a KMS instance, go to the Instances page, view the details of the instance, obtain the value of Instance VPC Endpoint, and then remove https:// from the value.

If you use a secret SDK to retrieve secrets, you can access KMS through either a KMS endpoint or a KMS instance endpoint. KMS instance endpoints provide the following advantages over KMS endpoints, so we recommend that you use KMS instance endpoints:

  • A client can directly communicate with a KMS instance. This reduces network latency.

  • A client can communicate with an instance only if the client is configured with the endpoint of the instance. This enhances security and control capabilities.

  • Higher queries per second (QPS) limits are supported. For more information, see Performance quotas.