When you integrate Key Management Service (KMS) instance SDK, KMS uses application access points (AAPs) for identity authentication and access control. An AAP contains permission policy and credentials. The credentials (client key) are used to authenticate the identities and behavior of users that access KMS resources. This topic describes how to create client keys.
Notes
We recommend creating an AAP for each application to maintain distinct access permissions.
Client keys are valid for five years by default, which we recommend changing to a shorter time, such as one year. Remember to replace your client key before it expires to ensure continuous KMS access. For instructions, see Replace ClientKey.
Create a client key
You can create a client key using either the quick or standard method. Quick creation is efficient, ideal for rapid testing and development, and grants full access to KMS instance resources. For more granular control over resource access, we recommend using standard creation method.
Quick Creation
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
On the Application Access tab, click Create AAP. In the Create AAP panel, configure the parameters.
Parameter
Description
Mode
Select Quick Creation.
Scope (KMS Instance)
Select the KMS instance that you want to access.
Application Access Point Name
Enter the name of the AAP.
Authentication Method
The default value is ClientKey, which cannot be changed.
Default Permission Policy
The default value is
key/*secret/*, which cannot be changed. Your application can access all keys and secrets in the specified KMS instance.Click OK. The browser automatically downloads the client key that is created.
The client key contains Application Access Secret(ClientKeyContent) and Password. By default, Application Access Secret(ClientKeyContent) is saved in a file whose name is in the
clientKey_****.jsonformat. By default, Password is saved in a file whose name is in theclientKey_****_Password.txtformat.
Standard Creation
Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose .
If you want to control access based on source IP addresses, create a network access rule.
NoteFor enhanced security, we recommend setting up network access rules.
Click Network Access Rules tab and then Create Network Access Rule.
Configure the parameters on the Create Network Access Rule panel and click OK.
Parameter
Description
Rule Name
The name of the network access rule.
Network Type
Select Private.
Allowed Source IP Addresses
The IP addresses from which access to your KMS instance is allowed. Specify the value based on the network type of your application server. If you use a proxy server, enter its IP address.
Description
Enter a description for the network access rule.
Create a permission policy.
Click Policies tab and then Create Policy.
Configure the parameters on the Create Permission Policy panel and click OK.
Parameter
Description
Policy Name
Specify the name of a custom permission policy.
Scope
Select your KMS instance.
RBAC Permissions
CryptoServiceKeyUser: allows for the use of keys in the KMS instance.
CryptoServiceSecretUser: allows for the use of secrets in the KMS instance.
Accessible Resources
The keys and secrets that your application needs to access.
ImportantIf you select multiple secrets and the total length of the secret names exceeds the limit, an "Invalid Parameter" error will be reported. In this case, use a wildcard character to configure the allowed secrets.
For example, configure as
secret/rds-ibm*, which means that secrets with the prefixrds-ibmare allowed.Network Access Rules
Select the network access rule that you created.
NoteOptional. For security purposes, we recommend setting up network access rules.
Description
Enter a description for the permission policy.
Create an AAP.
Click Application Access tab and then Create AAP.
Configure the parameters on the Create AAP panel.
Parameter
Description
Mode
Select Standard Creation.
Application Access Point Name
Enter the name of the AAP.
Authentication Method
Select ClientKey.
Encryption Password
Enter the password for your client key. It must be 8 to 64 characters in length, and include at least two of the following: numbers, uppercase or lowercase English letters, and special characters ~!@#$%^&*?_-.
Validity Period
Specify the validity period of your client key.
ImportantWe recommend that you set the value to one year to reduce the risk of client key leaks. To ensure access to KMS, you must change your client key before the expiration date of the client key. For specific operations, see Replace ClientKey.
Policies
Select the permission policy that you created.
Description
Enter a description for the AAP.
Click OK.
The browser automatically downloads the client key that is created.
The client key contains Application Access Secret(ClientKeyContent) and Password. By default, the Application Access Secret(ClientKeyContent) is stored in a JSON file named
clientKey_****.json, and the Password is stored in a text file namedclientKey_****_Password.txt.
Information to save
When integrating the SDK, ensure you configure and securely store the following details:
ClientKey
This file contains the application identity credentials. It will be automatically downloaded after creation, with the default file name clientKey_****.json.
ClientKey Password
This file will also be downloaded automatically, with the default file name clientKey_****_Password.txt.
KMS Instance CA Certificate
On the Instances page, locate the Instance CA Certificate field and click Download.
In the Instance CA Certificate dialog box, select the instance ID, click Download, and store it securely.
The default filename for the downloaded CA certificate is PrivateKmsCA_kst-******.pem.
KMS Instance Domain Name Address
Navigate to the Instances page, click on either the Software Key Management or Hardware Key Management tab, then click the KMS instance you want.
In the Basic Information section, find the endpoint in the Instance VPC Endpoint field.
