Use the Alibaba Cloud SDK to call GetSecretValue and retrieve a secret value through either a shared or dedicated gateway. The two gateways differ only in client initialization — the request and exception-handling code is identical.
Choose a gateway
| Shared gateway | Dedicated gateway | |
|---|---|---|
| When to use | General workloads accessing KMS over the public network or VPC | Workloads requiring a dedicated KMS instance with enhanced isolation |
| Endpoint format | Public network: kms.<REGION_ID>.aliyuncs.com / VPC: kms-vpc.<REGION_ID>.aliyuncs.com | <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com |
| CA certificate | Not required | SDK V2.0: required / SDK V1.0: not supported — set HTTPSInsecure to true via client.SetHTTPSInsecure(true) |
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with a secret created in KMS
ALIBABA_CLOUD_ACCESS_KEY_IDandALIBABA_CLOUD_ACCESS_KEY_SECRETset as environment variables
Storing AccessKey pairs in source code risks credential leakage. Use Security Token Service (STS) tokens for production workloads.
Get a secret value through a shared gateway
Complete example
package com.aliyun.sample;
import com.aliyun.tea.*;
public class Sample {
/**
* Use your AccessKey ID and AccessKey Secret to initialize the client.
* @return Client
* @throws Exception
*/
public static com.aliyun.kms20160120.Client createClient() throws Exception {
// If the project code is leaked, the AccessKey pair may be leaked and resources in your account become insecure. The following code is for reference only.
// We recommend that you use Security Token Service (STS) tokens, which provide higher security. For more information about authentication methods, see https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials.
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
// Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable is configured in the code runtime environment.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
// Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable is configured in the code runtime environment.
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// For more information about endpoints, see https://api.alibabacloud.com/product/Kms.
config.endpoint = "kms.ap-southeast-1.aliyuncs.com";
return new com.aliyun.kms20160120.Client(config);
}
public static void main(String[] args_) throws Exception {
java.util.List<String> args = java.util.Arrays.asList(args_);
com.aliyun.kms20160120.Client client = Sample.createClient();
com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
.setSecretName("test****");
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
// If you copy and run the sample code, write your own code to display the response of the API operation if necessary.
client.getSecretValueWithOptions(getSecretValueRequest, runtime);
} catch (TeaException error) {
// Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
// Print error messages
System.out.println(error.getMessage());
// Provide the URL that is used for troubleshooting.
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
} catch (Exception _error) {
TeaException error = new TeaException(_error.getMessage(), _error);
// Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
// Print error messages
System.out.println(error.getMessage());
// Provide the URL that is used for troubleshooting.
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
}
}
}Example analysis
Initialize the client
Set the endpoint to the shared gateway address for your region. The example uses the Singapore (ap-southeast-1) public network endpoint.
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// For more information about endpoints, see https://api.alibabacloud.com/product/Kms.
config.endpoint = "kms.ap-southeast-1.aliyuncs.com";Call GetSecretValue
Replace test**** with your actual SecretName.
com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
.setSecretName("test****");
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
client.getSecretValueWithOptions(getSecretValueRequest, runtime);
} catch (TeaException error) {
System.out.println(error.getMessage());
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
} catch (Exception _error) {
TeaException error = new TeaException(_error.getMessage(), _error);
System.out.println(error.getMessage());
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
}The response contains the secret value and metadata. For the full list of response fields, see GetSecretValue.
Get a secret value through a dedicated gateway
Complete example
package com.aliyun.sample;
import com.aliyun.tea.*;
public class Sample {
/**
* Use your AccessKey ID and AccessKey Secret to initialize the client.
* @return Client
* @throws Exception
*/
public static com.aliyun.kms20160120.Client createClient() throws Exception {
// If the project code is leaked, the AccessKey pair may be leaked and resources in your account become insecure. The following code is for reference only.
// We recommend that you use Security Token Service (STS) tokens, which provide higher security. For more information about authentication methods, see https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials.
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
// Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable is configured in the code runtime environment.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
// Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable is configured in the code runtime environment.
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// Dedicated gateway endpoint
config.endpoint = "kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com";
// KMS instance CA certificate
config.ca = "-----BEGIN CERTIFICATE-----MIIDuzCCAqOgAwIBAgIJALTKwWAjvbMiMA0GCS****";
return new com.aliyun.kms20160120.Client(config);
}
public static void main(String[] args_) throws Exception {
java.util.List<String> args = java.util.Arrays.asList(args_);
com.aliyun.kms20160120.Client client = Sample.createClient();
com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
.setSecretName("test****");
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
// If you copy and run the sample code, write your own code to display the response of the API operation if necessary.
client.getSecretValueWithOptions(getSecretValueRequest, runtime);
} catch (TeaException error) {
// Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
// Print error messages
System.out.println(error.getMessage());
// Provide the URL that is used for troubleshooting.
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
} catch (Exception _error) {
TeaException error = new TeaException(_error.getMessage(), _error);
// Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
// Print error messages
System.out.println(error.getMessage());
// Provide the URL that is used for troubleshooting.
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
}
}
}Example analysis
Initialize the client
The dedicated gateway requires two additional fields: the KMS instance endpoint and the CA certificate.
// Dedicated gateway endpoint
config.endpoint = "kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com";
// KMS instance CA certificate
config.ca = "-----BEGIN CERTIFICATE-----MIIDuzCCAqOgAwIBAgIJALTKwWAjvbMiMA0GCS****";Replace kst-hzz65f176a0ogplgq**** with your KMS instance ID, and replace the CA certificate value with the CA certificate downloaded from your KMS instance.
SDK V1.0 does not support CA certificates. Set HTTPSInsecure to true instead: client.SetHTTPSInsecure(true).
Call GetSecretValue
The request and exception-handling code is identical to the shared gateway example. Replace test**** with your actual SecretName.
com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
.setSecretName("test****");
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
client.getSecretValueWithOptions(getSecretValueRequest, runtime);
} catch (TeaException error) {
System.out.println(error.getMessage());
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
} catch (Exception _error) {
TeaException error = new TeaException(_error.getMessage(), _error);
System.out.println(error.getMessage());
System.out.println(error.getData().get("Recommend"));
com.aliyun.teautil.Common.assertAsString(error.message);
}