All Products
Search
Document Center

Key Management Service:Sample code for getting a secret value

Last Updated:Mar 31, 2026

Use the Alibaba Cloud SDK to call GetSecretValue and retrieve a secret value through either a shared or dedicated gateway. The two gateways differ only in client initialization — the request and exception-handling code is identical.

Choose a gateway

Shared gatewayDedicated gateway
When to useGeneral workloads accessing KMS over the public network or VPCWorkloads requiring a dedicated KMS instance with enhanced isolation
Endpoint formatPublic network: kms.<REGION_ID>.aliyuncs.com / VPC: kms-vpc.<REGION_ID>.aliyuncs.com<KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
CA certificateNot requiredSDK V2.0: required / SDK V1.0: not supported — set HTTPSInsecure to true via client.SetHTTPSInsecure(true)

Prerequisites

Before you begin, make sure you have:

  • An Alibaba Cloud account with a secret created in KMS

  • ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET set as environment variables

Important

Storing AccessKey pairs in source code risks credential leakage. Use Security Token Service (STS) tokens for production workloads.

Get a secret value through a shared gateway

Complete example

package com.aliyun.sample;

import com.aliyun.tea.*;

public class Sample {

    /**
     * Use your AccessKey ID and AccessKey Secret to initialize the client.
     * @return Client
     * @throws Exception
     */
    public static com.aliyun.kms20160120.Client createClient() throws Exception {
        // If the project code is leaked, the AccessKey pair may be leaked and resources in your account become insecure. The following code is for reference only.
        // We recommend that you use Security Token Service (STS) tokens, which provide higher security. For more information about authentication methods, see https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials.
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                // Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable is configured in the code runtime environment.
                .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                // Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable is configured in the code runtime environment.
                .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // For more information about endpoints, see https://api.alibabacloud.com/product/Kms.
        config.endpoint = "kms.ap-southeast-1.aliyuncs.com";
        return new com.aliyun.kms20160120.Client(config);
    }

    public static void main(String[] args_) throws Exception {
        java.util.List<String> args = java.util.Arrays.asList(args_);
        com.aliyun.kms20160120.Client client = Sample.createClient();
        com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
                .setSecretName("test****");
        com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
        try {
            // If you copy and run the sample code, write your own code to display the response of the API operation if necessary.
            client.getSecretValueWithOptions(getSecretValueRequest, runtime);
        } catch (TeaException error) {
            // Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
            // Print error messages
            System.out.println(error.getMessage());
            // Provide the URL that is used for troubleshooting.
            System.out.println(error.getData().get("Recommend"));
            com.aliyun.teautil.Common.assertAsString(error.message);
        } catch (Exception _error) {
            TeaException error = new TeaException(_error.getMessage(), _error);
            // Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
            // Print error messages
            System.out.println(error.getMessage());
            // Provide the URL that is used for troubleshooting.
            System.out.println(error.getData().get("Recommend"));
            com.aliyun.teautil.Common.assertAsString(error.message);
        }
    }
}

Example analysis

Initialize the client

Set the endpoint to the shared gateway address for your region. The example uses the Singapore (ap-southeast-1) public network endpoint.

com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
        .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
        .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// For more information about endpoints, see https://api.alibabacloud.com/product/Kms.
config.endpoint = "kms.ap-southeast-1.aliyuncs.com";

Call GetSecretValue

Replace test**** with your actual SecretName.

com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
        .setSecretName("test****");
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
    client.getSecretValueWithOptions(getSecretValueRequest, runtime);
} catch (TeaException error) {
    System.out.println(error.getMessage());
    System.out.println(error.getData().get("Recommend"));
    com.aliyun.teautil.Common.assertAsString(error.message);
} catch (Exception _error) {
    TeaException error = new TeaException(_error.getMessage(), _error);
    System.out.println(error.getMessage());
    System.out.println(error.getData().get("Recommend"));
    com.aliyun.teautil.Common.assertAsString(error.message);
}
Note

The response contains the secret value and metadata. For the full list of response fields, see GetSecretValue.

Get a secret value through a dedicated gateway

Complete example

package com.aliyun.sample;

import com.aliyun.tea.*;

public class Sample {

    /**
     * Use your AccessKey ID and AccessKey Secret to initialize the client.
     * @return Client
     * @throws Exception
     */
    public static com.aliyun.kms20160120.Client createClient() throws Exception {
        // If the project code is leaked, the AccessKey pair may be leaked and resources in your account become insecure. The following code is for reference only.
        // We recommend that you use Security Token Service (STS) tokens, which provide higher security. For more information about authentication methods, see https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials.
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                // Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable is configured in the code runtime environment.
                .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                // Required. Make sure that the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable is configured in the code runtime environment.
                .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // Dedicated gateway endpoint
        config.endpoint = "kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com";
        // KMS instance CA certificate
        config.ca = "-----BEGIN CERTIFICATE-----MIIDuzCCAqOgAwIBAgIJALTKwWAjvbMiMA0GCS****";
        return new com.aliyun.kms20160120.Client(config);
    }

    public static void main(String[] args_) throws Exception {
        java.util.List<String> args = java.util.Arrays.asList(args_);
        com.aliyun.kms20160120.Client client = Sample.createClient();
        com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
                .setSecretName("test****");
        com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
        try {
            // If you copy and run the sample code, write your own code to display the response of the API operation if necessary.
            client.getSecretValueWithOptions(getSecretValueRequest, runtime);
        } catch (TeaException error) {
            // Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
            // Print error messages
            System.out.println(error.getMessage());
            // Provide the URL that is used for troubleshooting.
            System.out.println(error.getData().get("Recommend"));
            com.aliyun.teautil.Common.assertAsString(error.message);
        } catch (Exception _error) {
            TeaException error = new TeaException(_error.getMessage(), _error);
            // Handle exceptions with caution based on your actual business scenario and do not ignore exceptions in your project. The error messages displayed in this example are for reference only.
            // Print error messages
            System.out.println(error.getMessage());
            // Provide the URL that is used for troubleshooting.
            System.out.println(error.getData().get("Recommend"));
            com.aliyun.teautil.Common.assertAsString(error.message);
        }
    }
}

Example analysis

Initialize the client

The dedicated gateway requires two additional fields: the KMS instance endpoint and the CA certificate.

// Dedicated gateway endpoint
config.endpoint = "kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com";
// KMS instance CA certificate
config.ca = "-----BEGIN CERTIFICATE-----MIIDuzCCAqOgAwIBAgIJALTKwWAjvbMiMA0GCS****";

Replace kst-hzz65f176a0ogplgq**** with your KMS instance ID, and replace the CA certificate value with the CA certificate downloaded from your KMS instance.

Note

SDK V1.0 does not support CA certificates. Set HTTPSInsecure to true instead: client.SetHTTPSInsecure(true).

Call GetSecretValue

The request and exception-handling code is identical to the shared gateway example. Replace test**** with your actual SecretName.

com.aliyun.kms20160120.models.GetSecretValueRequest getSecretValueRequest = new com.aliyun.kms20160120.models.GetSecretValueRequest()
        .setSecretName("test****");
com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
try {
    client.getSecretValueWithOptions(getSecretValueRequest, runtime);
} catch (TeaException error) {
    System.out.println(error.getMessage());
    System.out.println(error.getData().get("Recommend"));
    com.aliyun.teautil.Common.assertAsString(error.message);
} catch (Exception _error) {
    TeaException error = new TeaException(_error.getMessage(), _error);
    System.out.println(error.getMessage());
    System.out.println(error.getData().get("Recommend"));
    com.aliyun.teautil.Common.assertAsString(error.message);
}