Key Management Service:Initialize client

Last Updated:Mar 20, 2025

To initiate an API request using the Key Management Service (KMS) instance SDK, you must first initialize the Go client. This topic describes the steps to do so.

Procedure

  1. Create a client object.

    To instantiate a KMS SDK client object, use either the ClientKey content or the ClientKey file path. Select the method that meets your needs.

    import (
        dedicatedkmsopenapi "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi"
        dedicatedkmssdk "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/sdk"
        "github.com/alibabacloud-go/tea/tea"
    )

    // Use the ClientKey content to create a KMS instance SDK client object.
    func getDkmsClientByClientKeyContent() *dedicatedkmssdk.Client {
        // Create the KMS instance SDK client configuration.
        config := &dedicatedkmsopenapi.Config{
            // Set the connection protocol to "https". The KMS instance service only allows access through HTTPS.
            Protocol: tea.String("https"),
            // Replace with the content of the ClientKey file.
            ClientKeyContent: tea.String("<CLIENT_KEY_CONTENT>"),
            // Replace with the encryption password entered when creating the ClientKey.
            Password: tea.String("<CLIENT_KEY_PASSWORD>"),
            // Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
            Endpoint: tea.String("<ENDPOINT>"),
        }
        // Create the KMS instance SDK client object.
        client, err := dedicatedkmssdk.NewClient(config)
        if err != nil {
            // Handle the error.
            panic(err)
        }
        return client
    }

    // Use the ClientKey file path to create a KMS instance SDK client object.
    func getDkmsClientByClientKeyFile() *dedicatedkmssdk.Client {
        // Create the KMS instance SDK client configuration.
        config := &dedicatedkmsopenapi.Config{
            // Set the connection protocol to "https". The KMS instance service only allows access through HTTPS.
            Protocol: tea.String("https"),
            // Replace with the path of the ClientKey file.
            ClientKeyFile: tea.String("<CLIENT_KEY_FILE>"),
            // Replace with the encryption password entered when creating the ClientKey.
            Password: tea.String("<CLIENT_KEY_PASSWORD>"),
            // Set the endpoint to <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
            Endpoint: tea.String("<ENDPOINT>"),
        }
        // Create the KMS instance SDK client object.
        client, err := dedicatedkmssdk.NewClient(config)
        if err != nil {
            // Handle the error.
            panic(err)
        }
        return client
    }
  2. Configure the CA certificate for the KMS instance by setting runtime parameters (RuntimeOptions).

    Important

    Configuring the instance CA certificate lets the client verify the authenticity of the KMS instance's SSL/TLS certificate, which is essential for securing communication in a production environment. We recommend keeping this security measure enabled at all times. If you must disable SSL/TLS certificate verification, such as for offline testing, you can do so by setting the IgnoreSSL field in the RuntimeOptions parameter to true.

    Read the CA certificate file of the KMS instance and assign its content to the Verify field in RuntimeOptions. Below is a code example:

    import (
        dedicatedkmsopenapiutil "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi-util"
        "github.com/alibabacloud-go/tea/tea"
        "os"
    )

    // Build runtime options that verify the server certificate against the KMS instance CA.
    func getRuntimeOptions() *dedicatedkmsopenapiutil.RuntimeOptions {
        // Replace with the path of the downloaded instance CA certificate (PrivateKmsCA_kst-******.pem).
        ca, err := os.ReadFile("path/to/caCert.pem")
        if err != nil {
            // Handle the error.
            panic(err)
        }
        return &dedicatedkmsopenapiutil.RuntimeOptions{
            // The PEM content of the instance CA certificate. Leave IgnoreSSL unset (false) outside offline testing.
            Verify: tea.String(string(ca)),
        }
    }
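As an added example (not part of this page or of the KMS SDK), a standard-library-only helper that sanity-checks the downloaded instance CA file before its content is assigned to Verify, and that checks the endpoint string against the documented <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com form. The function names and the instance ID character set in the regular expression are assumptions; the self-signed certificate is constructed test input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)
// Documented endpoint form <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com; the ID charset is assumed.
var endpointRe = regexp.MustCompile(`^[a-z0-9-]+\.cryptoservice\.kms\.aliyuncs\.com$`)

// ValidateEndpoint rejects values that are not a KMS instance gateway domain.
func ValidateEndpoint(endpoint string) error {
	if !endpointRe.MatchString(endpoint) {
		return fmt.Errorf("endpoint %q is not <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com", endpoint)
	}
	return nil
}

// LoadInstanceCA checks that the downloaded PrivateKmsCA_*.pem holds one valid, unexpired CA
// certificate and returns it as the string to assign to RuntimeOptions.Verify.
func LoadInstanceCA(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("CA file does not start with a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("CA file is not an X.509 certificate: %w", err)
	}
	if !cert.IsCA || time.Now().After(cert.NotAfter) {
		return "", errors.New("certificate is not a currently valid CA")
	}
	return string(pem.EncodeToMemory(block)), nil
}

// ConstructedCertPEM makes a throwaway self-signed certificate (constructed test input, not an
// Alibaba Cloud CA) so the checks above can run offline; isCA=false yields a non-CA leaf.
func ConstructedCertPEM(isCA bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Failing fast at startup on a wrong, truncated or expired CA file is preferable to discovering the problem only when the first API call fails its TLS handshake.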

Parameter description

Endpoint

The Endpoint is the dedicated gateway endpoint of the KMS instance, that is, the domain name of the instance.

  1. Navigate to the Instances page, click on either the Software Key Management or Hardware Key Management tab, then click the KMS instance you want.

  2. In the Basic Information section, find the endpoint in the Instance VPC Endpoint field.

ClientKeyFile

The ClientKeyFile is the path of the file in which the application's identity credentials (the ClientKey) are stored. When you create a ClientKey, the browser automatically downloads the file, typically with a default filename like clientKey_****.json.

Password

The Password is the security token that protects the ClientKey. Like the ClientKey file, it is automatically downloaded by the browser when the ClientKey is created, with a default filename such as clientKey_****_Password.txt.

Verify

The Verify field takes the CA certificate that is associated with the KMS instance.

  1. On the Instances page, select either Software Key Management or Hardware Key Management tab, then choose the target instance.

  2. Click the instance ID or Details in the Actions column. On the details page, click download next to the Instance CA Certificate.

    Save the certificate securely. The downloaded file will be named PrivateKmsCA_kst-******.pem by default.