After you store a RAM user's AccessKey in Key Management Service (KMS) as a RAM secret, install the RAM secret plug-in to let any Alibaba Cloud SDK retrieve and rotate that AccessKey automatically. Your application references only the secret name — the plug-in handles cache management, credential refresh, and retry on failure, so you never hard-code or manually rotate credentials.
How it works
The plug-in fetches the RAM secret value from KMS by secret name and caches it in application memory. All outbound SDK calls use the AccessKey from that local cache.
When KMS rotates the secret, the cached AccessKey eventually becomes invalid. The plug-in detects this by watching for InvalidAccessKeyId or InvalidAccessKeyId.NotFound error codes in the API response, immediately fetches the new secret, updates the cache, and retries the failed call based on your configured retry behavior.
Credential refresh behavior by language:
| Language | Refresh trigger | Scheduled refresh interval |
|---|---|---|
| Java | InvalidAccessKeyId or InvalidAccessKeyId.NotFound error | — |
| Python | InvalidAccessKeyId or InvalidAccessKeyId.NotFound error | — |
| Go | Scheduled only — no automatic retry on InvalidAccessKeyId | Every 6 hours |
The Go RAM secret plug-in does not support automatic retry on InvalidAccessKeyId. Its scheduled refresh runs every 6 hours. See Go-specific behavior for workarounds.Supported SDKs
The RAM secret plug-in targets specific Alibaba Cloud SDKs. If none of the plug-ins listed below fits your use case, use the secrets client or a standard Alibaba Cloud SDK. See the SDK reference for the full list.
Java (Java 8 and later)
Python
| SDK | Plug-in module | Notes |
|---|---|---|
| Alibaba Cloud SDK for Python (V1.0) | aliyun-openapi-python-sdk-managed-credentials-provider | V1.0 only. For V2.0, use the secrets client or the Alibaba Cloud SDK. |
| OSS Python SDK | aliyun-oss-python-sdk-managed-credentials-provider | — |
Go
| SDK | Plug-in module | Notes |
|---|---|---|
| Alibaba Cloud SDK for Go (V1.0) | alibaba-cloud-sdk-go-managed-credentials-provider | V1.0 only. For V2.0, use the secrets client or the Alibaba Cloud SDK. |
| OSS Go SDK | aliyun-oss-go-sdk-managed-credentials-provider | — |
Prerequisites
Before you begin, make sure you have:
A RAM user whose AccessKey is managed in KMS as a RAM secret
An Alibaba Cloud SDK listed in Supported SDKs
Step 1: Create an access credential
Choose the access scenario that matches your network setup.
Scenario 1: Shared gateway (public or VPC endpoint)
Use this scenario if your application connects to KMS through a public endpoint or a VPC endpoint. Two credential types are supported: an ECS instance RAM role and a ClientKey.
ECS instance RAM role
An ECS instance RAM role grants the ECS instance temporary Security Token Service (STS) credentials, so your application can call KMS APIs without a static AccessKey.
Log on to the RAM console and create a RAM role with a trusted entity of type Elastic Compute Service.
Trusted Entity Type: Elastic Compute Service
Principal: Elastic Compute Service (ECS)
Grant the RAM role permission to access KMS. Two methods are available:
Method 1: Identity-based policy — Attach a built-in KMS system policy directly to the role. For more information, see System permission policies for Key Management Service. You can also create a custom policy.
Method 2: Resource-based policy — Configure access permissions at the individual key or secret level. For more information, see Key policies and Secret policies.
Log on to the ECS Management Console and attach the RAM role to the ECS instance.
For detailed instructions, see Instance RAM roles.
ClientKey
Create a ClientKey using the standard method described in Create an application access point.
When configuring the application access point (AAP):
Set Network Type to Public or VPC.
Set the permission rule scope to Shared KMS Gateway.
Scenario 2: Dedicated gateway (not recommended)
Use this scenario only if your application accesses KMS through a private network dedicated gateway. Only a ClientKey is supported.
Create a ClientKey using one of the following methods. For background information on ClientKeys and AAPs, see Overview of application access points.
Method 1: Quick creation
Quick creation is suitable for testing and development. The ClientKey grants access to all resources in the selected KMS instance.
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose Application Access > Multi-Cloud Access (formerly AAP).
On the Application Access tab, click Create AAP and configure the following parameters in the Create AAP panel.
Parameter Description Mode Select Quick Creation. Scope (KMS Instance) Select the KMS instance your application needs to access. Application Access Point Name Enter a name for the AAP. Authentication Method Defaults to ClientKey and cannot be changed. Default Permission Policy Defaults to key/*andsecret/*, which grants access to all keys and secrets in the KMS instance. Cannot be changed.Click OK. Your browser automatically downloads the ClientKey files:
Credential (ClientKeyContent):
clientKey_****.jsonPassword (ClientKeyPassword):
clientKey_****_Password.txt
ImportantThe ClientKey file and password are paired and can only be downloaded at creation time. If you did not save them, create a new ClientKey.
Method 2: Standard creation
Standard creation lets you configure fine-grained access permissions. Follow the instructions in Create an application access point.
When configuring the AAP:
Set Network Type to Private.
Set the permission rule scope to the corresponding KMS instance ID.
Step 2: Configure runtime parameters
The plug-in reads its configuration from a file named managed_credentials_providers.properties in your application's runtime directory. Create the file with the content shown below for your credential type.
If your application cannot automatically locate the default configuration file, specify the file path in code. See the SDK examples for details.
ECS instance RAM role
credentials_type=ecs_ram_role
## The name of the ECS RAM role.
credentials_role_name=#credentials_role_name#
## The region of the associated KMS service.
cache_client_region_id=[{"regionId":"#regionId#"}]ClientKey (shared gateway)
## The type of the access credential.
credentials_type=client_key
## The password for the ClientKey.
## Provide one of the following — read from an environment variable or from a file.
client_key_password_from_env_variable=#your_client_key_private_key_password_environment_variable_name#
client_key_password_from_file_path=#your_client_key_private_key_password_file_path#
## The path to the ClientKey file (clientKey_******.json).
client_key_private_key_path=#your_client_key_private_key_file_path#
## The region of the associated KMS service.
cache_client_region_id=[{"regionId":"#regionId#"}]ClientKey (dedicated gateway)
Use the cache_client_dkms_config_info parameter, which accepts a JSON array. Listing multiple KMS instances improves availability and supports disaster recovery.
Method 1: Read the ClientKey password from an environment variable
cache_client_dkms_config_info=[{"regionId":"<your dkms regionId >","endpoint":"<your dkms endpoint>","passwordFromEnvVariable":"<YOUR_PASSWORD_ENV_VARIABLE>","clientKeyFile":"<your ClientKey file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]Example:
cache_client_dkms_config_info=[{"regionId":"cn-hangzhou","endpoint":"kst-hzz634e67d126u9p9****.cryptoservice.kms.aliyuncs.com","passwordFromEnvVariable":"passwordFromEnvVariable","clientKeyFile":"C:\RamSecretPlugin\src\main\resources\clientKey_KAAP.json","ignoreSslCerts":false,"caFilePath":"C:\RamSecretPlugin\src\main\resources\PrivateKmsCA_kst-hzz634e67d126u9p9****.pem"}]Method 2: Read the ClientKey password from a file
The default password filename is clientKey_****_Password.txt. If you renamed the file, update the path accordingly.
cache_client_dkms_config_info=[{"regionId":"<your dkms regionId >","endpoint":"<your dkms endpoint>","passwordFromFilePath":"< your password file path >","clientKeyFile":"<your Client Key file path>","ignoreSslCerts":false,"caFilePath":"<your CA certificate file path>"}]Example:
cache_client_dkms_config_info=[{"regionId":"cn-hangzhou","endpoint":"kst-hzz634e67d126u9p9****.cryptoservice.kms.aliyuncs.com","passwordFromFilePath":"C:\RamSecretPlugin\src\main\resources\clientKeyPassword.txt","clientKeyFile":"C:\RamSecretPlugin\src\main\resources\clientKey_KAAP.json","ignoreSslCerts":false,"caFilePath":"C:\RamSecretPlugin\src\main\resources\PrivateKmsCA_kst-hzz634e67d126u9p9****.pem"}]Configuration parameters
| Parameter | Description |
|---|---|
regionId | Region ID of the KMS instance. See Regions and zones. |
endpoint | Domain name of the KMS instance in the format {instance ID}.kms.aliyuncs.com. Find it on the Instances page under Instance VPC Endpoint. |
clientKeyFile | Absolute or relative path to the ClientKey JSON file (clientKey_******.json). |
passwordFromFilePath | Path to the file containing the ClientKeyPassword (clientKey_****_Password.txt by default). |
passwordFromEnvVariable | Name of the environment variable that contains the ClientKeyPassword. |
ignoreSslCerts | Whether to skip SSL certificate validation. Set to false in production. When true, caFilePath is not required. |
caFilePath | Absolute or relative path to the KMS instance CA certificate file. Download it from the Instances page under Instance CA Certificate > Download. |
The ClientKey file and its password have a one-to-one correspondence. Both are available only at ClientKey creation time. If you did not save them, create a new ClientKey in the AAP. See Create an application access point.
Step 3: Use the RAM secret plug-in
All examples follow the same pattern: create a proxy client using the secret name, then call cloud service APIs as normal. The plug-in manages credential retrieval and refresh transparently.
Java
Alibaba Cloud SDK for Java (V2.0)
Java 9+ compatibility
Installation
Add the plug-in to your pom.xml. Install the latest version — see the source repository for the current release.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-tea-openapi-sdk-managed-credentials-provider</artifactId>
<version>[1.3.5,]</version>
</dependency>Usage example: call ECS DescribeInstances
Add the ECS SDK dependency:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>ecs20140526</artifactId>
<version>7.1.0</version>
</dependency>Then create a proxy client and call the API:
import com.aliyun.ecs20140526.Client;
import com.aliyun.ecs20140526.models.DescribeInstancesResponse;
import com.aliyun.kms.secretsmanager.plugin.tea.openapi.ProxyClientCreator;
import com.google.gson.Gson;
public class AliyunTeaOpenApiProviderSample {
public static void main(String[] args) throws Exception {
// The name of the RAM secret you created in KMS.
String secretName = "your-secret-name";
/*
If the application cannot read the default configuration file
(managed_credentials_providers.properties) from the classpath or the
executable JAR file, or if you need a custom file name, uncomment the
following line. The file is resolved in this order:
1. If "your-config-name" is an absolute path, that file is read.
2. If "your-config-name" is a filename only, the classpath is checked
first, then the executable JAR file.
*/
//ConfigLoader.setConfigName("your-config-name");
// Configure the OpenAPI client endpoint.
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config();
config.endpoint = "your-product-endpoint"; // Replace with the actual service endpoint.
// Create a proxy client backed by the RAM secret plug-in.
Client client = ProxyClientCreator.createClient(config, Client.class, secretName);
// Call the cloud service API.
com.aliyun.ecs20140526.models.DescribeInstancesRequest request =
new com.aliyun.ecs20140526.models.DescribeInstancesRequest();
request.setRegionId("cn-hangzhou");
DescribeInstancesResponse response = client.describeInstances(request);
System.out.println(new Gson().toJson(response.getBody()));
}
}Alibaba Cloud SDK for Java (V1.0)
Installation
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-core</artifactId>
<version>[4.3.2,5.0.0]</version>
</dependency>
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-core-managed-credentials-provider</artifactId>
<version>[1.3.1,]</version>
</dependency>Install the latest version. See the source repository for the current release.
Usage example: call ECS DescribeInstanceStatus
Add the ECS SDK dependency:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-ecs</artifactId>
<version>5.11.20</version>
</dependency>Then create a proxy client and call the API:
import com.aliyuncs.IAcsClient;
import com.aliyuncs.ecs.model.v20140526.DescribeInstanceStatusRequest;
import com.aliyuncs.ecs.model.v20140526.DescribeInstanceStatusResponse;
import com.aliyun.kms.secretsmanager.plugin.sdkcore.ProxyAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.exceptions.ServerException;
public class AliyunSdkProviderSample {
public static void main(String[] args) {
String secretName = "******";
/*
To use a custom configuration file name, uncomment the following line.
File resolution order:
1. Absolute path — read that file directly.
2. Filename only — check the classpath, then the executable JAR file.
*/
//ConfigLoader.setConfigName("your-config-name");
// Create a proxy ACS client backed by the RAM secret plug-in.
IAcsClient client = null;
try {
client = new ProxyAcsClient("<the regionId of ECS>", secretName);
} catch (ClientException e) {
e.printStackTrace();
}
// Call the ECS API.
DescribeInstanceStatusRequest request = new DescribeInstanceStatusRequest();
try {
DescribeInstanceStatusResponse response = client.getAcsResponse(request);
} catch (ServerException e) {
e.printStackTrace();
} catch (ClientException e) {
e.printStackTrace();
}
// Release plug-in resources.
client.shutdown();
}
}OSS SDK for Java
Installation
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-core</artifactId>
<version>4.5.17</version>
</dependency>
<dependency>
<groupId>com.aliyun.oss</groupId>
<artifactId>aliyun-sdk-oss</artifactId>
<version>[2.1.0,3.10.2]</version>
<exclusions>
<exclusion>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-kms</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-sdk-oss-managed-credentials-provider</artifactId>
<version>[1.3.1,]</version>
</dependency>Install the latest version. See the source repository for the current release.
Usage example: call OSS listBuckets
import com.aliyun.kms.secretsmanager.plugin.oss.ProxyOSSClientBuilder;
import com.aliyun.oss.OSS;
import com.aliyun.oss.model.Bucket;
import java.util.List;
public class OssProviderSample {
public static void main(String[] args) throws Exception {
String secretName = "******";
String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
/*
To use a custom configuration file name, uncomment the following line.
File resolution order:
1. Absolute path — read that file directly.
2. Filename only — check the classpath, then the executable JAR file.
*/
//ConfigLoader.setConfigName("your-config-name");
// Create a proxy OSS client backed by the RAM secret plug-in.
OSS ossClient = new ProxyOSSClientBuilder().build(endpoint, secretName);
// Call the OSS API.
List<Bucket> buckets = ossClient.listBuckets();
for (Bucket bucket : buckets) {
if (bucket != null) {
// Your business logic goes here.
}
}
// Release plug-in resources.
ossClient.shutdown();
}
}Python
Alibaba Cloud SDK for Python (V1.0)
Installation
pip install aliyun-openapi-python-sdk-managed-credentials-providerVersion 0.1.0 or later is required. See the source repository for the current release.
Usage example
from aliyun_sdk_secretsmanager_sdk_core_plugin.proxy_acs_client import ProxyAcsClient
region = "cn-hangzhou"
secretName = "******"
# Create a proxy ACS client backed by the RAM secret plug-in.
client = ProxyAcsClient(region_id=region, secret_name=secretName)
# Call Alibaba Cloud services using the client — no other code changes required.
...
# Release plug-in resources.
client.shutdown()OSS Python SDK
Installation
pip install aliyun-oss-python-sdk-managed-credentials-providerVersion 0.1.0 or later is required. See the source repository for the current release.
Usage example
from aliyun_sdk_secretsmanager_oss_plugin.proxy_bucket import ProxyBucket
from itertools import islice
endpoint = "******"
secret_name = "******"
bucket_name = "******"
bucket = ProxyBucket(secret_name=secret_name, endpoint=endpoint, bucket_name=bucket_name)
objects = bucket.list_objects()
for b in islice(objects.object_list, 10):
print(b.key)
bucket.shutdown()Go
Go-specific behavior
The Go RAM secret plug-in does not automatically retry when it detects an InvalidAccessKeyId error. Credential refresh relies on a scheduled mechanism that runs every 6 hours.
If you rotate secrets manually, set the rotation window to at least 12 hours to prevent task interruptions from expired credentials. For shorter rotation windows, use one of the workarounds in the FAQ.
Alibaba Cloud SDK for Go (V1.0)
Installation
This plug-in requires alibaba-cloud-sdk-go at a version below v1.63.0. Verify the version in the plug-in's go.mod file before installing.
Install the latest version from the source repository.
Method 1 — Add to go.mod:
require (
github.com/aliyun/aliyun-sdk-managed-credentials-providers-go/aliyun-sdk-managed-credentials-providers/alibaba-cloud-sdk-go-managed-credentials-provider vX.X.X
)Method 2 — Use go get:
go get -u github.com/aliyun/aliyun-sdk-managed-credentials-providers-go/aliyun-sdk-managed-credentials-providers/alibaba-cloud-sdk-go-managed-credentials-providerUsage example: call ECS DescribeInstances
package sample
import (
"fmt"
"github.com/aliyun/alibaba-cloud-sdk-go/services/ecs"
sdkcoreprovider "github.com/aliyun/aliyun-sdk-managed-credentials-providers-go/aliyun-sdk-managed-credentials-providers/alibaba-cloud-sdk-go-managed-credentials-provider/sdk"
)
func main() {
secretName := "********"
regionId := "cn-hangzhou"
// Create a proxy client backed by the RAM secret plug-in.
client, err := sdkcoreprovider.GetClient(&ecs.Client{}, regionId, secretName)
if err != nil {
fmt.Println(err)
return
}
ecsClient := client.(*ecs.Client)
request := ecs.CreateDescribeInstancesRequest()
instancesResponse, err := ecsClient.DescribeInstances(request)
if err != nil {
fmt.Println(err)
return
}
for _, instance := range instancesResponse.Instances.Instance {
// Your business logic goes here.
}
}OSS Go SDK
Installation
This plug-in requires alibaba-cloud-sdk-go at a version below v1.63.0. Verify the version in the plug-in's go.mod file before installing.
Install the latest version from the source repository.
Method 1 — Add to go.mod:
require (
github.com/aliyun/aliyun-sdk-managed-credentials-providers-go/aliyun-sdk-managed-credentials-providers/aliyun-oss-go-sdk-managed-credentials-provider vX.X.X
)Method 2 — Use go get:
go get -u github.com/aliyun/aliyun-sdk-managed-credentials-providers-go/aliyun-sdk-managed-credentials-providers/aliyun-oss-go-sdk-managed-credentials-providerUsage example
package sample
import (
"fmt"
ossprovider "aliyun-oss-go-sdk-managed-credentials-provider/sdk"
)
func main() {
secretName := "********"
endpoint := "https://oss-cn-hangzhou.aliyuncs.com"
// Create a proxy OSS client backed by the RAM secret plug-in.
client, err := ossprovider.New(endpoint, secretName)
if err != nil {
fmt.Println(err)
return
}
result, err := client.ListBuckets()
if err != nil {
fmt.Println(err)
return
}
for _, bucket := range result.Buckets {
// Your business logic goes here.
}
// Release plug-in resources.
client.Shutdown()
}FAQ
The Go RAM secret plug-in returns `InvalidAccessKeyId` after a credential expires. What do I do?
The Go plug-in does not automatically retry on InvalidAccessKeyId, so a manually rotated secret can expire before the 6-hour scheduled refresh catches up. Use one of the following approaches:
Wait for automatic refresh — For automatically rotated secrets, the plug-in's scheduled refresh mechanism (which runs every 6 hours) fetches the new secret automatically.
On-demand refresh — Catch the exception and call
sdk.RefreshSecretInfo(secretName)to fetch the latest secret immediately.Scheduled refresh — Set up a periodic task that calls
sdk.RefreshSecretInfo(secretName)at a frequency that matches your rotation window, so the new secret is always fetched before the current one expires.Adjust the rotation window — For manually rotated secrets, set the rotation window to at least 12 hours. This gives the 6-hour scheduled refresh enough lead time to update the cache before the old credential expires.