KMS provides three SDK types: Alibaba Cloud SDK, Credentials SDK, and KMS Instance SDK (not recommended). This topic compares their capabilities, authentication methods, supported APIs, and gateway types.
SDK integration flow
Alibaba Cloud SDK
The Alibaba Cloud SDK wraps Alibaba Cloud OpenAPIs, supporting both control-plane APIs (key, credential, and instance management) and data-plane APIs (cryptographic operations, credential retrieval). Available in Java, Python, C++, PHP, .NET (C# only), Go, TypeScript, and Swift. For more information, see Alibaba Cloud SDK.
Supported APIs
Call both control-plane and data-plane OpenAPIs through the Alibaba Cloud SDK. OpenAPIs supported by Alibaba Cloud SDK.
-
Control-plane operations: Manage default keys and KMS instances—create keys, credentials, or instances, and modify tags.
-
Data-plane operations:
-
Cryptographic operations: symmetric and asymmetric encryption/decryption, envelope encryption, data key generation, digital signing, and signature verification.
-
Credential retrieval: obtain the values of credentials stored in a KMS instance.
-
In production, implement error retry and credential caching to handle network fluctuations. For retry strategies, see Retry requests with exponential backoff.
Supported gateway types
The Alibaba Cloud SDK supports shared and dedicated gateways. Control-plane operations require shared gateways; data-plane operations support both.
|
Gateway Type |
Recommended Scenario |
Supported APIs |
|
Shared gateway |
All OpenAPIs |
|
|
Dedicated gateway |
|
Cryptographic operations and credential retrieval-OpenAPI |
Credentials SDK
The Credentials SDK provides in-application credential caching and automatic refresh for credential retrieval only. Three variants: Credential Client, Credential JDBC Client, and RAM Credential Plugin. Available in Java (8+), Python, and Go. For more information, see Credentials SDK.
Credentials SDK types
|
SDK Type |
Description |
|
Credential Client |
|
|
Credential JDBC Client |
|
|
RAM Credential Plugin |
|
Supported APIs
The Credentials SDK supports credential retrieval operations only. For credential management (control-plane), use the Alibaba Cloud SDK.
Supported gateway types
The Credentials SDK retrieves credentials through shared or dedicated gateways.
|
Gateway Type |
Recommended Scenario |
|
Shared gateway |
|
|
Dedicated gateway |
|
KMS instance SDK (not recommended)
The KMS Instance SDK accesses dedicated gateway endpoints for cryptographic operations and credential retrieval. Available in Java (8+), PHP, Go, Python, and .NET (C# only). For details, see KMS Instance SDK.
Endpoints for gateway types
KMS provides two endpoint formats:
-
Dedicated gateway endpoint (KMS instance endpoint): The address of a specific KMS instance, accessible only over private networks.
-
Format:
<kms-instance-id>.cryptoservice.kms.aliyuncs.com. -
Example:
kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com.
-
Authentication and authorization
KMS supports RAM authentication and AAP (Application Access Point) authentication. Shared gateways support both; dedicated gateways support AAP only.
-
RAM authentication: Uses RAM roles, STS tokens, ECS RAM roles, AccessKeys, and other methods in Manage access credentials.
ImportantAccessing an instance through a dedicated gateway with RAM authentication requires a CA certificate.
-
AAP authentication (not recommended): Create an Application Access Point and download the ClientKey file, which contains the Credential (ClientKeyContent) and the credential password (ClientKeyPassword).
RAM Authentication
AccessKey
By default, an Alibaba Cloud account has administrator permissions for all resources, which cannot be modified. To ensure resource security, we recommend that you use a RAM user to create an AccessKey pair and grant it only the necessary permissions.
Log on to the RAM console. On the Users page, click the name of the target RAM user.
On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the on-screen instructions.
Grant the RAM user permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM user, click Grant Permission to attach a built-in system permission policy for KMS to the RAM user. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
ECS RAM Role
An ECS instance RAM role allows you to obtain a temporary access credential (STS token) from within an ECS instance to call KMS API operations, without needing to configure an AccessKey pair.
For more information, see Instance RAM roles.
Log on to the RAM console and create a RAM role for a trusted Alibaba Cloud service.
Trusted Entity Type: Select Elastic Compute Service.
Trusted entity: Select Elastic Compute Service (ECS).
Grant the RAM role permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM role, click Grant Permission to attach a built-in system permission policy for KMS to the RAM role. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Log on to the ECS console and attach the RAM role to an ECS instance.

AccessKey + RamRoleArn
RAM users or cloud services can assume a role to obtain temporary permissions (STS token) instead of using long-term keys, which reduces the risk of key leaks. For example, in a temporary data processing task, a RAM user or cloud service temporarily assumes a role with a specific RamRoleArn. After the task is complete, the role permissions are revoked, minimizing the risk of exposure.
Create a user AccessKey pair
Log on to the RAM console. In the left-side navigation pane, choose . On the Users page, click the name of the target RAM user.
Attach the
AliyunSTSAssumeRoleAccesssystem policy or a custom policy that includes thests:AssumeRoleaction to the RAM user.On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the on-screen instructions.
Create and authorize a RAM role:
In the left-side navigation pane, choose . On the Roles page, click Create Role. For more information, see Create a RAM role.
Grant the RAM role permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM role, click Grant Permission to attach a built-in system permission policy for KMS to the RAM role. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Obtain the RamRoleArn of the target RAM role. For more information, see View the information about a RAM role.
In the left-side navigation pane, choose . On the Roles page, click the name of the target role.
On the role details page, find the RamRoleArn in the ARN section.
NoteThe RamRoleArn is the Alibaba Cloud Resource Name (ARN) of the RAM role to assume. The format is
acs:ram::$accountID:role/$roleName, where$accountIDis the Alibaba Cloud account ID and$roleNameis the RAM role name.
STS Token
Security Token Service (STS) issues a temporary access credential, an STS token, to a RAM user or RAM role. This token allows access to KMS with specific permissions for a limited validity period. After the token expires, it automatically becomes invalid.
Log on to the RAM console to create a RAM user or a RAM role. For more information, see Create a RAM user and Create a RAM role.
Grant the
AliyunSTSAssumeRoleAccesspermission to the RAM user or RAM role. For more information, see Manage RAM user permissions and Grant permissions to a RAM role.Grant the RAM user or RAM role permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM role or user, click Grant Permission to attach a built-in system permission policy for KMS. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Use the RAM user or RAM role to call the STS AssumeRole operation to obtain a temporary STS access credential. For more information, see AssumeRole.
OIDC Role ARN
Create an OIDC provider
Log on to the RAM console as a RAM administrator. On the SSO page, click the Role-based SSO tab.
On the OIDC tab, click Create IdP.
On the Create IdP page, configure the provider information. For more information, see Manage OIDC providers.
Obtain and save the OIDC identity information (ARN and Client ID)
Go to the SSO page, and on the IdP tab, click the name of the target OIDC provider.
On the IdP details page, you can view the ARN and Client ID.
Create and authorize a RAM role for the OIDC provider
Log on to the RAM console as a RAM administrator and go to the page.
Click Create Role. In the upper-right corner of the creation page, click Switch to Policy Editor.
In the policy editor, specify the OIDC provider. Select the visual editor and configure the parameters as described below.
NoteFor information about other modes, see Create a RAM role for an OIDC identity provider.
In the Select Trusted Entity section, select IdP.
In the Edit Trust Policy section, configure the following parameters.
IdP Type: Select OIDC.
IdP: Select the OIDC provider you created earlier.
Grant the OIDC RAM role permissions to access KMS
Method 1: Configure an identity-based policy
Return to the Identities > Roles list page and click Grant Permission in the Actions column of the target OIDC role to directly attach a KMS built-in system permission policy to the RAM role. For more information about KMS built-in system permission policies, see Key Management Service System Permission Policy Reference.
NoteCustom permission policies are also supported. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Obtain the target OIDC Role ARN
On the page, click the name of the target role.
On the role details page, find the OIDC Role ARN in the ARN section.
NoteThe Role ARN is the ARN of the RAM role to be assumed. The format is
acs:ram::$accountID:role/$roleName, where$accountIDis the Alibaba Cloud account ID and$roleNameis the RAM role name.
Issue and save the OIDC token file
Alibaba Cloud does not support direct OIDC login from the console, but you can complete the OIDC SSO process programmatically. Obtaining an OIDC token involves an OAuth flow, commonly through a standard OAuth 2.0 process from the OIDC identity provider (IdP).
For example:when an application runs in an ACK cluster with RRSA enabled, the cluster automatically creates and mounts the corresponding service account OIDC token file for the application pod.
AAP authentication (not recommended)
Shared gateway configuration
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
(Optional) Create a network rule.
NoteConfiguring a network rule to restrict access by source IP address is optional. However, we recommend configuring one for better security.
Click the Network Access Rules tab and then click Create Network Access Rule.
In the Create Network Access Rule panel, set Network Type to Public, enter the Allowed Source IP Addresses, and click OK.
Create a permission policy.
Click the Policies tab and then click Create Policy.
In the Create Policy panel, configure the parameters for the shared gateway as described below, and then click OK.
Scope: Shared KMS Gateway
Accessible Resources: Select the secrets you want to access.
(Optional) Network Access Rules: Select the network rule created in the previous step.
Create an application access point (AAP).
Click the Application Access tab and then click Create AAP.
In the Create AAP panel, set Mode to Standard Creation, and then configure the parameters as described below.
Parameter
Description
Authentication Method
Select ClientKey.
Encryption Password
Enter an 8- to 64-character string that contains digits, letters, and special characters:
~!@#$%^&*?_-.Validity Period
ImportantWe recommend setting the validity period to one year to reduce the risk of ClientKey leaks. Be sure to rotate the ClientKey before it expires to avoid service interruptions. For more information, see Rotate a ClientKey.
Policies
Select the permission policy that you created in the previous step.
Click OK. The browser automatically downloads the ClientKey. The ClientKey includes the following files:
Credential (ClientKeyContent): The default filename is
clientKey_****.json.Credential password (ClientKeyPassword): The default filename is
clientKey_****_Password.txt.
Dedicated gateway configuration
You can create a ClientKey by using either Quick Create or Standard Create mode. For more information about ClientKeys, see Application access points and Create an application access point.
Method 1: Quick Create
This method is convenient and efficient, making it suitable for rapid testing and development. The access credential created this way has full access to all resources in the KMS instance.
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Application Access tab, click Create AAP. In the Create AAP panel, configure the parameters.
Parameter
Description
Mode
Select Quick Creation.
Scope (KMS Instance)
Select the KMS instance that your application needs to access.
Application Access Point Name
Enter a name for the application access point.
Authentication Method
This is set to ClientKey and cannot be changed.
Default Permission Policy
The value is
key/*secret/*and cannot be changed. This means the application can access all keys and secrets in the specified KMS instance.Click OK. The browser automatically downloads the ClientKey. The ClientKey includes the following files:
Credential (ClientKeyContent): The default filename is
clientKey_****.json.Credential password (ClientKeyPassword): The default filename is
clientKey_****_Password.txt.
Method 2: Standard Create
If you need to configure fine-grained access permissions for resources, we recommend that you use the Standard Create method.
Follow the Standard Create instructions in Create an application access point to create a ClientKey for accessing the dedicated gateway. The key parameters are described below:
When configuring network rules, select Private for the network type.
When you configure the scope of the permission rule, select the corresponding KMS Instance ID.
After creation, your browser automatically downloads the ClientKey, which includes:
Credential (ClientKeyContent): The file is named
clientKey_****.jsonby default.Credential password (ClientKeyPassword): The file is named
clientKey_****_Password.txtby default.