The Credentials SDK wraps KMS OpenAPI and instance APIs to cache and refresh credentials in your applications, improving stability and simplifying integration.
Integration overview
The Credentials SDK only supports retrieving credential values. It supports access through shared gateways and dedicated gateways.
Shared vs. dedicated gateways
The Credentials SDK retrieves credentials through shared or dedicated gateways. A shared gateway is the KMS global network, accessible over the Internet or VPC networks. A dedicated gateway serves a specific KMS instance and only supports access over private networks.
| Difference | Shared Gateway | Dedicated Gateway |
| --- | --- | --- |
| Recommended scenarios | | |
| Network | Internet or VPC network. | KMS private network. |
| Performance | Example: shared gateway encryption/decryption QPS is 1,000. | Based on the computing performance specifications of the purchased instance, such as 1,000 or 2,000. For more information, see |
| Client initialization configuration | | |
| API availability | OpenAPI-GetSecretValue, Instance API-GetSecretValue (not recommended) |
Authentication and authorization
The Credentials SDK supports two authentication methods: RAM authentication and AAP authentication (not recommended).
| Authentication Method | Supported Credential Types |
| --- | --- |
| RAM authentication | RamRoleArn, ECS RAM role, STS token, AccessKey, Alibaba Cloud default credential chain, OIDC Role ARN, and more. Note: The RAM credentials plugin only supports ECS RAM roles. |
| AAP authentication (not recommended) | ClientKey (shared gateway configuration), ClientKey (dedicated gateway configuration) |
SDK types
The Credentials SDK includes three SDK types: credentials client, credentials JDBC client, and RAM credentials plugin. Each retrieves KMS credential values through shared or dedicated gateways. Supported authentication methods and APIs vary by type.
| SDK Type | Description | Gateway and Authentication |
| --- | --- | --- |
| | | Shared gateway and dedicated gateway: RamRoleArn, ECS RAM role, STS token, AccessKey, Alibaba Cloud default credential chain, OIDC Role ARN, ClientKey, and more. Note: We recommend that you use the credentials client V2 SDK. For more information about version differences, see Secrets Manager Client. |
| | | Shared gateway:<br>Dedicated gateway (not recommended): AAP authentication: ClientKey (dedicated gateway configuration). |
| | | Shared gateway:<br>Dedicated gateway (not recommended): AAP authentication: ClientKey (dedicated gateway configuration). |
Supported APIs
| API | Description | Shared Gateway | Dedicated Gateway |
| --- | --- | --- | --- |
| GetSecretValue (OpenAPI) | Retrieves a credential value. | | |
| GetSecretValue (Instance API) | Retrieves a credential value. | | |
Supported programming languages
Supported programming languages and SDK documentation for each type:
| Credentials SDK | Supported Language |
| --- | --- |
| | Java (Java 8 or later), Python, Go |
| | Java (Java 8 or later) |
| | Java (Java 8 or later), Python, Go |