This topic applies only to users of the old version of Key Management Service (KMS). If you use KMS 3.0, see SDK references.
An application access point (AAP) controls how an application authenticates with KMS and which secrets it can access. Each AAP combines an authentication method with one or more role-based access control (RBAC) permission policies.
Choose an authentication method
Before creating an AAP, decide which authentication method fits your deployment:
| Method | When to use | What you configure |
|---|---|---|
| RAMRole | Your application runs on an Elastic Compute Service (ECS) instance, in a Container Service for Kubernetes (ACK) cluster, or in Function Compute — environments that support bound RAM roles | Trusted Role type and RAM role name |
| Client Key | Your application runs in an environment where binding a RAM role isn't possible | A client key you create and manage after the AAP is set up |
RAMRole is the simpler option when your environment supports it. With Client Key, you generate a private key file that you must store and protect — KMS does not retain it.
Create an AAP
Prerequisites
Before you begin, ensure that you have:
Access to the KMS console
A RAM role (if using the RAMRole authentication method)
Steps
Log on to the KMS console.
In the top navigation bar, select the region where you want to create the AAP.
In the left-side navigation pane, click Applications.
Click Create Application Access Point.
In the Create Application Access Point dialog box, configure the basic information:
Enter a Name and an optional Description.
The AAP name must be unique within the selected region in your Alibaba Cloud account.
In the Authentication Method section, select an authentication method and fill in the required parameters:
For RAMRole:
| Parameter | Description | Example |
|---|---|---|
| Trusted Role | The type of environment where your application runs. KMS uses this to verify the RAM role's delegated trust rules. Valid values: ECS Instance Role, ACK Worker Role, Function Compute Role | ECS Instance Role |
| Role Name | The name of the RAM role bound to your application's environment | ECSRole |
For Client Key:
No parameters are required at this stage. After the AAP is created, bind a client key by following Bind a client key to the AAP.
Click Next.
Configure permission policies. Each policy defines what operations the AAP can perform and on which resources.
The parameters work in sequence: Scope sets the KMS instance, RBAC Permissions sets the allowed operations, Accessible Resources sets the target resources, and Network Access Rules restricts which networks can call KMS.
Click the icon to the right of Policies.
In the RBAC Policy dialog box, configure the following parameters:
| Parameter | Description | Example |
|---|---|---|
| Policy name | A name for this permission policy | RAMPolicy |
| Scope | The KMS instance this policy applies to. Select Shared KMS for the shared service, or select a dedicated KMS instance ID | Shared KMS |
| RBAC permissions | The permission template. SecretUser grants GetSecretValue calls on KMS. CryptoServiceKeyUser grants cryptographic operations on a dedicated KMS instance | SecretUser |
| Accessible resources | The secrets or keys this policy covers. In the Resources section, select existing resources and click the icon, or click the icon in the Selected Resources section, enter a resource, and click Add. Use the asterisk (*) wildcard as a suffix to match multiple resources | secret/dataKey**** |
| Network access rules | The networks allowed to call KMS under this policy. Select an existing rule from Available Rules, or create one (see the following table) | — |
To create a network access rule, click the icon and configure the following parameters in the Create Network Access Rule dialog box:
| Parameter | Description | Example |
|---|---|---|
| Name | A name for this rule | Network |
| Network type | The network path your application uses to reach KMS. Public: public endpoint. VPC: VPC address. Private: Dedicated KMS over VPC | VPC |
| Description | (Optional) A description for the rule | Access the specified VPC |
| Allowed IP addresses | The IP addresses permitted under this rule. For Public: public IP addresses. For VPC: VPC ID and IP addresses or CIDR blocks. For Private: private IP addresses or CIDR blocks. Separate multiple addresses with commas | 192.168.0.0/16 |
Click Create, then select the rule and click the icon to add it to the policy.
Click Create to save the RBAC policy.
Select the policy and click the icon to attach it to the AAP.
Click Next.
Review the configuration and click Create.
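How the four policy parameters (Scope, RBAC Permissions, Accessible Resources, Network Access Rules) narrow a request, as an added model that is not Alibaba Cloud's code: it reuses the example values from the tables above (RAMPolicy, Shared KMS, SecretUser, secret/dataKey*, 192.168.0.0/16) and checks a request against all four. The operation lists behind the two templates, the VPC ID vpc-EXAMPLE and the rule that every parameter must agree are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not Alibaba Cloud code): a model of how an AAP policy's parameters
# combine. Template names follow the page; the operation lists are assumptions.
TEMPLATES = {
    "SecretUser": {"GetSecretValue"},
    "CryptoServiceKeyUser": {"Encrypt", "Decrypt", "GenerateDataKey"},
}

def resource_matches(pattern: str, resource: str) -> bool:
    """A trailing '*' is a prefix wildcard; anything else must match exactly."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return resource == pattern

@dataclass
class NetworkAccessRule:
    name: str
    network_type: str             # "Public", "VPC" or "Private"
    allowed: str                  # comma-separated IPs or CIDR blocks, as typed in the console
    vpc_id: Optional[str] = None  # VPC rules also bind to a VPC ID

    def permits(self, network_type: str, source_ip: str, vpc_id: Optional[str]) -> bool:
        if network_type != self.network_type or (self.network_type == "VPC" and vpc_id != self.vpc_id):
            return False
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(e.strip(), strict=False)
                   for e in self.allowed.split(",") if e.strip())

@dataclass
class RbacPolicy:
    name: str
    scope: str                    # "Shared KMS" or a dedicated KMS instance ID
    template: str                 # key into TEMPLATES
    resources: List[str]
    network_rules: List[NetworkAccessRule] = field(default_factory=list)

    def allows(self, instance, operation, resource, network_type, source_ip, vpc_id=None) -> bool:
        """All four parameters must agree; a policy with no network rule allows nothing here."""
        return (instance == self.scope
                and operation in TEMPLATES.get(self.template, set())
                and any(resource_matches(p, resource) for p in self.resources)
                and any(r.permits(network_type, source_ip, vpc_id) for r in self.network_rules))

# Constructed sample built from the example values in the tables above.
POLICY = RbacPolicy("RAMPolicy", "Shared KMS", "SecretUser", ["secret/dataKey*"],
                    [NetworkAccessRule("Network", "VPC", "192.168.0.0/16", "vpc-EXAMPLE")])
```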
Bind a client key to the AAP
If you selected the Client Key authentication method, complete this section after the AAP is created. The client key identifies your application to KMS.
Click the name of the AAP.
In the Client Key section, click Create Client Key.
In the Create Client Key dialog box, configure the following parameters:
| Parameter | Description | Example |
|---|---|---|
| Encryption password | The password used to decrypt the private key file when your application connects to KMS. Store this password securely | Test**** |
| Validity period | The date range during which the client key is valid | April 3, 2022 to March 4, 2027 |
Important: KMS displays the password and client key file only once, immediately after you click OK. KMS does not save the private key — it is stored in an encrypted PKCS#12 file that you can download only at this moment. If you close the dialog without saving both, you cannot recover them.
Click OK.
In the Created dialog box, save both credentials:
Password: Click Copy next to Decryption Password to copy the password.
Client key file: Click Download Client Key to download the PKCS#12 file.
The client key file contains a key ID and the encrypted private key data:
```json
{
  "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
  "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
}
```
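How an application can load and sanity-check the downloaded file before handing it to an SDK, as an added example that is not Alibaba Cloud SDK code: it parses the JSON above, checks the KAAP. key ID prefix and confirms the base64 payload has the PKCS#12 outer structure (the sample value above begins MIIJwwIBAz, which decodes to the DER bytes 30 82 09 c3 02 01 03: a SEQUENCE followed by the PKCS#12 version INTEGER 3). The key ID, the DER bytes and the KMS_CLIENT_KEY_PASSWORD variable are constructed placeholders.

```python
import base64
import json
import os

# Added example (not Alibaba Cloud SDK code): parse a downloaded client key file and
# sanity-check it before passing it to an SDK. A PKCS#12 PFX begins
# SEQUENCE { version INTEGER 3, ... }, which is what the header check looks for.

def _der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def check_pkcs12_header(blob: bytes) -> bool:
    """True if blob is an outer SEQUENCE covering the whole file whose first element is INTEGER 3."""
    if len(blob) < 5 or blob[0] != 0x30:
        return False
    length, pos = _der_length(blob, 1)
    return length == len(blob) - pos and blob[pos:pos + 3] == b"\x02\x01\x03"

def load_client_key(text: str, password: str) -> dict:
    """Parse the JSON; the decryption password is supplied by the caller, never stored in the file."""
    if not password:
        raise ValueError("decryption password is required; KMS shows it only once")
    doc = json.loads(text)
    key_id = doc["KeyId"]
    if not key_id.startswith("KAAP."):
        raise ValueError("unexpected KeyId format: " + key_id)
    blob = base64.b64decode(doc["PrivateKeyData"], validate=True)
    if not check_pkcs12_header(blob):
        raise ValueError("PrivateKeyData is not a PKCS#12 structure")
    return {"key_id": key_id, "pkcs12": blob, "password": password}

# Constructed sample (NOT a real client key): a placeholder key ID and a minimal DER
# shell holding the PKCS#12 version element and an empty pkcs7-data ContentInfo.
_SAMPLE_DER = bytes.fromhex("3010" "020103" "300b06092a864886f70d010701")
SAMPLE_CLIENT_KEY = json.dumps({
    "KeyId": "KAAP.00000000-0000-0000-0000-000000000000",
    "PrivateKeyData": base64.b64encode(_SAMPLE_DER).decode(),
})

if __name__ == "__main__":
    # Read the password from the environment rather than hard-coding it next to the key.
    ck = load_client_key(SAMPLE_CLIENT_KEY, os.environ.get("KMS_CLIENT_KEY_PASSWORD", "Test****"))
    print(ck["key_id"], "->", len(ck["pkcs12"]), "bytes of PKCS#12 data")
```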
What's next
To learn how your application uses the AAP to retrieve secrets at runtime, see SDK references.