Secrets Manager rotates ECS instance credentials — passwords or key pairs — automatically on a schedule or on demand, so a leaked credential can be invalidated within minutes. This topic explains how to create, rotate, delete, and restore a dynamic ECS secret in the Key Management Service (KMS) console.
How it works
When you create a dynamic ECS secret, KMS uses a service-linked role to connect to your ECS instance. On each rotation, KMS generates a new credential and applies it directly to the instance, replacing the previous password or key pair. Applications that retrieve the secret from Secrets Manager at use time always get the current, valid credential; an application that caches a credential indefinitely will start failing after the next rotation, so it should re-read the secret when a login is rejected.
Prerequisites
Before you begin, make sure you have:
An ECS instance. See Create an ECS instance.
An Alibaba Cloud account, or a RAM user or RAM role with the required permissions. If you use a RAM user or RAM role, you must attach the AliyunKMSSecretAdminAccess policy to the RAM user or RAM role. This policy grants permissions to use Secrets Manager, query ECS instances, and create the service-linked role required for dynamic ECS secrets. See Grant permissions to a RAM user and Grant permissions to a RAM role.
Create a dynamic ECS secret
Select the same region as the ECS instance you want to manage. A secret can only manage instances in the same region.
Log on to the KMS console.
In the top navigation bar, select the region where your ECS instance is located.
In the left-side navigation pane, click Secret.
Click Create Secret.
In the Create Secret dialog box, configure the following parameters and click Next.
Select Type: Select Managed ECS secret.
Secret name: Enter a name for the secret.
Managed instance: Select the ECS instance to manage.
Managed User: Enter the name of an existing OS user on the instance, such as root (Linux) or Administrator (Windows).
Initial secret value: Select Password or Key pair and enter the initial value. If the value is invalid, a valid credential is generated after the first rotation.
Secret Description: Enter a description.
In the Configuration rotation dialog box, configure rotation settings and click Next.
To enable automatic rotation, select Turn on automatic rotation and set the Rotation Period.
To skip automatic rotation for now, select Turn off automatic rotation. Manual rotation is still available at any time.
In the Review and confirm dialog box, review the configuration and click OK.
The secret appears in the secret list with Secret Type set to Managed ECS secret.
Rotate a dynamic ECS secret
If a credential is exposed, rotate it immediately to replace the compromised value.
In the secret list, click the name of the ECS secret.
On the secret details page, click Rotate Immediately in the upper-right corner.
In the Prompt dialog box, choose how to generate the new credential:
Use Custom Secret on: Enter a specific new secret value.
Use Custom Secret off: KMS automatically generates a 32-character random password or an RSA-2048 public-private key pair.
Click Confirm rotation.
In the Rotation triggered message, click Close.
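The refresh-on-failure pattern implied by the How it works section and by the rotation procedure above (fetch the credential from Secrets Manager at use time, and re-fetch it once when a login is rejected because the instance credential has just been rotated) is shown in this added Python example. It is not code from this page or from Alibaba Cloud. It assumes a GetSecretValue-style response whose SecretData is a JSON object with UserName and either Password or PublicKey/PrivateKey fields; that field layout, the secret name ecs-web-01, and the in-memory stand-ins for the ECS instance and for Secrets Manager are constructed for illustration so the example runs offline.

```python
import json
from typing import Callable, Dict

# Assumed layout of SecretData for a managed ECS secret (an assumption for
# illustration, not quoted from the KMS documentation):
#   password type: {"UserName": "...", "Password": "..."}
#   key pair type: {"UserName": "...", "PublicKey": "...", "PrivateKey": "..."}


class AuthError(Exception):
    """Raised by the login callback when the instance rejects a credential."""


def parse_ecs_secret(response: Dict) -> Dict[str, str]:
    """Turn a GetSecretValue-style response into a credential dict."""
    if response.get("SecretDataType", "text") != "text":
        raise ValueError("managed ECS secret data is expected to be text")
    data = json.loads(response["SecretData"])
    cred = {"user": data["UserName"], "version_id": response.get("VersionId", "")}
    if "Password" in data:
        cred["type"] = "password"
        cred["password"] = data["Password"]
    elif "PrivateKey" in data:
        cred["type"] = "key_pair"
        cred["private_key"] = data["PrivateKey"]
    else:
        raise ValueError("unrecognized ECS secret payload")
    return cred


def login_with_refresh(get_secret_value: Callable[[str], Dict],
                       login: Callable[[Dict[str, str]], object],
                       secret_name: str, cache: Dict[str, Dict[str, str]]):
    """Log in with a cached credential; on rejection, re-read the secret once and retry.

    Caching avoids a KMS call per connection, but a rotation invalidates the
    cached value, so one refresh-and-retry is allowed. A second AuthError is
    a real failure and propagates to the caller.
    """
    cred = cache.get(secret_name)
    if cred is None:
        cred = cache[secret_name] = parse_ecs_secret(get_secret_value(secret_name))
    try:
        return login(cred)
    except AuthError:
        cred = cache[secret_name] = parse_ecs_secret(get_secret_value(secret_name))
        return login(cred)


class FakeEcsInstance:
    """Constructed stand-in for an ECS instance: accepts only its current password."""

    def __init__(self, user: str, password: str):
        self.user, self.password = user, password

    def login(self, cred: Dict[str, str]) -> str:
        if (cred["type"] != "password" or cred["user"] != self.user
                or cred["password"] != self.password):
            raise AuthError("permission denied")
        return f"session for {cred['user']}"


class FakeSecretsManager:
    """Constructed stand-in for Secrets Manager holding one managed ECS secret."""

    def __init__(self, secret_name: str, instance: FakeEcsInstance):
        self.secret_name, self.instance, self.version = secret_name, instance, 1

    def get_secret_value(self, secret_name: str) -> Dict:
        if secret_name != self.secret_name:
            raise KeyError(secret_name)
        payload = {"UserName": self.instance.user, "Password": self.instance.password}
        return {"SecretName": secret_name, "VersionId": f"v{self.version}",
                "SecretDataType": "text", "SecretData": json.dumps(payload)}

    def rotate(self, new_password: str) -> None:
        # As on a real rotation: the new credential is applied to the instance
        # and becomes the current version of the secret in one step.
        self.instance.password = new_password
        self.version += 1


def demo() -> Dict[str, object]:
    """Walk through login, rotation, stale-credential failure, and refresh."""
    inst = FakeEcsInstance("root", "InitialPassw0rd!")          # constructed values
    sm = FakeSecretsManager("ecs-web-01", inst)
    cache: Dict[str, Dict[str, str]] = {}
    first = login_with_refresh(sm.get_secret_value, inst.login, "ecs-web-01", cache)
    sm.rotate("R0tatedPassw0rd!")
    stale_rejected = False
    try:
        inst.login(cache["ecs-web-01"])   # the cached credential is now invalid
    except AuthError:
        stale_rejected = True
    second = login_with_refresh(sm.get_secret_value, inst.login, "ecs-web-01", cache)
    return {"first": first, "stale_rejected": stale_rejected,
            "second": second, "version": cache["ecs-web-01"]["version_id"]}


if __name__ == "__main__":
    print(demo())
```

In production, replace the stand-ins with the KMS SDK's GetSecretValue call and your SSH or RDP client; the structure of login_with_refresh stays the same. Keep the cached credential in memory only, and never write it to logs or disk, since the whole point of rotation is that a leaked copy has a short life.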
Delete a dynamic ECS secret
Deleting a secret does not change the password or key pair already configured on the ECS instance. Confirm the secret is no longer in use before proceeding.
To protect against accidental deletion, KMS supports a recovery window of 7 to 30 days before permanent removal.
In the secret list, find the secret and choose More > Plan Deletion Secret in the Actions column.
In the Delete Secret dialog box, select a deletion method and click OK.
Plan Deletion Secret: Set the Delete In (7-30 days) parameter. The secret is deleted after the specified number of days. During this period, you can restore the secret to cancel deletion.
Delete Secret Immediately: Deletes the secret permanently, with no recovery window.
Restore a dynamic ECS secret
If you scheduled a dynamic ECS secret for deletion, restore it before the recovery window expires to cancel deletion. After restoration, the secret works as normal.
In the secret list, find the secret and choose More > Restore Secret in the Actions column.
In the Restore Secret message, click OK.