A dynamic RAM secret stores the AccessKey pair of a Resource Access Management (RAM) user and rotates it automatically on a schedule. This reduces the risk of credential exposure from long-lived secrets.
This topic describes how to create, delete, and restore a dynamic RAM secret in the Key Management Service (KMS) console.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account, or a RAM user or RAM role with permissions to manage dynamic RAM secrets. If you use a RAM user or RAM role, attach the AliyunKMSSecretAdminAccess and AliyunRAMFullAccess system policies to it
Secrets Manager authorized to manage AccessKey pairs of RAM users via a RAM service role. See Authorize Secrets Manager to manage AccessKey pairs of RAM users
An AccessKey pair created for the RAM user you want to manage. See Create an AccessKey pair
Create a dynamic RAM secret
Log on to the KMS console.
In the top navigation bar, select the region where you want to create the secret.
In the left-side navigation pane, click Secret.
Click Create Secret.
In the Create Secret dialog box, configure the following parameters, then click Next:
Select Type: Select Managed RAM secret.
Select RAM User: Select the RAM user for which you want to create the secret. The RAM user must have at least one AccessKey pair.
Set secret value: Enter the AccessKey secret for the displayed AccessKey ID.
Note: We recommend that you enter a valid AccessKey secret. If the secret is invalid, a new AccessKey ID and AccessKey secret are automatically generated after the first rotation.
Secret Description: Enter a description for the secret.
In the Configuration rotation dialog box, select Turn on automatic rotation, set the Rotation Period, and click Next.
Note: To skip automatic rotation, select Turn off automatic rotation.
In the Review and confirm dialog box, verify the configuration and click OK.
In the Created successfully message, click Close.
To view the secret details immediately, click View secret details instead.
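The automatic rotation configured in the steps above replaces the AccessKey pair stored in the secret, so an application that reads the pair once at startup keeps using a key that will eventually stop working. The following Python example is added here and is not part of the original documentation or of Alibaba Cloud's SDK. It shows a small credential cache that re-reads the secret after a TTL and on demand (for example after an authentication failure), so that the application picks up the rotated pair. It assumes the secret value is a JSON document with AccessKeyId and AccessKeySecret fields; Secrets Manager is stood in for by a constructed in-memory class, and the secret name and key values are constructed placeholders, so the example runs offline.

```python
"""Rotation-aware consumer of a dynamic RAM secret (added example, not Alibaba Cloud code)."""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SecretVersion:
    """One version of a secret, as the secret store would return it."""
    version_id: str
    secret_data: str  # JSON string holding the AccessKey pair (assumed format)


class FakeSecretsManager:
    """Constructed stand-in for KMS Secrets Manager so the example runs offline.

    The real service is called through the Alibaba Cloud SDK; this class only
    mimics 'the current version of a secret' and what a rotation does to it.
    """

    def __init__(self) -> None:
        self._versions: Dict[str, List[SecretVersion]] = {}

    def create_secret(self, name: str, access_key_id: str, access_key_secret: str) -> None:
        self._versions[name] = []
        self._put_version(name, access_key_id, access_key_secret)

    def rotate(self, name: str, access_key_id: str, access_key_secret: str) -> None:
        """Simulate one automatic rotation: a new AccessKey pair becomes current."""
        self._put_version(name, access_key_id, access_key_secret)

    def get_secret_value(self, name: str) -> SecretVersion:
        """Return the current version, the one an application should use."""
        return self._versions[name][-1]

    def _put_version(self, name: str, ak: str, sk: str) -> None:
        versions = self._versions[name]
        data = json.dumps({"AccessKeyId": ak, "AccessKeySecret": sk})
        versions.append(SecretVersion(f"v{len(versions) + 1}", data))


class RamCredentialCache:
    """Hands out the AccessKey pair and re-reads the secret after a TTL or on demand."""

    def __init__(self, client, secret_name: str, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client
        self._secret_name = secret_name
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so rotation can be simulated deterministically
        self._cached: Optional[Tuple[str, str]] = None
        self._fetched_at = 0.0
        self.current_version_id: Optional[str] = None

    def get(self) -> Tuple[str, str]:
        """Return (AccessKeyId, AccessKeySecret), refreshing when the cache is stale."""
        now = self._clock()
        if self._cached is None or now - self._fetched_at >= self._ttl:
            self._refresh(now)
        return self._cached

    def invalidate(self) -> None:
        """Call this when a request fails with an auth error: the pair may have rotated."""
        self._cached = None

    def _refresh(self, now: float) -> None:
        version = self._client.get_secret_value(self._secret_name)
        doc = json.loads(version.secret_data)
        ak, sk = doc.get("AccessKeyId"), doc.get("AccessKeySecret")
        if not ak or not sk:
            raise ValueError(f"secret {self._secret_name} version {version.version_id} has no AccessKey pair")
        self._cached = (ak, sk)
        self.current_version_id = version.version_id
        self._fetched_at = now


def demo() -> List[str]:
    """Walk through create -> cached read -> rotation -> TTL refresh -> forced refresh.

    Returns the AccessKey IDs the application observed at each step.
    """
    mgr = FakeSecretsManager()
    mgr.create_secret("app-ram-secret", "LTAI-EXAMPLE-1", "secret-1")  # constructed values
    clock = [0.0]
    cache = RamCredentialCache(mgr, "app-ram-secret", ttl_seconds=300, clock=lambda: clock[0])
    seen = [cache.get()[0]]                       # first read fetches v1
    mgr.rotate("app-ram-secret", "LTAI-EXAMPLE-2", "secret-2")
    seen.append(cache.get()[0])                   # still v1: within TTL
    clock[0] = 300.0
    seen.append(cache.get()[0])                   # TTL elapsed: v2 picked up
    mgr.rotate("app-ram-secret", "LTAI-EXAMPLE-3", "secret-3")
    cache.invalidate()                            # e.g. after an auth failure
    seen.append(cache.get()[0])                   # forced refresh: v3
    return seen


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long a stale pair is used after a rotation; choose it well below the rotation period you set in the console, and call invalidate() from the error path so a rotation that lands mid-interval is recovered without waiting for the TTL.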
Delete a dynamic RAM secret
KMS uses a deletion window to protect against accidental deletion. You can schedule the deletion of a dynamic RAM secret or immediately delete it.
Deleting a dynamic RAM secret does not delete the AccessKey pair of the associated RAM user. Before deleting, confirm that no application is actively using the secret.
In the left-side navigation pane, click Secrets.
Find the secret you want to delete and choose More > Plan Deletion Secret in the Actions column.
In the Delete Secret dialog box, select a deletion method and click OK:
Plan Deletion Secret: Set the Delete In (7-30 days) parameter. The secret is permanently deleted after the specified number of days. To cancel the deletion, restore the secret before the window expires.
Delete Secret Immediately: The secret is permanently deleted right away.
Restore a dynamic RAM secret
If you scheduled a secret for deletion, restore it at any time before the deletion window expires. After restoration, the secret returns to its normal state and can be used immediately.
In the left-side navigation pane, click Secrets.
Find the secret you want to restore and choose More > Restore Secret in the Actions column.
In the Restore Secret message, click OK.