Key Management Service: Overview

Last Updated: Mar 31, 2026

Hardcoding an AccessKey pair in your application source code or configuration files creates a persistent security risk: anyone who can inspect the code or its artifacts can extract the credentials. Dynamic RAM secrets eliminate this risk by letting your application retrieve a valid AccessKey pair at runtime instead. KMS automatically rotates the AccessKey pair on a regular schedule, so credentials are always short-lived. If a secret is ever exposed, trigger an immediate rotation to replace the compromised AccessKey pair right away.

How it works

A RAM secret stores the AccessKey pair of a Resource Access Management (RAM) user. An AccessKey pair consists of an AccessKey key and an AccessKey secret, which authenticate the RAM user when calling Alibaba Cloud APIs.

When you configure an automatic rotation interval, KMS creates a new AccessKey pair for the associated RAM user and retires the old one. Your application calls the GetSecretValue operation to get the current valid AccessKey pair, then uses it to call Alibaba Cloud APIs.

Dynamic RAM secret architecture

To start using dynamic RAM secrets:

  1. Authorize KMS to manage AccessKey pairs of RAM users.

  2. Create a dynamic RAM secret.

  3. Connect an application to KMS.

  4. Use the dynamic RAM secret to access Alibaba Cloud services.
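The runtime retrieval described under "How it works" implies that an application must cope with its cached AccessKey pair being retired by a rotation. The following is an added example, not code from this page or from an Alibaba Cloud SDK: `RamSecretCache`, `AuthFailure` and the `fetch_secret_data` hook are hypothetical names, the JSON field names `AccessKeyId` and `AccessKeySecret` are an assumption about the secret value's layout, and all sample values are constructed.

```python
import json
import time

class AuthFailure(Exception):
    """Raised by the caller's API wrapper when the AccessKey pair is rejected."""

class RamSecretCache:
    """Caches a dynamic RAM secret's AccessKey pair; re-fetches when stale or rejected."""

    def __init__(self, fetch_secret_data, ttl_seconds=600, clock=time.monotonic):
        # fetch_secret_data is a hypothetical hook: in a real application it
        # wraps the GetSecretValue call and returns the secret value as a string.
        self._fetch, self._ttl, self._clock = fetch_secret_data, ttl_seconds, clock
        self._pair, self._fetched_at = None, 0.0

    def refresh(self):
        data = json.loads(self._fetch())
        # Assumed JSON field names for the stored AccessKey pair.
        self._pair = (data["AccessKeyId"], data["AccessKeySecret"])
        self._fetched_at = self._clock()
        return self._pair

    def get(self):
        stale = self._pair is None or self._clock() - self._fetched_at >= self._ttl
        return self.refresh() if stale else self._pair

    def call(self, api_call):
        """Run api_call(key_id, key_secret); on AuthFailure re-fetch once and retry."""
        try:
            return api_call(*self.get())
        except AuthFailure:
            return api_call(*self.refresh())

def demo():
    """Constructed scenario: a fake KMS rotates the pair between two API calls."""
    state = {"version": 1, "fetches": 0}
    def fake_get_secret_value():  # stand-in for KMS; sample values are constructed
        state["fetches"] += 1
        return json.dumps({"AccessKeyId": f"EXAMPLE-ID-{state['version']}",
                           "AccessKeySecret": f"example-secret-{state['version']}"})
    def api(key_id, key_secret):  # constructed service accepting only the current pair
        if key_id != f"EXAMPLE-ID-{state['version']}":
            raise AuthFailure("AccessKey pair rejected")
        return key_id
    cache = RamSecretCache(fake_get_secret_value)
    first = cache.call(api)
    state["version"] += 1  # rotation: new pair created, old pair retired
    second = cache.call(api)
    return first, second, state["fetches"]
```

The pair is held only in memory and is never written to logs or configuration, so a rotation leaves no stale copy behind.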

Usage notes

  • We recommend that you do not delete RAM users associated with dynamic RAM secrets. Deleting these users causes rotation to fail.

  • If a rotation is already in progress when you request an immediate rotation, the immediate rotation does not take effect.

Limits

KMS can manage AccessKey pairs of RAM users only. It cannot manage the AccessKey pairs of Alibaba Cloud accounts.