Migrate secrets across regions - Key Management Service - Alibaba Cloud Documentation Center

Key Management Service (KMS) secrets are region-specific resources. If you receive a migration notification for a region, migrate your secrets to the destination region as soon as possible to avoid service disruption. The migration approach depends on the secret type.

Secret type	Migration required	Approach
Generic secret (in a KMS instance)	Yes	Migrate using backup and restoration
Generic secret (outside a KMS instance)	Yes	Re-create the secret in the destination region using the API
RAM secret	Migration not supported — delete and re-create	Delete in the source region, then create in the destination region
ApsaraDB RDS secret	No	ApsaraDB RDS instances are region-specific; secrets follow automatically
ECS secret	No	Elastic Compute Service (ECS) instances are region-specific; secrets follow automatically

Generic secret

Constraints

During migration, do not perform operations on the secret in the source region until migration is complete and you have deleted the source secret. For example, do not modify the secret metadata or create a new secret version (for example, do not call PutSecretValue).
After migration, the creation timestamps of the secret and its versions will differ between the source and destination regions. This does not affect your services.

Migrate a generic secret in a KMS instance

If your generic secret was created inside a KMS instance, migrate it using backup and restoration. For details, see Backups.

Migrate a generic secret outside a KMS instance

In the old version of KMS, you can create a generic secret without purchasing a KMS instance. This type of secret is considered "outside a KMS instance." In KMS 3.0, you must purchase a KMS instance before creating a generic secret.

Use the following procedure to re-create the secret in the destination region via API calls.

Step 1: Query and save the secret details in the source region

Call the following APIs in the source region to retrieve all the information you need to re-create the secret:

API	Key parameter	Purpose
`DescribeSecret`	Set `FetchTags` to `true`	Get the secret metadata (name, type, tags, description, extended config)
`ListSecretVersionIds`	Set `IncludeDeprecated` to `true`	Get all secret versions, including deprecated ones
`GetSecretValue`	Call once per version	Get the secret value and value type for each version

Important

The VersionIds in the ListSecretVersionIds response are not sorted by creation time. Sort them locally before proceeding.

For example, if ListSecretVersionIds returns three versions, sort them by creation time:

Version	Created	Stage
v1	January 1, 2023	`001` (initial version)
v2	May 1, 2023	`ACSPrevious`
v3	November 1, 2023	`ACSCurrent`

Step 2: Migrate your application to the destination region

Move your application to the destination region.
Create a credential for the application in the destination region:
- If using an AccessKey pair of a Resource Access Management (RAM) user or RAM role: Create a RAM user or RAM role in the destination region and attach the AliyunKMSSecretAdminAccess policy. See Create a RAM user and grant permissions to the RAM user and Create a RAM role and attach the required policies to the role.
- If using a client key of an application access point (AAP): Purchase a KMS instance first, then create a client key in the destination region. See Create an AAP.
Update the endpoint and credential settings in your application.
KMS endpoints and KMS instance endpoints are different. Configure the endpoint based on the SDK you use. For details, see SDK references.

Step 3: Create the secret in the destination region

Purchase a KMS instance in the destination region. See Instance selection and Purchase and enable a KMS instance.
Create a key in the KMS instance to encrypt the secret. See Getting started with Key Management.

Call the following APIs to re-create the secret with identical metadata, versions, and values:

API	What to set
`CreateSecret`	Use the values from `DescribeSecret` for `secretName`, `secretType`, `Tags`, `Description`, and `ExtendedConfig`. For `VersionId`, use the initial version (v1 in this example). For `SecretData` and `SecretDataType`, use the values from `GetSecretValue` for the initial version.
`PutSecretValue`	Store each remaining version. In this example, call once for v2 and once for v3.
`UpdateSecretVersionStage`	Set the stage for each version. In this example: v1 → `001`, v2 → `ACSPrevious`, v3 → `ACSCurrent`.

Call DescribeSecret in both regions and confirm that the information about the secret is the same.

Step 4: Verify your application

Test your application in the destination region to confirm it can access the secret and runs as expected.

Step 5: Delete the secret in the source region

After confirming the application works correctly in the destination region, delete the secret in the source region. See Manage and use generic secrets.

Use ActionTrail to check recent API calls to a secret before deleting it. Secret-related events include GetSecretValue, DescribeSecret, ListSecretVersionIds, PutSecretValue, UpdateSecret, UpdateSecretVersionStage, UpdateSecretRotationPolicy, and RestoreSecret. See Use ActionTrail to query KMS events and Audit events of KMS.

RAM secret

Migration is not supported. A RAM user can have only one RAM secret in KMS. To move a RAM secret to a new region, delete it in the source region and create a new one in the destination region.

Warning

Before deleting a RAM secret from KMS, make sure it is no longer in use. Deleting the RAM secret from KMS does not delete the associated AccessKey pair.

ApsaraDB RDS secret

Migration is not required. ApsaraDB RDS instances are region-specific resources, so the associated secrets do not need to be migrated separately.

ECS secret

Migration is not required. Elastic Compute Service (ECS) instances are region-specific resources, so the associated secrets do not need to be migrated separately.