If Key Management Service (KMS) releases a new image version and you want to use the new features of the image version for your KMS instance, you must manually upgrade the image version. This topic describes how to upgrade the image version of a KMS instance.
Impacts
The upgrade requires approximately 30 minutes to complete. Your services may be interrupted during the upgrade. After the upgrade is complete, your services are restored to normal. We recommend that you upgrade the image version during off-peak hours.
Upgrade the image version
Only instances of the software key management whose image version is later than dkms-1.3.0 are supported.
Only the owner of the KMS instance can upgrade the image version.
The image can be upgraded only to the latest version. The image cannot be upgraded to a specific version.
Check whether the image version of the KMS instance needs to be upgraded.
Log on to the KMS console. In the left-side navigation pane, click Instances. On the Software Key Management tab, find the KMS instance that you want to manage and click Details in the Actions column.
In the Basic Information section of the page, view the information about the Image Version parameter. If Upgrade is displayed, the image version of the KMS instance needs to be upgraded. If The latest version is displayed, no upgrade is required.
Make preparations before the upgrade.
View the features that are supported by the image of the latest version. For more information, see Release notes.
We recommend that you back up the keys and secrets of your KMS instance before the upgrade. For more information, see Backups.
NoteThe backup feature is supported only for instances of the software key management type. You cannot perform backup for other types of instances.
Upgrade the image version.
Click Upgrade. In the panel that appears, select one of the following upgrade methods:
Automatic Upgrade: You must specify a point in time at which you want the image version to be automatically upgraded. You can set the time to any point in time within 30 days. You can also modify the upgrade time before the upgrade.
Manual Upgrade: After you click OK, the image version is immediately upgraded.
Wait for approximately 30 minutes and check whether the upgrade is successful.
If Status is Succeeded, the upgrade is successful. If Upgrade Status is Failed, contact Alibaba Cloud technical support.
Check whether your services run as expected after the upgrade.
Check whether the KMS instance is in the Enabled state.
Test critical features to ensure that cryptographic operations can be performed and secrets can be obtained.
On the Overview page, you can check whether 4xx error requests or 5xx error requests persist within 1 hour. If no errors occur, your services run as expected.
Roll back the image version
If service failures occur after you upgrade the image to the latest version, you can roll back the upgrade within one week after the upgrade.
Log on to the KMS console. In the left-side navigation pane, click Instances. On the Software Key Management tab, find the KMS instance that you want to manage and click Details in the Actions column. Then, click Roll Back Now. If the rollback fails, contact Alibaba Cloud technical support.
References
For more information about how to view the events of the image version upgrade, see Use ActionTrail to query KMS events.
For more information about how to handle 4xx and 5xx error requests, see Common error codes.