
Key Management Service: Manage AAPs

Last Updated: Dec 15, 2023

You can create an application access point (AAP) to control how an application uses secrets.


This topic applies only to users of the old version of Key Management Service (KMS). If you use KMS 3.0, see SDK references.

Create an AAP

  1. Log on to the KMS console.

  2. In the top navigation bar, select the region where you want to create an AAP.

  3. In the left-side navigation pane, click Applications.

  4. Click Create Application Access Point.

  5. In the Create Application Access Point dialog box, configure the basic AAP information.

    1. Configure Name and Description.


      The name of the AAP must be unique in the selected region within your Alibaba Cloud account.

    2. In the Authentication Method section, specify an authentication method.

      Authentication method

      RAMRole

      If you bind a RAM role to the environment in which your application runs, you can use the RAMRole authentication method. Your application can run on an Elastic Compute Service (ECS) instance, in a Container Service for Kubernetes (ACK) cluster, or in Function Compute. In this case, you must configure the following parameters:

      • Trusted Role: KMS verifies the delegated trust rules of the RAM role to authenticate your application. You can configure this parameter to specify the type of the RAM role. Then, the system automatically configures the delegated trust rules based on the type of the RAM role.

        Valid values:

        • ECS Instance Role: If your application is deployed on an ECS instance, select this value.

        • ACK Worker Role: If your application is deployed in an ACK cluster, select this value.

        • Function Compute Role: If your application is deployed in Function Compute, select this value.

      • Role Name: You must enter the name of the RAM role.

      Example:

      • Trusted Role: ECS Instance Role

      • Role Name: ECSRole

      Client Key

      You can use the ClientKey authentication method and bind a client key to the AAP. KMS uses the client key to authenticate your application.

      If you use this method, you must bind a client key to the AAP after you create the AAP. For more information, see Bind a client key to the AAP.


    3. Click Next.

  6. Configure permission policies.

    1. Click the plus icon to the right of Policies.

    2. In the RBAC Policy dialog box, configure the parameters and click Create.




      Policy Name

      The name of the permission policy.



      Scope

      The scope of the permission policy.

      Valid values:

      • Shared KMS: The permission policy applies to KMS.

      • ID of a dedicated KMS instance: The permission policy applies to a specified dedicated KMS instance.

      Example: Shared KMS

      RBAC Permissions

      The permission management template. The template specifies the operation that can be performed on specific resources.

      Valid values:

      • SecretUser: performs secret-related operations on KMS. You can call the GetSecretValue operation.

      • CryptoServiceKeyUser: performs cryptographic operations on a dedicated KMS instance.


      Accessible Resources

      The resources on which the permission policy takes effect. You can use one of the following methods to configure resources:

      • Method 1: In the Resources section, select existing resources and click the arrow icon.

      • Method 2: In the Selected Resources section, click the plus icon, enter resources, and then click Add.


        You can use the asterisk (*) wildcard character as a suffix.


      Network Access Rules

      The network type and IP address that can access KMS based on the permission policy.

      In the Available Rules section, select existing rules or perform the following steps to create a rule.

      1. Click the plus icon.

      2. In the Create Network Access Rule dialog box, configure the following parameters:

        • Name: Specify the name of the network access rule.

        • Network Type: Select the type of network that you want to use to access KMS.

          Valid values:

          • Public: If your application accesses the KMS instance by using a public endpoint, select this value.

          • VPC: If your application accesses the KMS instance by using a virtual private cloud (VPC) address, select this value.

          • Private: If your application accesses Dedicated KMS over a VPC, select this value.

        • Description: Enter a description for the network access rule.

        • Allowed IP addresses: Enter the addresses that can access KMS.

          Valid values:

          • If you set Network Type to Public, enter public IP addresses.

          • If you set Network Type to VPC, enter the ID of a VPC and the IP addresses or CIDR blocks of the VPC.

          • If you set Network Type to Private, enter private IP addresses or CIDR blocks.


          Separate multiple IP addresses with commas (,).

      3. Click Create.

      4. Select the rule and click the arrow icon.

      Example:

      • Name: Network

      • Network Type: VPC

      • Description: Access the specified VPC

      • VPC ID: vpc-bp1drih00fwsrgz2p****

      • Allowed IP addresses:

    3. Select the permission policy and click the arrow icon.

    4. Click Next.

  7. Check the information and click Create.
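
The Allowed IP addresses constraints listed for each Network Type in step 6 can be checked before a rule is entered in the console. The following Python example is added here and is not Alibaba Cloud code; `lint_rule`, the VPC ID pattern and the sample rules are assumptions made for illustration, and the public/private test relies on the classification in Python's `ipaddress` module.

```python
import ipaddress
import re

# VPC ID shape inferred from the page's masked example value; an assumption.
VPC_ID = re.compile(r"^vpc-[a-z0-9]+$")

def lint_rule(network_type, allowed, vpc_id=None):
    """Return findings for one network access rule; an empty list means it passes."""
    if network_type not in ("Public", "VPC", "Private"):
        return [f"unknown Network Type: {network_type}"]
    findings = []
    if network_type == "VPC" and not (vpc_id and VPC_ID.match(vpc_id)):
        findings.append("VPC rule has no valid VPC ID")
    # The page's separator for multiple addresses is a comma.
    entries = [e.strip() for e in allowed.split(",") if e.strip()]
    if not entries:
        findings.append("Allowed IP addresses is empty")
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not an IP address or CIDR block")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address")
        elif network_type == "Public" and net.is_private:
            findings.append(f"{entry}: private range in a Public rule")
        elif network_type == "Private" and not net.is_private:
            findings.append(f"{entry}: public range in a Private rule")
    return findings

# Constructed sample rules (not taken from any real account).
SAMPLES = [
    ("Public", "8.8.8.8, 10.0.0.5", None),
    ("VPC", "192.168.0.0/24,192.168.1.10", "vpc-example0001"),
    ("Private", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for ntype, allowed, vpc in SAMPLES:
        print(ntype, allowed, "->", lint_rule(ntype, allowed, vpc) or "OK")
```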

Bind a client key to the AAP

After you create a client key-based AAP, you must bind a client key to the AAP. The client key is used to identify the AAP.

  1. Click the name of the AAP.

  2. In the Client Key section, click Create Client Key.

  3. In the Create Client Key dialog box, configure the parameters.




    Encryption Password

    The password that is used to decrypt the private key file of the client key when the client key is used to access KMS. Keep the password confidential.


    Validity Period

    The validity period of the client key.

    Example: April 3, 2022 to March 4, 2027

  4. Click OK.

  5. In the Created dialog box, obtain the content of Password and Client Key.

    • Password: Click Copy to the right of Decryption Password to obtain the password.

    • Client Key: Click Download Client Key to obtain the content of the client key.

      The client key file contains the ID of the key (KeyId) and the private key data (PrivateKeyData). Example:

        {
          "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
          "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
        }

      KMS does not save the private key of the client key. The private key is stored in an encrypted PKCS#12 file. You can obtain the file only when you create the client key. Keep the file confidential.
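
Because the client key file can be downloaded only once and must stay confidential, it is worth checking the stored copy before an application depends on it. The following Python example is added here and is not Alibaba Cloud code: it checks POSIX file permissions and confirms that PrivateKeyData is a complete base64-encoded PKCS#12 container, without needing the decryption password. The function names, the `KAAP.` prefix check (inferred from the example KeyId above) and the sample file are assumptions.

```python
import base64
import json
import os
import stat

def der_header(buf):
    """Return (offset, length) of the content of the outer DER element."""
    if len(buf) < 2:
        raise ValueError("too short")
    if buf[1] < 0x80:                      # short-form length
        return 2, buf[1]
    n = buf[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("bad length")
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")

def check_client_key(path):
    """Return findings for a client key file; an empty list means it passes."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:o}: accessible beyond the owner")
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    # Prefix inferred from the page's example KeyId; an assumption.
    if not str(doc.get("KeyId", "")).startswith("KAAP."):
        findings.append("KeyId is missing or lacks the KAAP. prefix")
    try:
        der = base64.b64decode(str(doc.get("PrivateKeyData", "")), validate=True)
        off, length = der_header(der)
    except ValueError:
        return findings + ["PrivateKeyData is not base64-encoded DER"]
    # A PKCS#12 PFX (RFC 7292) is a SEQUENCE that begins with INTEGER 3.
    if der[0] != 0x30 or der[off:off + 3] != b"\x02\x01\x03":
        findings.append("PrivateKeyData is not a PKCS#12 v3 container")
    elif off + length != len(der):
        findings.append("PrivateKeyData is truncated or has trailing bytes")
    return findings

def write_sample(path, mode=0o600, cut=0):
    """Write a constructed stand-in file (header bytes only, no real key)."""
    body = b"\x02\x01\x03" + bytes(16)
    der = (b"\x30" + bytes([len(body)]) + body)[: 21 - cut]
    doc = {"KeyId": "KAAP.00000000-0000-0000-0000-000000000000",
           "PrivateKeyData": base64.b64encode(der).decode()}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    os.chmod(path, mode)
```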