All Products
Document Center

Key Management Service:Overview

Last Updated:Apr 19, 2024

A Resource Access Management (RAM) secret stores an AccessKey pair of a RAM user. An AccessKey pair consists of an AccessKey key and an AccessKey secret. The secret is used to authenticate the RAM user when the RAM user calls Alibaba Cloud APIs. KMS rotates a RAM secret on a regular basis to provide a dynamic RAM secret. This reduces the risks of RAM secret leaks. KMS also allows you to immediately rotate a RAM secret to change the AccessKey pair in use. This is useful when a RAM secret is leaked.

Use dynamic RAM secrets

If you use a dynamic RAM secret in your application, you do not need to configure AccessKey pairs in the application. If you create a dynamic RAM secret in KMS and configure an automatic rotation interval, your application can call the GetSecretValue operation to obtain a valid AccessKey pair. Then, your application can use the AccessKey pair to call Alibaba Cloud APIs.

After a RAM secret is rotated, the AccessKey pair of the RAM user that is associated with the secret is synchronously updated. We recommend that you do not delete RAM users that are associated with dynamic RAM secrets. If you delete RAM users that are associated with dynamic RAM secrets, the secrets fail to be rotated.


You can use a dynamic RAM secret in the following process:

  1. Authorize KMS to manage AccessKey pairs of RAM users.

  2. Create a dynamic RAM secret.

  3. Connect an application to KMS.

  4. Use the dynamic RAM secret to access Alibaba Cloud services.

Usage notes

If your RAM secret is being rotated and you initiate an immediate rotation request, the immediate rotation does not take effect.


KMS can manage only the AccessKey pairs of RAM users. KMS cannot manage the AccessKey pairs of Alibaba Cloud accounts.