
Key Management Service: Change a client key

Last Updated: Jan 24, 2024

A client key is valid for one year to five years. We recommend that you change client keys on a yearly basis. If your client key is about to expire, you must change the client key at the earliest opportunity. If your client key expires, your application cannot use the client key to access Key Management Service (KMS). This topic describes how to change a client key.

Step 1: Create a client key

  1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Applications.

  2. Click the Application Access tab. Then, search for the required application access point (AAP) by Instance ID or AAP name.

  3. Click the name of the AAP. On the details page, click the Client Key tab and then click Create Client Key.

  4. In the Create Client Key panel, configure the Encryption Password and Validity Period parameters.

    • Encryption Password: The password must be 8 to 64 characters in length and can contain digits, letters, and the following special characters: ~ ! @ # $ % ^ & * ? _ -.

    • Validity Period: The default value is five years. We recommend that you set the validity period to one year to reduce the risk of client key leaks.

  5. Click OK. The browser automatically downloads the client key that is created.

    The client key contains Application Access Secret (ClientKeyContent) and Password. By default, Application Access Secret (ClientKeyContent) is saved in a file whose name is in the clientKey_****.json format. By default, Password is saved in a file whose name is in the clientKey_****_Password.txt format.

Step 2: Change the client key of a self-managed application

In this example, KMS Instance SDK for Java is used. When you create a client, you must replace clientKeyPass with your new password and replace clientKeyFilePath or clientKey with your new credential.

Step 3: Check whether the old client key is still in use

Check whether your old client key is still in use to confirm that the change is complete for all applications. After you confirm that the old client key is no longer in use, delete the client key.

  1. Obtain the ID of the old client key.

  2. In the left-side navigation pane, choose Security Operations > Simple Log Service for KMS. Then, select the ID of your instance.

  3. Enter the ID of the client key in the search box below kms_audit_log to check whether the client key is still in use.

    If the client key is still in use, the change is not complete for all applications. You can identify the applications for which the client key is not changed based on fields such as client_ip and useragent.
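An offline version of this check, as an added example that is not part of the original documentation: it scans audit records exported as JSON lines for the old client key ID and groups the hits by client_ip and useragent. The export format, the `time` and `client_key_id` field names, and all sample values are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample export, one JSON record per line. Only client_ip and
# useragent are field names from the page; "time" and "client_key_id" are assumed.
SAMPLE_EXPORT = """\
{"time": "2024-01-20T08:00:01Z", "client_ip": "10.0.1.15", "useragent": "billing-svc/2.3", "client_key_id": "old-client-key-id-example"}
{"time": "2024-01-20T08:05:00Z", "client_ip": "10.0.1.15", "useragent": "billing-svc/2.3", "client_key_id": "old-client-key-id-example"}
{"time": "2024-01-20T09:00:00Z", "client_ip": "10.0.2.20", "useragent": "report-job/1.0", "client_key_id": "new-client-key-id-example"}
{"time": "2024-01-20T09:30:00Z", "client_ip": "10.0.3.7", "useragent": "legacy-cron/0.9", "client_key_id": "old-client-key-id-example"}
not a json line
{"time": "2024-01-20T10:00:00Z", "client_ip": "10.0.1.15", "useragent": "billing-svc/2.3", "client_key_id": "new-client-key-id-example"}
"""


def remaining_users(export_text, old_key_id):
    """Return ({(client_ip, useragent): {"count", "last_seen"}}, skipped_lines)."""
    users = defaultdict(lambda: {"count": 0, "last_seen": ""})
    skipped = 0
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            skipped += 1  # count unparseable lines so gaps in the export are visible
            continue
        # Match the ID in any field value, like pasting it into the search box,
        # so the result does not depend on which field carries the key ID.
        if not any(old_key_id in str(value) for value in record.values()):
            continue
        entry = users[(record.get("client_ip", "unknown"), record.get("useragent", "unknown"))]
        entry["count"] += 1
        # ISO 8601 UTC timestamps in one format compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], str(record.get("time", "")))
    return dict(users), skipped


if __name__ == "__main__":
    users, skipped = remaining_users(SAMPLE_EXPORT, "old-client-key-id-example")
    for (ip, agent), info in sorted(users.items()):
        print(f"{ip}  {agent}  requests={info['count']}  last_seen={info['last_seen']}")
    print(f"safe to delete: {not users and skipped == 0} (skipped lines: {skipped})")
```

An empty result only shows that the key did not appear in the exported time range, so export a window long enough to cover periodic jobs before deleting the key.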

Step 4: Delete the old client key


The deletion of a client key takes effect immediately. Before you delete a client key, make sure that the client key is no longer in use. Otherwise, your applications may fail to access the required KMS instance.

  1. Find the old client key on the Client Key tab and click Delete in the Actions column.

  2. In the Delete Client Key message, click OK.

  3. Complete security verification. Then, KMS deletes the client key.