Manage and use ECS secrets - Key Management Service - Alibaba Cloud Documentation Center

Elastic Compute Service (ECS) secrets store the passwords and SSH key pairs that are used for authentication when you log on to ECS instances. Secrets Manager supports periodic rotation and immediate rotation of secrets that are managed in Secrets Manager. This helps reduce the risk of secret leaks. This topic describes how to manage and use ECS secrets.

Overview

To use an ECS secret, you must grant Secrets Manager the permissions to manage the passwords and SSH key pairs of ECS instances. When you log on to the ECS instances, you can retrieve the required secrets from Secrets Manager.

When the periodic rotation and immediate rotation of an ECS secret is triggered, Secrets Manager sends a secret rotation command to Cloud Assistant. Then, Cloud Assistant calls the secret plug-in installed on the ECS instance for which the ECS secret is created to complete the secret rotation. After the ECS secret is rotated, you can use the new secret to log on to the ECS instance.

Important

After an ECS secret is rotated, the password or SSH key pair of the ECS instance for which the secret is created is also updated. If you delete an ECS instance that is associated with a secret, the secret rotation may fail. We recommend that you do not delete the ECS instance that is associated with a secret.

Limits

Linux-based ECS instances support the rotation of passwords and SSH key pairs, whereas Windows-based ECS instances support the rotation of only passwords.

Prerequisites

A KMS instance is created and enabled. For more information, see Purchase and enable a KMS instance.
A key is created. For more information, see Getting started with Key Management.
An ECS instance is created. For more information, see Create an ECS instance.
If you use a RAM user or a RAM role to manage ECS secrets, the AliyunKMSSecretAdminAccess system policy is attached to the RAM user or the RAM role. For more information, see Grant permissions to RAM users or Grant permissions to a RAM role.

Step 1: Create an ECS secret

When you create a secret, you can configure periodic rotation for the secret. This helps reduce the risk of secret leaks.

Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

Click the ECS Secrets tab, select the required instance ID from the Instance ID drop-down list, and then click Create Secret. Then, configure the parameters and click OK.

Parameter	Description
Secret Name	The name of the secret.
Managed Instance	The existing ECS instance that you want to manage within your Alibaba Cloud account.
Managed User	The name of an existing user on the ECS instance, such as the root user for Linux operating systems or the Administrator user for Windows operating systems.
Initial Secret Value	Password: the password of the user that is used to log on to the ECS instance. Key Pair: the SSH key pair of the user that is used to log on to the ECS instance. Note Enter a valid secret value. If you enter an invalid secret value, the password or key pair that you retrieve from KMS cannot be used to log on to the ECS instance before the first time the ECS secret is rotated.
CMK	The key that is used to encrypt the secret. Important Your key and secret must belong to the same KMS instance. The key must be a symmetric key. For more information about the symmetric keys supported by KMS, see Key types and specifications.
Tag	The tag that you want to add to the secret. You can use tags to classify and manage secrets. A tag consists of a key-value pair. Note A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), and at signs (@). A tag key cannot start with aliyun or acs:. You can configure up to 20 key-value pairs for each secret.
Automatic Rotation	Specifies whether to enable automatic secret rotation.
Rotation Period	The period of automatic secret rotation. This setting is required only when you select Enable Automatic Rotation. The value ranges from 1 hour to 365 days. Secrets Manager periodically updates the secret based on the value of this parameter.
Description	The description of the secret.

Note

When you create an ECS secret, the system automatically creates the AliyunServiceRoleForKMSSecretsManagerForECS service-linked role and attaches the AliyunServiceRolePolicyForKMSSecretsManagerForECS policy to the role. Secrets Manager assumes the role to manage dynamic ECS secrets, such as rotating passwords or SSH key pairs of ECS instances.

You can log on to the RAM console to view the details of service-linked roles and policies. For more information, see View the information about a RAM role and View the basic information about a policy.

Step 2: Install Secrets Manager Client in your application

Secrets Manager Client encapsulates secret cache, best practices, and design patterns based on the Secrets Manager API. This way, you can easily integrate the capabilities of Secrets Manager into business systems. For more information, see Secrets Manager Client.

What to do next

Rotate an ECS secret

You can configure periodic secret rotation to reduce the risk of secret leaks. If a secret is leaked, you can immediately rotate the secret in the KMS console to eliminate intrusion risks.

Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.
Click the ECS Secrets tab, select the required instance ID from the Instance ID drop-down list, find the secret that you want to rotate, and then click Details in the Actions column.
Configure a secret rotation policy.
- Periodic rotation: In the upper-right corner of the page, click Configure Rotation Policy, enable or disable Automatic Rotation, and then click OK.
- Immediate rotation: In the upper-right corner of the page, click Rotate Now. In the Configure Rotation Policy dialog box, turn on or off Use Custom Secrets and then click OK.
  - If you turn on the switch, you must specify a new secret value.
  - If you turn off the switch, Key Management Service (KMS) automatically creates a 32-character random password or a RSA-2048 SSH key pair.

Delete an ECS secret

Before you delete a secret, make sure that you no longer require the secret. You can immediately delete a secret or create a scheduled task to delete a secret.

Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.
Click the ECS Secrets tab, select the required instance ID from the Instance ID drop-down list, find the secret that you want to delete, and then click Schedule Deletion in the Actions column.
In the Schedule Deletion dialog box, select a method to delete the secret and click OK.
- If you select Schedule Deletion, configure Retention Period (7 to 30 Days). When the scheduled deletion period ends, KMS deletes the secret.
- If you select Delete Immediately, the system immediately deletes the secret.
During the scheduled deletion period, you can click Restore Secret in the Actions column to cancel the deletion.

Add tags to secrets

You can use tags to classify and manage secrets. A tag consists of a key-value pair.

Note

A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), and at signs (@).
A tag key cannot start with aliyun or acs:.
You can configure up to 20 key-value pairs for each secret.

Add tags for a secret

Method	Description
Method 1: Add tags on the Secrets page	Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, find the secret to which you want to add tags, and then click the icon in the Tag column. Click Add. In the Edit Tag dialog box, enter multiple Tag Key and Tag Value, and then click OK. In the message that appears, click Close. In the Edit Tag dialog box, you can change the tag values and remove multiple tags at a time.
Method 2: Add tags on the Secret Details page	Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, find the secret to which you want to add tags, and then click Details in the Actions column. On the secret details page, click the icon next to Tag. In the Edit Tag dialog box, enter multiple Tag Key and Tag Value and then click OK. In the message that appears, click Close. In the Edit Tag dialog box, you can change the tag values and remove multiple tags at a time.

Configure tags for multiple secrets at a time

Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.
Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, and then select the secrets that you want to manage in the secret list.
- Add tags: In the lower part of the secret list, click Add Tag. In the Add Tag dialog box, enter multiple Tag Key and Tag Value, and then click OK. In the message that appears, click Close.
- Remove tags: In the lower part of the secret list, click Remove Tag. In the Batch Remove dialog box, select the tags that you want to remove and click Remove. In the message that appears, click Close.

FAQ

When I configure a secret rotation policy or immediately rotate a secret, the system prompts the error message "Your secret is being rotated. Try again later." What is the reason?