Create access credentials

更新时间:
复制 MD 格式

KMS supports RAM-based authentication for OpenAPI access through both shared and dedicated gateways. This topic covers four credential types: AccessKey, Security Token Service (STS) token, RamRoleArn, and ECS instance RAM role.

Important

Prefer temporary credentials — STS tokens, RamRoleArn, or ECS instance RAM roles — over long-term AccessKey pairs. Temporary credentials expire automatically and reduce the risk of key leakage.

Choose a credential type

Credential typeWho it's forLifetimeRecommended?
AccessKeyRAM users that need long-term programmatic accessPermanent (until rotated or deleted)Use only when temporary credentials aren't feasible
STS tokenApplications that need scoped, time-limited accessMinutes to hours, then auto-expiresYes
RamRoleArnRAM users or cloud services assuming a role for a taskTemporary, expires on role releaseYes
ECS instance RAM roleApplications running on ECS that call KMSTemporary STS tokens, auto-rotatedYes, for ECS workloads

AccessKey

An AccessKey pair grants long-term programmatic access. Because Alibaba Cloud account permissions can't be restricted, never create an AccessKey for your Alibaba Cloud account — if the key is compromised, the entire account is at risk. Instead, create a RAM user with API access mode enabled, generate an AccessKey pair for that RAM user, and grant only the permissions required for KMS operations.

For background, see Create an AccessKey pair.

  1. Log on to the RAM console using an Alibaba Cloud account, a RAM administrator with the AliyunRAMFullAccess policy, or a RAM user authorized to manage AccessKey pairs.

  2. In the left-side navigation pane, choose Identities > Users, and click the target RAM user.

  3. On the Authentication tab, click Create AccessKey and follow the prompts.

    image

  4. Grant the RAM user access to KMS. See Grant KMS access below.

STS token

Security Token Service (STS) issues temporary access credentials to RAM users or RAM roles. The credentials carry only the permissions specified in the policy and automatically expire after the validity period.

  1. Log on to the RAM console using an Alibaba Cloud account or a RAM user with administrative rights.

  2. Create a RAM user (for user-based access) or create a RAM role (for role-based access).

  3. Grant AliyunSTSAssumeRoleAccess permission: grant it to the RAM user or grant it to the RAM role.

    image

  4. Grant the RAM user or RAM role access to KMS. See Grant KMS access below.

  5. Use the RAM user or RAM role to call the AssumeRole API of STS to obtain temporary access credentials.

RamRoleArn

RamRoleArn lets a RAM user or cloud service assume a RAM role to get temporary permissions without using a long-term AccessKey pair. When the task completes, the role's permissions are automatically revoked.

RamRoleArn is the ARN of the RAM role, in the format acs:ram::$accountID:role/$roleName.

  1. Log on to the RAM console using an Alibaba Cloud account or a RAM user with administrative rights.

  2. Create a RAM role.

  3. Grant the RAM role access to KMS. See Grant KMS access below.

  4. View the RamRoleArn of the RAM role.

    image

ECS instance RAM role

An ECS instance RAM role is a service role attached to an ECS instance, with ECS as the trusted entity. Applications on the instance can retrieve temporary STS tokens without storing an AccessKey pair, then use those tokens to call KMS OpenAPI operations.

  1. Log on to the RAM console and create an instance RAM role with the following settings:

    • Principal Type: Cloud Service

    • Principal Name: Elastic Compute Service / ECS

  2. Grant the instance RAM role access to KMS. See Grant KMS access below.

  3. Log on to the ECS console and attach the instance RAM role to the target ECS instance.

    image

Grant KMS access

For all credential types, grant KMS access using one of the following methods:

  • Identity-based policies: Attach a KMS system policy or a custom policy to the RAM user or RAM role. For available system policies, see System policies for KMS.

  • Resource-based policies: Set access permissions directly on KMS keys or secrets to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use them. For details, see Key policies for key-level access control and Secret policies for secret-level access control.

What's next

For additional credential types and advanced configuration options, see Manage Access Credentials.