The following is a runnable Go program that initializes the client and retrieves a secret value.
package main
import (
"fmt"
"io/ioutil"
"github.com/alibabacloud-go/tea/tea"
dedicatedkmsopenapi "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi"
dedicatedkmsopenapiutil "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/openapi-util"
dedicatedkmssdk "github.com/aliyun/alibabacloud-dkms-gcs-go-sdk/sdk"
)
// main builds a KMS instance client, fetches one secret and prints its name
// and the request ID. The secret payload itself is deliberately never printed.
func main() {
	// Placeholder: replace with the name of the secret stored in the KMS instance.
	secretName := "<DKMS_SECRET_NAME>"

	// Client built from inline ClientKey content; getDkmsClientByClientKeyFile()
	// is the file-path alternative.
	c := getDkmsClientByClientKeyContent()

	req := &dedicatedkmssdk.GetSecretValueRequest{
		SecretName: tea.String(secretName),
	}

	// Pin the server CA so the TLS handshake validates the KMS endpoint.
	// ioutil.ReadFile is deprecated since Go 1.16; os.ReadFile is the drop-in replacement.
	caPEM, err := ioutil.ReadFile("path/to/caCert.pem")
	if err != nil {
		panic(err)
	}
	opts := &dedicatedkmsopenapiutil.RuntimeOptions{
		Verify: tea.String(string(caPEM)),
	}
	// RuntimeOptions also exposes IgnoreSSL (tea.Bool(true)), which disables
	// server certificate validation entirely; keep it off outside local testing.

	resp, err := c.GetSecretValueWithOptions(req, opts)
	if err != nil {
		// Error codes for GetSecretValue are listed in the API reference:
		// https://www.alibabacloud.com/help/en/kms/key-management-service/developer-reference/getsecretvalue-2
		panic(err)
	}

	returnedName := tea.StringValue(resp.SecretName)
	// SecretData is the sensitive payload: consume it in application logic,
	// never log or print it.
	secretData := tea.StringValue(resp.SecretData)
	_ = secretData
	reqID := tea.StringValue(resp.RequestId)

	fmt.Println("SecretName:", returnedName)
	fmt.Println("RequestId:", reqID)
}
// getDkmsClientByClientKeyContent returns a KMS instance SDK client configured
// from inline ClientKey content. It panics if the SDK rejects the config.
//
// The ClientKey content and its password are credentials; the literal
// placeholders below are meant to be replaced at deployment time, not
// committed to source control with real values.
func getDkmsClientByClientKeyContent() *dedicatedkmssdk.Client {
	c, err := dedicatedkmssdk.NewClient(&dedicatedkmsopenapi.Config{
		// The KMS instance service accepts HTTPS only.
		Protocol: tea.String("https"),
		// Contents of the ClientKey file.
		ClientKeyContent: tea.String("<CLIENT_KEY_CONTENT>"),
		// Encryption password chosen when the ClientKey was created.
		Password: tea.String("<CLIENT_KEY_PASSWORD>"),
		// Endpoint of the KMS instance.
		Endpoint: tea.String("<ENDPOINT>"),
	})
	if err != nil {
		panic(err)
	}
	return c
}
// getDkmsClientByClientKeyFile returns a KMS instance SDK client that loads
// the ClientKey from a file path. It panics if the SDK rejects the config.
//
// The ClientKey file and its password are credentials; restrict read access
// to the file and supply the password from a secret store rather than a
// source literal.
func getDkmsClientByClientKeyFile() *dedicatedkmssdk.Client {
	c, err := dedicatedkmssdk.NewClient(&dedicatedkmsopenapi.Config{
		// The KMS instance service accepts HTTPS only.
		Protocol: tea.String("https"),
		// Path to the ClientKey file.
		ClientKeyFile: tea.String("<CLIENT_KEY_FILE>"),
		// Encryption password chosen when the ClientKey was created.
		Password: tea.String("<CLIENT_KEY_PASSWORD>"),
		// Endpoint of the KMS instance.
		Endpoint: tea.String("<ENDPOINT>"),
	})
	if err != nil {
		panic(err)
	}
	return c
}
Replace the following placeholders before running the code:
| Placeholder | Description | Example |
|---|---|---|
| <DKMS_SECRET_NAME> | Name of the secret stored in your KMS instance | my-db-password |
| <CLIENT_KEY_CONTENT> | Content of the ClientKey file | (paste the file content) |
| <CLIENT_KEY_FILE> | Path to the ClientKey file | /etc/kms/clientKey.json |
| <CLIENT_KEY_PASSWORD> | Encryption password set when creating the ClientKey | (your password) |
| <ENDPOINT> | KMS instance endpoint | kst-xxxx.cryptoservice.kms.aliyuncs.com |
Expected output
A successful call prints the secret name and request ID:
SecretName: my-db-password
RequestId: a1b2c3d4-xxxx-xxxx-xxxx-xxxxxxxxxxxx
The secret value (SecretData) is retrieved but intentionally not printed. Use it directly in your application logic to avoid exposing sensitive data in logs.