Use the Alibaba Cloud SDK to connect your application to Key Management Service (KMS). The initialization differs by gateway type: a shared gateway requires only an endpoint, while a dedicated gateway also requires a CA certificate to authenticate the KMS instance's SSL/TLS connection.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account with KMS enabled
AccessKey credentials stored as environment variables (
ALIBABA_CLOUD_ACCESS_KEY_IDandALIBABA_CLOUD_ACCESS_KEY_SECRET)(Dedicated gateway only) A KMS instance. See Manage access credentials for supported authentication methods
Both shared and dedicated gateways support the same RAM-based authentication methods: AccessKey (AK), Security Token Service (STS) Token, RamRoleArn, and ECS instance RAM role. For production workloads, use STS tokens instead of long-lived AccessKey credentials. The examples below use AccessKey for simplicity.
Gateway comparison
| Shared gateway | Dedicated gateway | |
|---|---|---|
| Endpoint format | kms.<REGION_ID>.aliyuncs.com (public network) or kms-vpc.<REGION_ID>.aliyuncs.com (VPC) | <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com |
| CA certificate | Not required | Required for SDK V2.0; SDK V1.0 must set HTTPSInsecure to true instead |
Initialize the client through a shared gateway
public static com.aliyun.kms20160120.Client createClient() throws Exception {
// Avoid hardcoding credentials. Use STS tokens for higher security:
// https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
// Required. Set ALIBABA_CLOUD_ACCESS_KEY_ID in your runtime environment.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
// Required. Set ALIBABA_CLOUD_ACCESS_KEY_SECRET in your runtime environment.
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// Shared gateway endpoint format: kms.<REGION_ID>.aliyuncs.com
// For VPC access: kms-vpc.<REGION_ID>.aliyuncs.com
// Example uses Singapore (ap-southeast-1).
config.endpoint = "kms.ap-southeast-1.aliyuncs.com";
return new com.aliyun.kms20160120.Client(config);
}Endpoint
Set config.endpoint to one of the shared gateway endpoint formats:
Public network:
kms.<REGION_ID>.aliyuncs.comVPC:
kms-vpc.<REGION_ID>.aliyuncs.com
Replace <REGION_ID> with the region where your KMS resources are located, for example cn-hangzhou or ap-southeast-1.
Initialize the client through a dedicated gateway
public static com.aliyun.kms20160120.Client createClient() throws Exception {
// Avoid hardcoding credentials. Use STS tokens for higher security:
// https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials
com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
// Required. Set ALIBABA_CLOUD_ACCESS_KEY_ID in your runtime environment.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
// Required. Set ALIBABA_CLOUD_ACCESS_KEY_SECRET in your runtime environment.
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
// Dedicated gateway endpoint format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
// Find your instance ID on the Instances page (see "Endpoint" below).
config.endpoint = "kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com";
// CA certificate content for the KMS instance.
// Download it from the instance details page (see "CA certificate" below).
config.ca = "<INSTANCE_CA_CERTIFICATE>";
return new com.aliyun.kms20160120.Client(config);
}Endpoint
The dedicated gateway endpoint follows the format <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com. To find your instance's endpoint:
Go to the Instances page and click either the Software Key Management or Hardware Key Management tab.
Click the target KMS instance.
In the Basic Information section, copy the value from the Instance VPC Endpoint field.

CA certificate
The CA certificate authenticates the KMS instance's SSL/TLS connection and is required for production environments. To download it:
On the Instances page, click either the Software Key Management or Hardware Key Management tab, then click the target instance.
Click the instance ID or Details in the Actions column.
On the details page, click download next to Instance CA Certificate.
The downloaded file is named PrivateKmsCA_kst-******.pem by default.

The ca parameter is supported only by Alibaba Cloud SDK V2.0. If you use SDK V1.0, skip the config.ca line and set HTTPSInsecure to true on the client instead: client.SetHTTPSInsecure(true). To skip SSL/TLS verification in non-production environments (such as offline testing), also use client.SetHTTPSInsecure(true).