Initialize the client

更新时间:
复制 MD 格式

Use the Alibaba Cloud SDK to connect your application to Key Management Service (KMS). The initialization differs by gateway type: a shared gateway requires only an endpoint, while a dedicated gateway also requires a CA certificate to authenticate the KMS instance's SSL/TLS connection.

Prerequisites

Before you begin, make sure you have:

  • An Alibaba Cloud account with KMS enabled

  • AccessKey credentials stored as environment variables (ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET)

  • (Dedicated gateway only) A KMS instance. See Manage access credentials for supported authentication methods

Note

Both shared and dedicated gateways support the same RAM-based authentication methods: AccessKey (AK), Security Token Service (STS) Token, RamRoleArn, and ECS instance RAM role. For production workloads, use STS tokens instead of long-lived AccessKey credentials. The examples below use AccessKey for simplicity.

Gateway comparison

Shared gatewayDedicated gateway
Endpoint formatkms.<REGION_ID>.aliyuncs.com (public network) or kms-vpc.<REGION_ID>.aliyuncs.com (VPC)<KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
CA certificateNot requiredRequired for SDK V2.0; SDK V1.0 must set HTTPSInsecure to true instead

Initialize the client through a shared gateway

public static com.aliyun.kms20160120.Client createClient() throws Exception {
    // Avoid hardcoding credentials. Use STS tokens for higher security:
    // https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials
    com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
            // Required. Set ALIBABA_CLOUD_ACCESS_KEY_ID in your runtime environment.
            .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
            // Required. Set ALIBABA_CLOUD_ACCESS_KEY_SECRET in your runtime environment.
            .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
    // Shared gateway endpoint format: kms.<REGION_ID>.aliyuncs.com
    // For VPC access: kms-vpc.<REGION_ID>.aliyuncs.com
    // Example uses Singapore (ap-southeast-1).
    config.endpoint = "kms.ap-southeast-1.aliyuncs.com";
    return new com.aliyun.kms20160120.Client(config);
}

Endpoint

Set config.endpoint to one of the shared gateway endpoint formats:

  • Public network: kms.<REGION_ID>.aliyuncs.com

  • VPC: kms-vpc.<REGION_ID>.aliyuncs.com

Replace <REGION_ID> with the region where your KMS resources are located, for example cn-hangzhou or ap-southeast-1.

Initialize the client through a dedicated gateway

public static com.aliyun.kms20160120.Client createClient() throws Exception {
    // Avoid hardcoding credentials. Use STS tokens for higher security:
    // https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials
    com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
            // Required. Set ALIBABA_CLOUD_ACCESS_KEY_ID in your runtime environment.
            .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
            // Required. Set ALIBABA_CLOUD_ACCESS_KEY_SECRET in your runtime environment.
            .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
    // Dedicated gateway endpoint format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com
    // Find your instance ID on the Instances page (see "Endpoint" below).
    config.endpoint = "kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com";
    // CA certificate content for the KMS instance.
    // Download it from the instance details page (see "CA certificate" below).
    config.ca = "<INSTANCE_CA_CERTIFICATE>";
    return new com.aliyun.kms20160120.Client(config);
}

Endpoint

The dedicated gateway endpoint follows the format <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com. To find your instance's endpoint:

  1. Go to the Instances page and click either the Software Key Management or Hardware Key Management tab.

  2. Click the target KMS instance.

  3. In the Basic Information section, copy the value from the Instance VPC Endpoint field.

image

CA certificate

The CA certificate authenticates the KMS instance's SSL/TLS connection and is required for production environments. To download it:

  1. On the Instances page, click either the Software Key Management or Hardware Key Management tab, then click the target instance.

  2. Click the instance ID or Details in the Actions column.

  3. On the details page, click download next to Instance CA Certificate.

The downloaded file is named PrivateKmsCA_kst-******.pem by default.

image
Important

The ca parameter is supported only by Alibaba Cloud SDK V2.0. If you use SDK V1.0, skip the config.ca line and set HTTPSInsecure to true on the client instead: client.SetHTTPSInsecure(true). To skip SSL/TLS verification in non-production environments (such as offline testing), also use client.SetHTTPSInsecure(true).