Rotate a client key

A client key has a validity period of 1 to 5 years. As a security best practice, we recommend rotating client keys annually. If a client key is about to expire, you must replace it promptly to prevent your applications from losing access to Key Management Service (KMS). This topic describes how to rotate a client key.

Step 1: Create a new client key

  1. Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose Application Access > Multi-Cloud Access (formerly AAP).

  2. Click the Application Access tab. Find the target application access point (AAP) by filtering by its Instance ID or name.

  3. Click the name of the AAP. On the details page, click the Client Key tab, and then click Create Client Key.

  4. In the Create Client Key dialog box, set the Encryption Password and Validity Period.

    • Encryption Password: Must be 8 to 64 characters in length and contain digits, uppercase and lowercase letters, and the following special characters: ~!@#$%^&*?_-.

    • Validity Period: The default is 5 years. We recommend setting it to 1 year to reduce the risk of compromise.

  5. Click OK. The browser automatically downloads the ClientKey. The ClientKey includes the following files:

    • Credential (ClientKeyContent): The default filename is clientKey_****.json.

    • Credential password (ClientKeyPassword): The default filename is clientKey_****_Password.txt.

Step 2: Update your application

For example, if you use the KMS instance SDK for Java, update the client initialization by replacing the value of clientKeyPass with the new password and the value of clientKeyFilePath or clientKey with the new Application Access Secret.

Step 3: Verify old key usage

You can determine whether the rotation is complete by checking if the old client key is still in use. After you confirm that the old key is no longer in use, delete it promptly.

  1. Obtain the Key ID of the old client key. On the Client Key tab, find the old client key in the list and record its Key ID. You will use this Key ID to query call records in Log Service.

  2. In the left-side navigation pane, choose Security Operations > Simple Log Service for KMS, and then select your instance ID.

  3. In the search box for the kms_audit_log Logstore, enter the old Key ID, such as KAAP.8834xxx, and click Query/Analysis. If the search returns 0 log entries, the old client key is no longer in use.

    If the search returns log entries, the key is still in use by one or more applications. Use the information in fields such as client_ip and useragent to identify which applications have not been updated.
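The check in this step can be scripted once the matching log entries are exported from the Logstore. The following added example (not code from the KMS documentation or the SDK) mirrors the console's full-text search for the old Key ID and then groups the hits by client_ip and useragent so that the applications still using the old key are listed; the sample log lines, their key_id/api/time fields and all values are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample of kms_audit_log entries (JSON lines); not real log data.
# Only client_ip and useragent are field names taken from the rotation guide;
# the remaining fields and every value are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-05-01T10:00:00Z","client_ip":"10.0.1.15","useragent":"payment-svc/2.3","key_id":"KAAP.8834xxx","api":"Encrypt"}
{"time":"2024-05-01T10:00:02Z","client_ip":"10.0.2.7","useragent":"report-batch/1.0","key_id":"KAAP.9f10yyy","api":"Decrypt"}
{"time":"2024-05-01T10:01:09Z","client_ip":"10.0.1.15","useragent":"payment-svc/2.3","key_id":"KAAP.8834xxx","api":"Decrypt"}
{"time":"2024-05-01T10:02:30Z","client_ip":"10.0.3.21","useragent":"inventory-svc/4.1","key_id":"KAAP.8834xxx","api":"GenerateDataKey"}
{"client_ip":"10.0.4.2","key_id":"KAAP.8834xxx"
"""


def find_stale_clients(audit_log: str, old_key_id: str) -> dict:
    """Return {(client_ip, useragent): call_count} for every entry that still
    references old_key_id. An empty dict means the old client key is no longer
    in use. The match is a plain substring test over the raw line, like a
    full-text query for the Key ID in the kms_audit_log Logstore."""
    hits = Counter()
    for line in audit_log.splitlines():
        if old_key_id not in line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            # A truncated or malformed line still proves the key is in use, so
            # keep it under an "<unparsed>" bucket instead of silently dropping it.
            hits[("<unparsed>", "<unparsed>")] += 1
            continue
        hits[(entry.get("client_ip", "<unknown>"),
              entry.get("useragent", "<unknown>"))] += 1
    return dict(hits)


def rotation_complete(audit_log: str, old_key_id: str) -> bool:
    """True only when no log entry references the old client key."""
    return not find_stale_clients(audit_log, old_key_id)


if __name__ == "__main__":
    stale = find_stale_clients(SAMPLE_AUDIT_LOG, "KAAP.8834xxx")
    if not stale:
        print("No calls with the old client key: it can be deleted.")
    for (ip, ua), n in sorted(stale.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} calls  client_ip={ip}  useragent={ua}")
```

Run it against an export of the real query results instead of SAMPLE_AUDIT_LOG; any (client_ip, useragent) pair it prints is an application that has not yet been updated in Step 2.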

Step 4: Delete the old client key

Warning

Deletion takes effect immediately. Before you delete a client key, ensure it is no longer in use. Otherwise, dependent applications will fail to access KMS.

  1. Find the old client key and click Delete in the Actions column.

  2. In the Delete Client Key dialog box, confirm the information and click OK.

  3. After you complete the security verification, KMS deletes the client key.