Use keys and secrets through an application access point-Key Management Service(KMS)-阿里云帮助中心

When you integrate a custom application with the KMS instance SDK or the secrets SDK, you must use a ClientKey from an application access point for identity and permission verification. This topic describes how to create an application access point.

Notes

As a security best practice, create a separate application access point for each application that integrates with KMS. This ensures that access permissions are isolated.
By default, a ClientKey is valid for five years. You can specify a validity period when you create the ClientKey. We recommend that you set the validity period to one year. You must rotate the ClientKey before it expires to avoid service disruptions. For more information, see Rotate a ClientKey.

Prerequisites

You have purchased and enabled a KMS instance. For more information, see Purchase and enable a KMS instance.
You have created a key or a secret. For more information, see Get started with Key Management and Get started with Secrets Manager.

Create an application access point in the console

You can use quick creation or standard creation. If you need to quickly integrate your application with an SDK, you can use quick creation. Compared with standard creation, quick creation has the following limitations:

With quick creation, you can access keys and secrets only through a KMS instance endpoint. Standard creation also allows you to access secrets through a KMS service endpoint.
The validity period of the ClientKey is fixed at five years and cannot be customized. We recommend rotating the ClientKey after one year of use. For more information, see Rotate a ClientKey.
In the permission policy of the application access point, the Accessible Resources parameter defaults to all keys and secrets in the specified KMS instance. You can modify the permission policy after creating the application access point. For more information, see Manage an application access point.

Method 1: Quick creation

Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose Application Access > Multi-Cloud Access (formerly AAP).

On the Application Access tab, click Create AAP. In the Create AAP panel, configure the parameters.

Parameter	Description
Mode	Select Quick Creation.
Scope (KMS Instance)	Select the KMS instance that your application needs to access.
Application Access Point Name	Enter a name for the application access point.
Authentication Method	This is set to ClientKey and cannot be changed.
Default Permission Policy	The value is `key/` `secret/` and cannot be changed. This means the application can access all keys and secrets in the specified KMS instance.

Click OK. The browser automatically downloads the ClientKey. The ClientKey includes the following files:
- Credential (ClientKeyContent): The default filename is clientKey_****.json.
- Credential password (ClientKeyPassword): The default filename is clientKey_****_Password.txt.

Method 2: Standard creation

Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose Application Access > Multi-Cloud Access (formerly AAP).

Create a network access rule.

Note

If you do not need to restrict access based on source IP addresses, you do not need to create a network access rule. However, for better security, we recommend configuring one.

Click the Network Access Rules tab, and then click Create Network Access Rule.

In the Create Network Access Rule panel, configure the parameters and click OK.

Parameter	Description
Rule Name	Enter a name for the network access rule.
Network Type	Private: The application uses a KMS instance endpoint to access keys and secrets. Public: The application uses a KMS service endpoint (public endpoint) to access secrets. VPC: The application uses a KMS service endpoint (VPC endpoint) to access secrets. This option is available only in the China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Zhangjiakou) regions. Note Cryptographic operations: Supported only when you use the KMS instance SDK to access KMS through a KMS instance endpoint. This requires a network access rule with the Network Type set to Private. Retrieving secret values: You can use the KMS instance SDK or the secrets SDK. We recommend using the secrets SDK with a network access rule whose Network Type is set to Private to achieve higher QPS and better security. KMS instance SDK: The network type must be Private. The source IP address must be an IP address in the VPC associated with the KMS instance. Secrets SDK: The network type can be Private, Public, or VPC.
Allowed Source IP Addresses	In most cases, enter the IP address of your application server. The IP address must correspond to the selected network type. If the network type is Private, enter an IP address from the VPC associated with the KMS instance. If the network type is Public, enter a public IP address. If the network type is VPC, enter a VPC ID and a VPC IP address.
Description	Enter a description for the rule.

Create a permission policy.

Click the Policies tab, and then click Create Policy.

In the Create Policy panel, configure the parameters and click OK.

Parameter	Description
Policy Name	Enter a name for the permission policy.
Scope	If you select Private for Network Type when you create a network access rule, select a specific KMS instance. If you select Public or VPC for Network Type, select Shared KMS Gateway.
RBAC Permissions	If you select a specific KMS instance for Scope: CryptoServiceKeyUser: Allows the use of keys in the KMS instance. This permission supports the cryptographic operations of the instance API. For more information, see Key-related operations. CryptoServiceSecretUser: Allows the use of secrets in the KMS instance. This permission supports the secret-related operations of the instance API. For more information, see Secret-related operations. If you select Scope for Shared KMS Gateway: SecretUser: Allows the use of all secrets under the current account. This permission supports the GetSecretValue OpenAPI operation.
Accessible Resources	Select the keys and secrets that the application needs to access. Important If you select multiple secrets and the total length of the secret names exceeds the limit, you receive an "invalid parameter" error. In this case, use a wildcard to specify the accessible secrets. For example, if you set this parameter to `secret/rds-ibm*`, the application can access all secrets whose names have the prefix `rds-ibm`.
Network Access Rules	Select the network access rule that you created. Note If you do not need to restrict access based on source IP addresses, you do not need to select a network access rule. However, for better security, we recommend configuring one.
Description	Enter a description for the policy.

Create the application access point.

Click the Application Access tab, and then click Create AAP.

In the Create AAP panel, configure the parameters.

Parameter	Description
Mode	Select Standard Creation.
Application Access Point Name	Enter a name for the application access point.
Authentication Method	Supported methods: ClientKey and RAMRole. This topic uses ClientKey as an example.
Encryption Password	A password to encrypt the ClientKey. The password must be 8 to 64 characters in length and include characters from at least two of the following types: digits, uppercase and lowercase letters, and special characters `~!@#$%^&*?_-`.
Validity Period	The validity period of the ClientKey. Important We recommend that you set the validity period to one year to reduce the risk of ClientKey leakage. You must rotate the ClientKey before it expires to avoid service disruptions. For more information, see Rotate a ClientKey.
Policies	Select the permission policy that you created.
Description	Enter a description for the application access point.

Click OK. The browser automatically downloads the ClientKey. The ClientKey includes the following files:
- Credential (ClientKeyContent): The default filename is clientKey_****.json.
- Credential password (ClientKeyPassword): The default filename is clientKey_****_Password.txt.

Create an application access point using OpenAPI

Call the CreateNetworkRule operation to set the private IP addresses or CIDR blocks that are allowed to access KMS.
Call the CreatePolicy operation to specify the keys and secrets that the application can access and bind the network access rule.
Call the CreateApplicationAccessPoint operation to set the authentication method and bind the permission policy.
Call the CreateClientKey operation to set the encryption password and validity period for the ClientKey, and bind the application access point.

Create an application access point using Terraform

For more information, see Create an application access point by using Terraform.

Related operations

If an application access point is scoped to a KMS instance, you must configure the instance CA certificate and the KMS instance endpoint during SDK integration. This is not required if the scope is Shared KMS Gateway.

Obtain the KMS instance CA certificate

KMS instances have built-in SSL/TLS certificates and use the HTTPS protocol for authentication and encrypted communication. You use the instance CA certificate to verify the validity of the instance's SSL/TLS certificate. This verification checks if the certificate was issued by the correct CA, is within its validity period, and corresponds to the KMS instance endpoint.