When your applications on ECS need to securely access credentials without managing AccessKeys in code, you can use Quick access from ECS — a cloud-native solution provided by KMS. By installing the KMS Agent on your ECS instances, applications retrieve credentials through local HTTP requests with a guided three-step setup wizard.
Overview
Quick access from ECS provides a guided wizard for Agent installation and configuration, consolidating what would otherwise be multiple manual steps — creating a RAM role, configuring permission policies, installing the Agent — into a streamlined three-step wizard.
How it works: When an application on an ECS instance sends an HTTP request, the local KMS Agent receives it, authenticates through a RAM role or instance identity, and forwards the request to the KMS service. After the KMS service verifies permissions and returns the credential, the Agent delivers it back to the application. The Agent caches credentials locally to reduce redundant requests and improve retrieval efficiency.
Authentication methods:
Instance Identity (ECS) (recommended): Uses ECS instance identity for authentication. The Agent automatically retrieves instance identity from the metadata service — no RAM role creation required, making this the simplest setup with the fewest configuration steps.
RAMRole: Requires manual creation of a RAM role and binding it to the ECS instance. More flexible but involves additional configuration steps. Suitable for scenarios where you need to reuse an existing RAM role setup.
Prerequisites and limitations
Operating system: Only Linux operating systems are supported on ECS instances.
Instance state: The ECS instance must be in the Running state. Stopped or released instances cannot have the Agent installed.
Network and security group: The ECS security group must allow inbound traffic on the HTTP port that the KMS Agent listens on (port 2025 by default). Otherwise, applications cannot connect to the Agent.
Storage space: The system disk must have sufficient free storage space. Insufficient disk space may cause Agent installation to fail.
Cloud Assistant client: The ECS instance must have the Cloud Assistant client installed and running. KMS relies on Cloud Assistant to remotely distribute the Agent installation task.
Instance Identity (ECS) access limitations:
Instance gateway: Requires instance gateway version 4.0.0 or later.
Shared gateway: No specific instance version requirements.
Billing
The Quick access from ECS feature itself is free of charge. Credentials accessed through the Agent are billed according to the standard pricing for KMS credential management API operations.
Configure access
Step 1: Configure permissions
Log on to the KMS console. In the left-side navigation pane, choose .
In the ECS list within the Elastic Computing section, find the target ECS instance and click the More icon in the Actions column. Then select Configure ECS Access.
In the configuration panel that appears, select one of the following Authentication Method to complete the permission configuration.
Instance Identity (ECS) (recommended)
Uses ECS instance identity for authentication without requiring additional credential configuration. The Agent retrieves instance identity directly from the metadata service. Authentication flow: ECS → Identity Doc → KMS → Short-term credentials.
Parameter
Description
Scope
Select how you want to access KMS. Valid values:
Specified KMS instance: Access keys and credentials in a specified KMS instance through the KMS instance endpoint.
Shared KMS Gateway: Access credentials through the KMS service endpoint.
Application Access Point Name
A custom name for the application access point (access credential) to help you identify and manage it later.
Policy Name
A custom name for the RAM permission policy. You can create the permission policy in this step — no need to pre-create it in the RAM console.
RBAC Permissions
Select the role-based access control (RBAC) permission level, which determines what operations your application can perform on credentials.
When scope is set to Specified KMS instance:
CryptoServiceKeyUser: Allows the use of keys in the KMS instance for credential encryption. Supports cryptographic operation APIs in the instance API. For more information, see Key API reference.
CryptoServiceSecretUser: Allows the use of credentials in the KMS instance. Supports credential APIs in the instance API. For more information, see Credential API reference.
When scope is set to Shared KMS Gateway: You can select only SecretUser, which allows the use of all credentials under the current account.
Accessible Resources
Select the credentials and keys (used for credential encryption and decryption) that the application needs to access.
ImportantIf you select multiple credentials and the total length of credential names exceeds the limit, an "Invalid parameter" error is returned. In this case, use a wildcard to configure which credentials are allowed. For example, setting
secret/rds-ibm*allows access to all credentials with the prefixrds-ibm.Description
Optional. A detailed description of the application access point. Maximum length: 8,192 characters.
RAMRole
When an application on an ECS instance uses the KMS Agent to access sensitive credentials, you must bind a RAM role to the ECS instance. Make sure the RAM role's permission policy grants access to KMS credentials.
Configure the corresponding RAM Role.
Create a new RAM role:
Click Create RAM Role to go to the Roles page in the RAM console. Then click Create Role.
On the creation page, configure the following parameters and click OK.
Trusted entity type: Select Elastic Compute Service.
Trusted entity name: Select ECS.
Create or modify a permission policy:
Create: On the Policies tab, click Create Policy and select Script Edit.
Modify: Go to the details page of the existing policy. On the Policy Document tab, click Modify Policy.
Refer to the following example:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "kms:GetSecretValue", "Resource": "acs:kms:${region}:${account}:secret/example-secret" }, { "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "acs:kms:${region}:${account}:key/keyId-example" } ] }On the policy list page, select the policy you created or modified in the previous step. Click Grant Permission in the Actions column to attach the policy to the newly created RAM role.
Select an existing RAM role: If a suitable role already exists, select it from the drop-down list.
ImportantIf the role is not attached to any permission policy, attach the relevant policies by following the instructions for creating a RAM role above.
Log on to the ECS console and attach the RAM role to an ECS instance.
Bind the RAM role to the target ECS instance. For detailed steps, see the linked topic above.
After completing the configuration, click OK to proceed to the next step.
Step 2: Install the Agent
On the Agent installation tab, based on the Authentication Method selected in Step 1, select the corresponding tab: Instance Identity (ECS) or RAMRole.
Configure the following basic parameters:
Parameter
Description
AapArn
Required only for Instance Identity (ECS). Select the application access point created in Step 1.
Local HTTP Port
The HTTP service port that the KMS Agent listens on. Default value: 2025. The default listening address is 127.0.0.1:2025.
ImportantMake sure to allow this port in the ECS security group. For more information, see Security group configuration.
Max Concurrent Connections
The maximum number of concurrent requests that the Agent can process from applications. Default value: 800. Maximum value: 1000.
KMS Region
The region where the KMS instance is located, for example, cn-hangzhou. This can be the same as or different from the ECS instance region.
If the regions are different: Ensure network connectivity between the ECS instance and the KMS instance. For more information, see Connect an on-premises data center to a VPC, Connect an on-premises data center to a VPC by using a VPN gateway, or Connect an on-premises data center to a VPC by using a Cloud Enterprise Network instance.
If the regions are the same but the ECS instance and KMS instance belong to different VPCs: Bind the VPC of the ECS instance to the KMS instance to enable network connectivity. For more information, see Bind a VPC to a KMS instance.
KMS Endpoint
The access URL for the KMS service.
If Scope is set to Shared KMS Gateway:
VPC access: Enter the VPC access endpoint, for example,
kms-vpc.cn-hangzhou.aliyuncs.com.Public network access: Enter the public access endpoint, for example,
kms.cn-hangzhou.aliyuncs.com.
If Scope is set to Specified KMS instance: Enter the KMS private network address in the format
<YOUR_KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.
Memory Limit
The maximum number of credentials that the KMS Agent can cache. Default value: 1000. Maximum value: 1000.
TTL (Seconds)
The time-to-live (TTL) for the Agent cache. We recommend setting this value based on the rotation interval of your credentials. Default value: 300 seconds.
Advanced Settings (optional): Expand Advanced Settings to display the following configuration items. In most cases, the default values are sufficient.
Parameter
Description
SSRF Request Headers
The SSRF request headers that the application sends to the Agent. Default value:
["X-KMS-Token","X-Vault-Token"].SSRF Token Environment Variable
The Agent uses the files in these environment variables to validate SSRF requests. Default value:
["KMS_TOKEN","KMS_SESSION_TOKEN","KMS_CONTAINER_AUTHORIZATION_TOKEN"].Log Level
The log level. Default value: debug. Valid values: debug, info, warn, error. We recommend using the default value debug for easier troubleshooting.
Log Path
The log file storage path. Default value:
./logs/.Log File Size (MB)
The maximum size of a single log file. Default value: 100 MiB.
Log Backup Files
The number of log files to retain. Default value: 2.
After the configuration is complete, click OK. KMS uses Cloud Assistant to automatically install the Agent on the target ECS instance — no need to manually log on to the server.
Step 3: Verify the installation
The installation verification page is the final page in the configuration wizard. On this page, you can view the installation status and retrieve application integration code samples.
Click the Refresh button, and view the installation status in the Recent Operation Result column. A status of Running indicates that the Agent has been successfully installed.
After closing the configuration panel, you can view the Agent status on the Quick access from ECS list page.
Log on to the ECS instance and run the following curl command to verify that the Agent is working properly:
curl -v -H "X-KMS-Token:$(cat /var/run/kmstoken)" 'http://localhost:2025/secretsmanager/get?secretId=test'An HTTP 200 response indicates that the Agent is working correctly. If you receive a different status code, refer to the Troubleshooting section to resolve the issue.
Application integration
After the Agent is running, applications can access KMS through the local proxy without AccessKey configuration. The following examples demonstrate how to call KMS APIs in your code. Replace agent-test in the examples with your actual credential name.
The KMS Agent only listens on 127.0.0.1, which means only applications or processes on the same machine can communicate with it. External network devices cannot connect to the Agent. The access address supports only localhost or 127.0.0.1 — the local IP of the application is not supported. The following examples use localhost.
In addition to the KMS Agent, KMS also supports access through SDKs. For more information, see SDK access guide.
curl examples
To retrieve credentials from the local Agent, you can either read the token from a file or provide it directly:
# Read token from file
curl -v -H "X-KMS-Token:$(</var/run/kmstoken)" 'http://localhost:2025/secretsmanager/get?secretId=agent-test'
# Provide token directly
curl -v -H "X-KMS-Token:<token>" 'http://localhost:2025/secretsmanager/get?secretId=agent-test'
Go example
package main
import (
"fmt"
"io"
"net/http"
"os"
)
func main() {
// You can specify either versionStage or versionId to retrieve a specific credential value.
// The following example retrieves the credential value for a specified versionId.
url := fmt.Sprintf("http://localhost:2025/secretsmanager/get?secretId=%s", "agent-test")
token, err := os.ReadFile("/var/run/kmstoken")
if err != nil {
fmt.Printf("error reading token file: %v\n", err)
return
}
req, err := http.NewRequest("GET", url, nil)
if err != nil {
fmt.Printf("error creating request: %v\n", err)
return
}
req.Header.Add("X-KMS-Token", string(token))
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
fmt.Printf("error sending request: %v\n", err)
return
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
fmt.Printf("error reading response body: %v\n", err)
return
}
fmt.Printf("status code %d - %s\n", resp.StatusCode, string(body))
}
Agent status descriptions
Status | Description |
Running | The Agent is installed and running properly. |
Not installed | The KMS Agent is not installed on this ECS instance. |
Not running | The Agent is installed but not currently running. |
Unknown | Unable to retrieve the Agent status. Check the instance network configuration. |
Troubleshooting
If you encounter issues while installing or using the KMS Agent, refer to the following table for troubleshooting guidance:
Error | Solution |
Agent installation failed | Check that the ECS instance is in the Running state and verify that your account has the required KMS permissions. |
Network unreachable or timed out | Verify that the Local HTTP Port is configured correctly and that the ECS security group allows traffic on this port. If you are accessing KMS through a VPC, ensure network connectivity between the ECS instance and the KMS instance. |
Insufficient permissions | If you are using the RAMRole method, verify that the ECS instance is bound to the correct RAM role and that the role's permission policy includes the |
Port conflict | If the default local HTTP port (2025) is occupied by another process, specify a different unused port number during Agent installation. |
Agent not started | Log on to the ECS instance via SSH and check if the Agent process is running. If not, reconfigure the ECS access following the setup steps. |