If your self-managed applications are distributed across multiple virtual private clouds (VPCs) in the same region, you can purchase a Key Management Service (KMS) instance in one of the VPCs and associate other VPCs with the KMS instance. This way, the applications in different VPCs can access the same KMS instance. This topic describes how to configure applications in multiple VPCs in the same region to access a KMS instance.
Feature
After the configuration is complete, applications in VPCs can access the keys or secrets in a KMS instance by using the endpoint of the KMS instance.
Usage notes
The VPC and the KMS instance that you want to associate must reside in the same region.
The VPC and the KMS instance that you want to associate can belong to the same Alibaba Cloud account or different Alibaba Cloud accounts.
If the VPC and the KMS instance belong to different Alibaba Cloud accounts, you must first configure resource sharing to share a vSwitch in the VPC with the Alibaba Cloud account to which the KMS instance belongs. This enables network connectivity between the VPC and the KMS instance.
When you associate a VPC with a KMS instance, you must specify a vSwitch in the VPC. Make sure that the vSwitch has at least one available IP address.
The endpoint of the KMS instance then resolves to an IP address taken from that vSwitch.
Each time you associate a VPC with a KMS instance, the quota specified by Access Management Quota is deducted by one. For more information about how to increase the quota, see Upgrade a KMS instance.
Note: The quota specified by Access Management Quota includes the number of VPCs that can be associated with your KMS instance and the number of principals with which you can share your KMS instance. For example, if you want to associate your KMS instance with three VPCs and share the instance with two principals, specify a value of at least 5 to meet your business requirements.
Prerequisites
A KMS instance is purchased and enabled. For more information, see Purchase and enable a KMS instance.
If the VPC and the KMS instance that you want to associate belong to different Alibaba Cloud accounts, make sure that a vSwitch in the VPC is shared with the Alibaba Cloud account to which the KMS instance belongs. For more information, see Enable VPC sharing.
Procedure
Use the KMS console
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
On the Instances page, click the tab of the instance type based on your business requirements.
On the Instances page, find the KMS instance that you want to manage and click Details in the Actions column. On the page that appears, click the VPCs tab.
Click Configure VPC. In the Configure VPC panel, select the VPCs in the Available VPCs section and click the icon.
In the Select vSwitch to Associate with VPC dialog box, select a vSwitch for each VPC and click OK.
Important: You can select a vSwitch regardless of whether the vSwitch is associated with your application. Make sure that the vSwitch has at least one available IP address.
In the Configure VPC panel, click OK.
Call API operations
Call the UpdateKmsInstanceBindVpc operation.
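The checks from the usage notes above (same region, shared vSwitch for cross-account VPCs, a free IP address in the vSwitch, and Access Management Quota covering VPCs plus shared principals) can be run before the API call. This is an added example, not code from the Alibaba Cloud documentation; the instance and VPC values are constructed, and the BindVpcs field names (VpcId, VSwitchId, RegionId, VpcOwnerId) are assumed from the UpdateKmsInstanceBindVpc API reference.

```python
from dataclasses import dataclass, field


@dataclass
class KmsInstance:
    instance_id: str
    region_id: str
    owner_account: str              # Alibaba Cloud account that owns the instance
    access_management_quota: int    # "Access Management Quota" purchased for the instance
    shared_principals: int = 0      # principals the instance is (or will be) shared with
    bound_vpc_ids: list = field(default_factory=list)  # VPCs already associated


@dataclass
class VpcCandidate:
    vpc_id: str
    region_id: str
    owner_account: str
    vswitch_id: str
    vswitch_free_ips: int           # available IP addresses left in the vSwitch
    vswitch_shared_with: tuple = () # accounts the vSwitch is shared with (resource sharing)


def check_candidate(inst: KmsInstance, c: VpcCandidate) -> list:
    """Return the reasons this VPC cannot be associated (empty list means OK)."""
    problems = []
    if c.region_id != inst.region_id:
        problems.append(f"{c.vpc_id}: region {c.region_id} differs from instance region {inst.region_id}")
    # A VPC in another account needs a vSwitch shared with the instance owner's account first.
    if c.owner_account != inst.owner_account and inst.owner_account not in c.vswitch_shared_with:
        problems.append(f"{c.vpc_id}: vSwitch {c.vswitch_id} is not shared with account {inst.owner_account}")
    # The instance endpoint resolves to an IP address taken from the chosen vSwitch.
    if c.vswitch_free_ips < 1:
        problems.append(f"{c.vpc_id}: vSwitch {c.vswitch_id} has no available IP address")
    return problems


def plan_bind_vpcs(inst: KmsInstance, candidates: list) -> list:
    """Validate all candidates plus the quota, then build the BindVpcs entries
    (field names assumed from the UpdateKmsInstanceBindVpc API reference)."""
    problems = [p for c in candidates for p in check_candidate(inst, c)]
    # Every associated VPC and every shared principal consumes one unit of the quota.
    needed = len(inst.bound_vpc_ids) + len(candidates) + inst.shared_principals
    if needed > inst.access_management_quota:
        problems.append(f"Access Management Quota {inst.access_management_quota} is below the {needed} units needed")
    if problems:
        raise ValueError("; ".join(problems))
    return [{"VpcId": c.vpc_id, "VSwitchId": c.vswitch_id,
             "RegionId": c.region_id, "VpcOwnerId": c.owner_account} for c in candidates]
```

The returned list is what you would serialize into the BindVpcs parameter; a raised ValueError lists every failed precondition at once rather than the first one only.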
Use Terraform
For more information, see Purchase and enable a KMS instance of the software key management type.
What to do next
Create an application access point (AAP) in the KMS instance and create a client key for the AAP. Your application uses the client key to access the KMS instance. For more information, see Create an AAP.
Note: We recommend that you create a separate AAP for each application so that the access permissions of the applications stay independent of one another.
Enable your application to call an SDK to use the keys or secrets of the KMS instance.
Use keys: KMS provides only the KMS SDK.
Use secrets: KMS provides KMS SDK, Secret client, Secret JDBC client, and the RAM secret plug-in. For more information about how to select an appropriate SDK, see SDK references.