Manage and use generic secrets

Updated at: 2025-03-18 11:44
Important

This topic contains important information on necessary precautions. We recommend that you read this topic carefully before proceeding.

Generic secrets are basic secrets that are supported by Key Management Service (KMS). You can store sensitive data such as account passwords, AccessKey pairs, OAuth secrets, and tokens as generic secrets. A generic secret can have multiple versions, so you can update the secret value without changing the applications that read it. Storing such data in KMS and retrieving it at runtime prevents the leaks that hardcoded secrets cause. This topic describes how to manage and use generic secrets.

Generic secret rotation

KMS does not support automatic rotation on a custom schedule for generic secrets. You can use Function Compute to rotate them on a schedule instead. For more information, see Use Function Compute to rotate generic secrets. If you want to rotate a secret immediately, store a new version of the secret value by using the KMS console or by calling the PutSecretValue API operation.

Warning

Each generic secret can have up to 10 versions. When you store an 11th version, KMS automatically deletes the earliest version in a rolling manner. Do not rely on an old version ID staying readable after further rotations.

Prerequisites

Step 1: Create a generic secret

When you create a generic secret, KMS places its initial version in the default ACSCurrent stage.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. Click the Generic Secrets tab, select the required instance ID from the Instance ID drop-down list, and then click Create Secret. In the panel that appears, configure parameters based on your business requirements and click OK.

    Secret Name: The name of the secret. The name must be unique within the current region.

    Secret Value: The sensitive data to store and its format. Valid values: Secret Key/Value (a set of key-value pairs) and Plain Text. The value cannot exceed 30,720 bytes (30 KB). The limit counts bytes, not characters, so multi-byte characters count more than once.

    Initial Version: The version number of the first secret version. Default value: v1. You can also specify a custom version number.

    CMK: The key that is used to encrypt the current value of the secret.

    Important
    • The key and the secret must belong to the same KMS instance, and the key must be a symmetric key. For more information about the symmetric keys that KMS supports, see Key types and specifications.

    • If you create the secret as a RAM user or by assuming a RAM role, that identity must have permission to call the GenerateDataKey operation with the selected key.

    Tag: The tag that you want to add to the secret. You can use tags to classify and manage secrets. A tag consists of a key-value pair.

    Note
    • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), at signs (@), and spaces.

    • A tag key cannot start with aliyun or acs:.

    • You can configure up to 20 key-value pairs for each secret.

    Description: The description of the secret.

    Policy Settings: The policy settings of the secret. For more information, see Overview. You can use the default policy and modify it based on your business requirements after you create the secret.
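The value limit and the tag rules above are easy to get wrong before a create request ever reaches KMS, in particular because the size limit is in bytes rather than characters. The following Python pre-flight check is an added example, not code from this page or from Alibaba Cloud. It encodes the rules stated in the table; the constant names are this example's own, and the reserved-prefix check is applied case-insensitively as a conservative assumption (the page lists only the lowercase forms). The same tag rules are restated later under Add tags for secrets, so the check applies there too.

```python
"""Pre-flight checks for creating a generic secret: value size and tag key/value rules."""
import re
from typing import Dict, List

SECRET_VALUE_MAX_BYTES = 30_720   # 30 KB limit from the page, measured in bytes
TAG_MAX_CHARS = 128
TAGS_PER_SECRET = 20
# Character set the page allows in tag keys and values (letters, digits, / \ _ - . + = : @ and space).
_TAG_CHARS = re.compile(r"^[A-Za-z0-9/\\_\-.+=:@ ]*$")
# Reserved prefixes; compared case-insensitively here (assumption, the page lists lowercase forms).
_RESERVED_PREFIXES = ("aliyun", "acs:")


def check_secret_value(value: str) -> List[str]:
    """The limit is in bytes, so the UTF-8 encoding is what counts, not len(value)."""
    size = len(value.encode("utf-8"))
    if size > SECRET_VALUE_MAX_BYTES:
        return [f"secret value is {size} bytes; limit is {SECRET_VALUE_MAX_BYTES}"]
    return []


def check_tags(tags: Dict[str, str]) -> List[str]:
    """Return one problem string per violated rule; an empty list means the tags are acceptable."""
    problems = []
    if len(tags) > TAGS_PER_SECRET:
        problems.append(f"{len(tags)} tags; limit is {TAGS_PER_SECRET}")
    for key, value in tags.items():
        if not key:
            problems.append("empty tag key")
        if key.lower().startswith(_RESERVED_PREFIXES):
            problems.append(f"tag key {key!r} uses a reserved prefix")
        for what, text in (("key", key), ("value", value)):
            if len(text) > TAG_MAX_CHARS:
                problems.append(f"tag {what} {text!r} is longer than {TAG_MAX_CHARS} characters")
            elif not _TAG_CHARS.match(text):
                problems.append(f"tag {what} {text!r} contains a disallowed character")
    return problems


def validate_create_secret(value: str, tags: Dict[str, str]) -> List[str]:
    """Combine both checks; an empty list means the request passes every rule on the page."""
    return check_secret_value(value) + check_tags(tags)
```

Run the check before calling the console or API so a rejected request never reaches KMS; a string of 15,361 two-byte characters, for example, is only half the character count of the limit but already over it in bytes.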

Step 2: Integrate applications with generic secrets

KMS offers Secret Client, Alibaba Cloud SDK, KMS Agent, and the KMS instance SDK. All of them call the GetSecretValue operation, through OpenAPI or through the KMS instance API (not recommended), to retrieve the value of a generic secret.

Note
  • To enhance service reliability, implement a retry mechanism with backoff in your application for transient errors. Do not retry errors that indicate a missing secret or a missing permission; they will not succeed on a second attempt.

  • KMS provides multiple authentication methods. For enhanced security, prefer an ECS instance RAM role or a standard RAM role, so that the application does not have to hold a long-term AccessKey pair.

  • Endpoints:

    • Shared gateway endpoint: see Endpoint.

    • Dedicated gateway endpoint: {INSTANCE_ID}.cryptoservice.kms.aliyuncs.com.

Secret Client
  • Applicable scenario: The application is developed in Java 8 or later, Go, or Python.
  • Supported gateways: shared gateway, dedicated gateway.

Alibaba Cloud SDK
  • Applicable scenario: The application is developed in Java 8 or later (Java 6 or later with Alibaba Cloud SDK V1.0), PHP, Go, Python, .NET (C# only), C++, TypeScript, or Swift.
  • Supported gateways: dedicated gateway (recommended), shared gateway.

KMS Agent
  • Applicable scenario: Deployments in which many applications access KMS. The agent exposes standard HTTP APIs, so applications written in any language can use it.
  • Supported gateways: dedicated gateway (recommended), shared gateway.

KMS instance SDK (not recommended)
  • Applicable scenario: The application is developed in Java 8 or later, PHP, Go, Python, or .NET (C# only).
  • Supported gateways: dedicated gateway only.

Related operations

Rotate a generic secret

You cannot configure rotation information when you create generic secrets. If you want an instant rotation, you must store a new secret version by using the KMS console or calling the PutSecretValue API operation.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. Click the Generic Secrets tab, select the required instance ID from the Instance ID drop-down list, find the desired secret, and then click Details in the Actions column.

  3. In the Versions section, click Store Secret Value.

  4. In the Store Secret Value dialog box, configure the Version and Secret Value parameters and click OK.

    Important

    After you store a new secret version, the generic secret is rotated immediately: the new version moves into the ACSCurrent stage, and by default the operation that retrieves the secret value returns the new version. Applications that cache the secret value must refresh their cache, or they keep using the old value until the cache expires.
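The following Python example is added here and is not code from this page or from an Alibaba Cloud SDK. It demonstrates both the integration advice in Step 2 (retry transient errors only, fail fast on everything else) and the rotation behaviour described above (a new version becomes ACSCurrent immediately, and a stale application cache keeps handing out the old value). It runs offline against FakeKms, a constructed in-memory stand-in that mimics GetSecretValue and PutSecretValue with the page's 10-version rolling limit. The error codes in TRANSIENT_CODES and Forbidden.ResourceNotFound, and the treatment of Secret Key/Value data as a JSON object, are this example's assumptions, not facts from the page. To use it against KMS, replace FakeKms with an object that exposes the same two methods on top of whichever client you chose in Step 2.

```python
"""Retrieve a generic secret with retries, cache it, and pick up an instant rotation."""
import json
import random
import time
from typing import Callable, Dict, List

# Codes this example retries. "Rejected.Throttling" is an assumed placeholder for a transient
# code; "Rejected.Unavailable" (see the FAQ) means the secret itself is unavailable, so it is not retried.
TRANSIENT_CODES = {"Rejected.Throttling"}


class KmsError(Exception):
    def __init__(self, code: str, message: str = ""):
        super().__init__(f"{code}: {message}")
        self.code = code


class FakeKms:
    """Constructed in-memory stand-in for GetSecretValue/PutSecretValue: the newest version
    holds ACSCurrent, and at most 10 versions are kept, the earliest being dropped first."""
    MAX_VERSIONS = 10

    def __init__(self, fail_times: int = 0):
        self._versions: Dict[str, List[dict]] = {}
        self._fail_times = fail_times  # calls to fail with a transient error before succeeding

    def put_secret_value(self, secret_name: str, secret_data: str, version_id: str) -> dict:
        versions = self._versions.setdefault(secret_name, [])
        if any(v["VersionId"] == version_id for v in versions):
            raise ValueError(f"version {version_id} already exists")
        for v in versions:
            v["VersionStages"] = []        # only the newest version carries ACSCurrent
        versions.append({"VersionId": version_id, "SecretData": secret_data,
                         "SecretDataType": "text", "VersionStages": ["ACSCurrent"]})
        del versions[:-self.MAX_VERSIONS]  # rolling deletion of the earliest versions
        return {"SecretName": secret_name, "VersionId": version_id}

    def get_secret_value(self, secret_name: str, version_stage: str = "ACSCurrent") -> dict:
        if self._fail_times > 0:
            self._fail_times -= 1
            raise KmsError("Rejected.Throttling", "simulated transient failure")
        for v in self._versions.get(secret_name, []):
            if version_stage in v["VersionStages"]:
                return dict(v, SecretName=secret_name)
        raise KmsError("Forbidden.ResourceNotFound", secret_name)  # assumed code for a missing secret

    def version_ids(self, secret_name: str) -> List[str]:
        return [v["VersionId"] for v in self._versions.get(secret_name, [])]


def get_secret_with_retry(client, secret_name: str, version_stage: str = "ACSCurrent",
                          max_attempts: int = 5, sleep: Callable[[float], None] = time.sleep) -> dict:
    """GetSecretValue with jittered exponential backoff, retrying transient errors only."""
    delay = 0.1
    for attempt in range(1, max_attempts + 1):
        try:
            return client.get_secret_value(secret_name, version_stage)
        except KmsError as err:
            if err.code not in TRANSIENT_CODES or attempt == max_attempts:
                raise                      # wrong name or missing permission: fail fast
            sleep(delay + random.uniform(0, delay))
            delay = min(delay * 2, 2.0)


def parse_secret_data(resp: dict):
    """Secret Key/Value data is assumed to be a JSON object; Plain Text is returned unchanged."""
    if resp["SecretDataType"] != "text":
        raise ValueError("binary secret data is not handled by this example")
    try:
        value = json.loads(resp["SecretData"])
    except ValueError:
        return resp["SecretData"]
    return value if isinstance(value, dict) else resp["SecretData"]


class SecretCache:
    """Caches ACSCurrent values for a TTL; force_refresh picks up a rotation immediately."""

    def __init__(self, client, ttl_seconds: float = 300.0,
                 sleep: Callable[[float], None] = time.sleep):
        self._client, self._ttl, self._sleep = client, ttl_seconds, sleep
        self._entries: Dict[str, tuple] = {}  # name -> (fetched_at, version_id, parsed value)

    def get(self, secret_name: str, force_refresh: bool = False):
        entry = self._entries.get(secret_name)
        if entry and not force_refresh and time.monotonic() - entry[0] < self._ttl:
            return entry[2]
        resp = get_secret_with_retry(self._client, secret_name, sleep=self._sleep)
        value = parse_secret_data(resp)
        self._entries[secret_name] = (time.monotonic(), resp["VersionId"], value)
        return value


def use_db_password(cache: SecretCache, secret_name: str, authenticate: Callable[[str], bool]) -> bool:
    """Try the cached password; if it is rejected, refresh once, since the secret may have rotated."""
    if authenticate(cache.get(secret_name)["password"]):
        return True
    return authenticate(cache.get(secret_name, force_refresh=True)["password"])
```

The rolling deletion in FakeKms is also why pinning a version ID in application configuration is fragile: after ten more rotations the pinned version no longer exists. Reading ACSCurrent and refreshing on an authentication failure sidesteps both the stale-cache and the vanished-version problems.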

Delete a generic secret

You can schedule the deletion of a generic secret or delete it immediately.

Warning

Before you delete a generic secret, make sure that the generic secret is no longer in use. If you delete a generic secret that is in use, service failures may occur.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. Click the Generic Secrets tab, select the required instance ID from the Instance ID drop-down list, find the desired secret, and then click Schedule Deletion in the Actions column.

  3. In the Schedule Deletion dialog box, select a method to delete the secret and click OK.

    • If you select Schedule Deletion, configure Retention Period (7 to 30 Days). When the retention period ends, KMS deletes the secret.

    • If you select Delete Immediately, KMS deletes the secret at once and the deletion cannot be cancelled.

    During the retention period of a scheduled deletion, you can cancel the deletion from the Actions column.

Add tags for secrets

You can use tags to classify and manage secrets. A tag consists of a key-value pair.

Note
  • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal sign (=), colons (:), at signs (@), and spaces.

  • A tag key cannot start with aliyun or acs:.

  • You can configure up to 20 key-value pairs for each secret.

Add tags for a secret

Method 1: Add tags on the Secrets page

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, find the desired secret, and then click the tag icon in the Tag column.

  3. Click Add. In the Edit Tag dialog box, enter one or more Tag Key and Tag Value pairs, and click OK. In the message that appears, click Close.

    In the Edit Tag dialog box, you can also modify tag values and remove multiple tags at a time.

Method 2: Add tags on the Secret Details page

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. Click a tab based on the type of your secret. Select the required instance ID from the Instance ID drop-down list, find the desired secret, and then click Details in the Actions column.

  3. On the Secret Details page, click the edit icon next to Tag.

  4. In the Edit Tag dialog box, enter one or more Tag Key and Tag Value pairs and click OK. In the message that appears, click Close.

    In the Edit Tag dialog box, you can also modify tag values and remove multiple tags at a time.

Configure tags for multiple secrets at a time

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Secrets.

  2. Click a tab based on the type of your secret, select the required instance ID from the Instance ID drop-down list, and then select the desired secrets from the secret list.

    • Add tags: In the lower part of the secret list, click Add Tag. In the Add Tag dialog box, enter one or more Tag Key and Tag Value pairs, and click OK. In the message that appears, click Close.

    • Remove tags: In the lower part of the secret list, click Remove Tag. In the Batch Remove dialog box, select the tags that you want to remove and click Remove. In the message that appears, click Close.

FAQ

What do I do if a secret is unavailable or if "Rejected.Unavailable" is returned when I call a secret-related API operation?
