All Products
Search
Document Center

Key Management Service:Secret management FAQ

Last Updated:Nov 28, 2024

This topic provides answers to some frequently asked questions about secrets.

Questions

How does KMS ensure the security of secrets?

When you create a secret in an instance, you must specify a symmetric key in the instance for secret encryption. Key Management Service (KMS) uses the symmetric key to generate a data key, uses the data key to encrypt the secret, and then stores the secret in your dedicated storage. This encryption mechanism is referred to as envelope encryption.

Note

KMS does not encrypt secret metadata, such as the secret name, version number, and stage label of the version.

When your application requests a secret, KMS performs identity authentication and a permission check on the application by using Resource Access Management (RAM) or an application access point (AAP). After your application passes the authentication and permission check, KMS decrypts the secret and returns the plaintext of the secret to your application over TLS 1.2.

How is a secret encrypted?

KMS encrypts a secret by using envelope encryption. The key used in envelope encryption is the key that you specify when you create the secret. For more information about envelope encryption, see Use envelope encryption.

When you configure a rotation policy or immediately rotate a secret, the error message "Your secret is being rotated. Try again later." appears. Why?

Secret type

Possible cause

Resource Access Management (RAM) secret

The RAM secret is being rotated.

The rotation period for automatic rotation is approximately 48 hours. The rotation period for immediate rotation is the rotation window that you specified.

If the rotation is not complete in the rotation window, check whether the RAM user still exists in RAM.

ApsaraDB RDS secret

In most cases, the rotation of an ApsaraDB RDS secret is immediately complete. If the rotation is not complete for more than 2 minutes, check whether the required RDS instance and the required ApsaraDB RDS account work as expected.

Elastic Compute Service (ECS) secret

In most cases, the rotation of an ECS secret is immediately complete. If the rotation is not complete for more than 2 minutes, check whether the required ECS instance and the required ECS account work as expected.

What do I do if a secret is unavailable or if "Rejected.Unavailable" is returned when I call a secret-related API operation?

The KMS instance to which the secret belongs has expired.

Renew the KMS instance within 15 calendar days after expiration. Otherwise, the KMS instance is released. For more information, see Renewal.

If you do not want to use the KMS instance now but may require the keys or secrets in the instance later, we recommend that you back up the instance in advance. For more information, see Backups.

I cannot find the created secret in the KMS console of the new version. What is the reason?

Note

The KMS console of the new version displays only the secrets that are managed in KMS instances.

If you use the old version of KMS, you can create a secret without purchasing a KMS instance. However, you cannot view the created secret in the KMS console of the new version. To view such secret, go to the KMS console of the old version.

image.png

The account check on my ApsaraDB RDS secret fails. Why?

In most cases, this is because the ApsaraDB RDS account or ApsaraDB RDS instance that is associated with the RDS secret is deleted. We recommend that you check whether the ApsaraDB RDS account or ApsaraDB RDS instance exists in ApsaraDB RDS.

What do I do if the message "Cloud resource access authorization failed" appears when authorizing KMS to access AccessKey pairs while creating RAM secrets?

This issue arises because your currently logged-on RAM account does not have permissions to access cloud resources. Send the Cloud Resource Access Authorization link to the RAM administrators or the Alibaba Cloud account owner. When authorization is complete, you can return to the RAM secrets creation page and click the refresh button. After that, you can create RAM secrets. For information on how to create RAM secrets, see Step 3: Create a RAM secret.

image