This topic provides answers to some frequently asked questions about secrets.
Questions
How does KMS ensure the security of secrets?
When you create a secret in a Key Management Service (KMS) instance, you must specify a symmetric key in that instance for secret encryption. KMS uses the symmetric key to generate a data key, uses the data key to encrypt the secret, and then stores the encrypted secret in your dedicated storage. This encryption mechanism is referred to as envelope encryption.
KMS does not encrypt secret metadata, such as the secret name, version number, and stage label of the version.
When your application requests a secret, KMS performs identity authentication and a permission check on the application by using Resource Access Management (RAM) or an application access point (AAP). After your application passes the authentication and permission check, KMS decrypts the secret and returns the plaintext of the secret to your application over TLS 1.2.
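The flow described above, as an added example that is not KMS code or part of any KMS SDK: a Go model in which a stand-in instance key wraps a fresh per-secret data key, the data key encrypts the secret value, and the name, version and stage label are stored in the clear. The use of AES-256-GCM, the blob layout, and feeding the cleartext metadata in as associated data are assumptions of this example, not documented KMS behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record at rest: name, version and stage stay in the clear; value and data key are ciphertext.
type StoredSecret struct {
	Name, Version, Stage       string
	WrappedDataKey, Ciphertext []byte
}
// Binding the cleartext metadata as AEAD associated data is this example's own choice, not
// documented KMS behaviour: a record whose name, version or stage was altered fails to decrypt.
func (s StoredSecret) aad() []byte { return []byte(s.Name + "\x00" + s.Version + "\x00" + s.Stage) }
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes (AES-256), so this is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// EncryptSecret is the KMS side of a write: wrap a fresh data key under the instance key, encrypt
// the value under the data key, and keep only the wrapped copy. Each blob is nonce || ct || tag.
func EncryptSecret(instanceKey []byte, name, version, stage string, value []byte) StoredSecret {
	s := StoredSecret{Name: name, Version: version, Stage: stage}
	dataKey, n1, n2 := make([]byte, 32), make([]byte, 12), make([]byte, 12)
	for _, b := range [][]byte{dataKey, n1, n2} {
		if _, err := rand.Read(b); err != nil {
			panic(err) // a failing CSPRNG is not recoverable
		}
	}
	s.WrappedDataKey = gcm(instanceKey).Seal(n1, n1, dataKey, s.aad())
	s.Ciphertext = gcm(dataKey).Seal(n2, n2, value, s.aad())
	return s
}

// DecryptSecret is the KMS side of a read, after the RAM/AAP check: unwrap, then decrypt.
func DecryptSecret(instanceKey []byte, s StoredSecret) ([]byte, error) {
	if len(s.WrappedDataKey) < 12 || len(s.Ciphertext) < 12 {
		return nil, errors.New("truncated record")
	}
	dataKey, err := gcm(instanceKey).Open(nil, s.WrappedDataKey[:12], s.WrappedDataKey[12:], s.aad())
	if err != nil {
		return nil, err // wrong instance key, or the wrapped key / metadata was altered
	}
	return gcm(dataKey).Open(nil, s.Ciphertext[:12], s.Ciphertext[12:], s.aad())
}
```

The plaintext data key exists only inside EncryptSecret and DecryptSecret; what reaches storage is the wrapped key, so losing the instance key (for example through the expiry case below) makes every secret in the instance unrecoverable.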
How is a secret encrypted?
KMS encrypts a secret by using envelope encryption. The key used in envelope encryption is the key that you specify when you create the secret. For more information about envelope encryption, see Use envelope encryption.
When you configure a rotation policy or immediately rotate a secret, the error message "Your secret is being rotated. Try again later." appears. Why?
| Secret type | Possible cause |
| --- | --- |
| Resource Access Management (RAM) secret | The RAM secret is being rotated. The rotation period for automatic rotation is approximately 48 hours. The rotation period for immediate rotation is the rotation window that you specified. If the rotation is not complete within the rotation window, check whether the RAM user still exists in RAM. |
| ApsaraDB RDS secret | In most cases, the rotation of an ApsaraDB RDS secret completes immediately. If the rotation is not complete after more than 2 minutes, check whether the associated ApsaraDB RDS instance and ApsaraDB RDS account work as expected. |
| Elastic Compute Service (ECS) secret | In most cases, the rotation of an ECS secret completes immediately. If the rotation is not complete after more than 2 minutes, check whether the associated ECS instance and ECS account work as expected. |
What do I do if a secret is unavailable or if Rejected.Unavailable is returned when I call a secret-related API operation?
This happens when the KMS instance to which the secret belongs has expired.
Renew the KMS instance within 15 calendar days after it expires. Otherwise, the KMS instance is released. For more information, see Renewal.
If you do not want to use the KMS instance now but may need the keys or secrets in the instance later, we recommend that you back up the instance before it expires. For more information, see Backups.
I cannot find a secret that I created in the new version of the KMS console. Why?
The new version of the KMS console displays only the secrets that are managed in KMS instances.
If you use the old version of KMS, you can create a secret without purchasing a KMS instance. However, such a secret is not displayed in the new version of the KMS console. To view it, go to the old version of the KMS console.
The account check on my ApsaraDB RDS secret fails. Why?
In most cases, this is because the ApsaraDB RDS account or ApsaraDB RDS instance that is associated with the RDS secret has been deleted. Check whether the ApsaraDB RDS account and ApsaraDB RDS instance still exist in ApsaraDB RDS.