A client key is valid for one year to five years. We recommend that you change client keys on a yearly basis. If your client key is about to expire, you must change the client key at the earliest opportunity. If your client key expires, your application cannot use the client key to access Key Management Service (KMS). This topic describes how to change a client key.
Step 1: Create a client key
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Applications.
Click the Application Access tab. Then, search for the required application access point (AAP) by Instance ID or AAP name.
Click the name of the AAP. On the details page, click the Client Key tab and then click Create Client Key.
In the Create Client Key panel, configure the Encryption Password and Validity Period parameters.
Encryption Password: The password must be 8 to 64 characters in length and can contain digits, letters, and the following special characters:
~ ! @ # $ % ^ & * ? _ -
.Validity Period: The default value is five years. We recommend that you set the validity period to one year to reduce the risks of client key leaks.
Click OK. The browser automatically downloads the client key that is created.
The client key contains Application Access Secret(ClientKeyContent) and Password. By default, Application Access Secret(ClientKeyContent) is saved in a file whose name is in the
clientKey_****.json
format. By default, Password is saved in a file whose name is in theclientKey_****_Password.txt
format.
Step 2: Change the client key of a self-managed application
In this example, KMS Instance SDK for Java is used. When you create a client, you must replace clientKeyPass
with your new password and replace clientKeyFilePath
or clientKey
with your new credential.
Step 3: Check whether the old client key is still in use
You can check whether your old client key is still in use to check whether the change is complete for all applications. After you confirm that the old client key is no longer in use, delete the client key.
Obtain the ID of the old client key.
In the left-side navigation pane, choose
. Then, select the ID of your instance.Enter the ID of the client key in the search box below kms_audit_log to check whether the client key is still in use.
If the client key is still in use, the change is not complete for all applications. You can identify the applications for which the client key is not changed based on fields such as
client_ip
anduseragent
.
Step 4: Delete the old client key
The deletion of a client key immediately takes effect. Before you delete a client key, make sure that the client key is no longer in use. Otherwise, your applications may fail to access the required KMS instance.
Find the old client key on the Client Key tab and click Delete in the Actions column.
In the Delete Client Key message, click OK.
Complete security verification. Then, KMS deletes the client key.