How to Manage Application Secrets Using Alibaba Cloud Key Management Service

Easily protect, manage, use, and audit your cryptographic keys on Alibaba Cloud

What Is Key Management Service?

Alibaba Cloud Key Management Service (KMS) is a cloud-managed service that allows you to create, manage, and store keys, certificates, and secrets. KMS enables you to maintain control over who can access your secrets and keys by letting you assign permissions. You can also manage the lifecycle of each secret by setting the rotation period. Auditing can be set up by integrating with Alibaba Cloud Services like ActionTrail or CloudMonitor to provide usage logs informing you who is accessing the secrets.

KMS Components

KMS consists of four components:

  • Key Service

  • Secrets Manager

  • Certificates Manager

  • Dedicated KMS

This article will focus on the secrets manager component of KMS.

Secrets Manager

Secrets Manager provides secret encryption, secret hosting, regular rotation (the periodic updating of a secret, which produces a new version of the secret), secure distribution, and centralized management features. Secrets Manager reduces the security risks caused by static secrets configured in traditional IT facilities. You can use secrets to store sensitive data like passwords.

A secret consists of three components: the metadata, versions, and stage labels that mark the secret versions.


The metadata of a secret contains the following parts:

  • The secret's name is used to specify the secret when you call an API operation of Secrets Manager

  • The identifier of the encryption key is used to specify your user-managed customer master key (CMK)

  • Other data, such as description and resource tags

Secret Versions

Each secret value you write into a secret is stored as a secret version. The secret value is sensitive data. You can read the secret value of a secret version based on the secret name and version number. Each secret version identified by the version number can only be written into a secret once and cannot be modified.

Stage Labels

Secret versions are marked with stage labels and can be referenced by those labels. Secrets Manager has two built-in stage labels: ACSCurrent and ACSPrevious. When you call the PutSecretValue operation, the newly stored secret version is marked with ACSCurrent by default. You can then call the GetSecretValue operation to read the secret version marked with ACSCurrent. You can also define custom stage labels.
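
The version and stage-label behavior described above, modeled in memory as an added example (not Alibaba Cloud SDK code and not from the original article). The class, its method and field names, the sample values, the "Canary" label, and the relabeling of the old ACSCurrent version as ACSPrevious are assumptions made for illustration.

```python
# Added example: in-memory model only, not the Alibaba Cloud SDK.
class SecretModel:
    def __init__(self, name, encryption_key_id, description=""):
        # Metadata: secret name, CMK identifier, other data.
        self.metadata = {"name": name, "encryption_key_id": encryption_key_id,
                         "description": description}
        self._versions = {}  # version id -> secret value (write-once)
        self._stages = {}    # stage label -> version id (one version per label)

    def put_secret_value(self, version_id, secret_data, version_stages=("ACSCurrent",)):
        # A version id can be written once and never modified.
        if version_id in self._versions:
            raise ValueError(f"version {version_id!r} already exists")
        self._versions[version_id] = secret_data
        for label in version_stages:
            # Assumption: the version losing ACSCurrent is relabeled ACSPrevious.
            if label == "ACSCurrent" and "ACSCurrent" in self._stages:
                self._stages["ACSPrevious"] = self._stages["ACSCurrent"]
            self._stages[label] = version_id

    def get_secret_value(self, version_id=None, version_stage="ACSCurrent"):
        # Read by explicit version id, otherwise by stage label.
        if version_id is None:
            if version_stage not in self._stages:
                raise KeyError(f"no version carries stage label {version_stage!r}")
            version_id = self._stages[version_stage]
        labels = sorted(l for l, v in self._stages.items() if v == version_id)
        return {"version_id": version_id,
                "secret_data": self._versions[version_id],
                "version_stages": labels}


def rotation_demo():
    # All names and values below are constructed placeholders.
    secret = SecretModel("app/db-password", "cmk-id-placeholder")
    secret.put_secret_value("v1", "constructed-value-1")
    secret.put_secret_value("v2", "constructed-value-2")  # rotation
    secret.put_secret_value("v3", "constructed-value-3", version_stages=("Canary",))
    return secret


if __name__ == "__main__":
    s = rotation_demo()
    print(s.get_secret_value())                             # default: ACSCurrent
    print(s.get_secret_value(version_stage="ACSPrevious"))  # prior value after rotation
    print(s.get_secret_value(version_id="v3"))              # custom label "Canary"
```

In this model, a client that always reads ACSCurrent picks up the rotated value without any change on its side, while the prior value stays addressable through ACSPrevious.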

Benefits of Using Secrets Manager in KMS

  • Simplified Application Access: KMS provides multiple methods to help you use dynamic secrets, such as KMS SDKs, Secrets Manager Client, and the Kubernetes plug-in.

  • Centralized and Large-Scale Management: KMS can be automatically activated and supports services such as ROS and Terraform. KMS allows you to implement automatic orchestration of Alibaba Cloud resources, such as databases and OSS buckets, and automated secrets management. The secrets are fully managed in Secrets Manager, which achieves centralized management.
