Alibaba Cloud KMS Secret Management
This Skill provides core functionality for Alibaba Cloud Key Management Service (KMS) secret management, supporting CRUD operations on secrets.
Scenario Description
KMS Secret Management service is used to securely store, manage, and access sensitive information, such as:
- Database connection credentials
- API keys
- OAuth tokens
- Certificate private keys
- Other sensitive data requiring secure storage
Architecture: Alibaba Cloud KMS Service + Secret Management (Secrets Manager)
```mermaid
graph TB
    User[Application/User] --> KMS[KMS Secrets Manager]
    KMS --> Secret[Generic Secret]
    Secret --> V1[Version 1]
    Secret --> V2[Version 2]
    Secret --> VN[Version N]
    KMS --> Rotation[Rotating Secret]
    Rotation --> RDS[RDS Managed Secret]
    Rotation --> RAM[RAM Managed Secret]
    Rotation --> ECS[ECS Managed Secret]
    Rotation --> Redis[Redis Managed Secret]
    Rotation --> PolarDB[PolarDB Managed Secret]
```
Environment Setup
Dependency: Aliyun CLI. If a `command not found` error occurs, refer to references/cli-installation-guide.md for installation.
Timeout Configuration
Set appropriate timeouts for CLI commands to avoid hanging:
```bash
# Set timeout environment variables (unit: seconds)
export ALIBABA_CLOUD_CONNECT_TIMEOUT=30
export ALIBABA_CLOUD_READ_TIMEOUT=30
```
Or use command-line flags:
```bash
aliyun kms --connect-timeout 30 --read-timeout 30 ...
```
Recommended timeout values:
- Connection timeout: 30 seconds
- Read timeout: 30 seconds
Security Rules
- Prohibited: Reading, printing, or displaying AK/SK values
- Prohibited: Requiring users to directly input AK/SK in conversation
- Sensitive Data Masking: Secret values returned by GetSecretValue are masked by default (e.g., `***`); output in plaintext only when the user explicitly requests it
RAM Permission Requirements
Ensure the executing user has the following KMS permissions. For detailed policies, see references/ram-policies.md.
Minimum Permissions (Read-Only):
```
kms:DescribeSecret, kms:ListSecrets, kms:GetSecretValue, kms:ListSecretVersionIds, kms:GetSecretPolicy
```
Full Permissions (Read-Write):
```
kms:CreateSecret, kms:DeleteSecret, kms:UpdateSecret, kms:DescribeSecret,
kms:ListSecrets, kms:GetSecretValue, kms:PutSecretValue, kms:ListSecretVersionIds,
kms:UpdateSecretVersionStage, kms:UpdateSecretRotationPolicy, kms:RotateSecret,
kms:RestoreSecret, kms:SetSecretPolicy, kms:GetSecretPolicy,
kms:ListKmsInstances, kms:ListKeys, kms:CreateKey
```
Core Workflows
1. Create Secret
Creating a secret requires obtaining the KMS instance ID and encryption key ID first, then executing the creation.
```bash
# Step 1: get the KMS instance ID
aliyun kms ListKmsInstances --PageNumber 1 --PageSize 10 --region <region> --user-agent AlibabaCloud-Agent-Skills
# → extract KmsInstances.KmsInstance[0].KmsInstanceId

# Step 2: get the encryption key ID
aliyun kms ListKeys --Filters '[{"Key":"KeySpec","Values":["Aliyun_AES_256"]},{"Key":"DKMSInstanceId","Values":["<kms-instance-id>"]}]' --PageNumber 1 --PageSize 10 --region <region> --user-agent AlibabaCloud-Agent-Skills
# → extract Keys.Key[0].KeyId

# Step 3: create the secret (requires DKMSInstanceId and EncryptionKeyId)
aliyun kms CreateSecret --SecretName <secret-name> --SecretData <secret-data> --VersionId <version-id> --EncryptionKeyId <key-id> --DKMSInstanceId <kms-instance-id> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
2. List Secrets
```bash
aliyun kms ListSecrets --region <region> --user-agent AlibabaCloud-Agent-Skills
```
3. Get Secret Value
Security Policy:
- If the user does NOT explicitly request the secret value: Only provide the CLI command or Python code script. DO NOT execute.
- If user explicitly requests to get/retrieve/show the secret value: Provide the command/script first, then execute after user confirms.
CLI Command:
```bash
aliyun kms GetSecretValue --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
Python SDK Example:
```python
from alibabacloud_tea_openapi.client import Client as OpenApiClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_util import models as util_models

# Credentials come from the default credential chain (environment, profile, ...);
# AK/SK are never written into the script itself
credential = CredentialClient()
config = open_api_models.Config(credential=credential)
config.endpoint = 'kms.<region>.aliyuncs.com'
client = OpenApiClient(config)

params = open_api_models.Params(
    action='GetSecretValue',
    version='2016-01-20',
    protocol='HTTPS',
    method='POST',
    auth_type='AK',
    style='RPC',
    pathname='/',
    req_body_type='json',
    body_type='json'
)
body = {'SecretName': '<secret-name>'}
runtime = util_models.RuntimeOptions()
request = open_api_models.OpenApiRequest(body=body)
response = client.call_api(params, request, runtime)
# The body contains SecretData in plaintext; print it only after the user has confirmed
print(response.body)
```
Note:
- Only execute the retrieval after the user explicitly confirms
- The secret value contains sensitive information that should be handled with care
- Always remind user to execute in a secure environment (private terminal, no screen sharing, no logging)
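The masking rule in the Security Rules section and the execution policy above (secret values hidden unless the user explicitly asks for plaintext, AK/SK never displayed) can be enforced in code before a GetSecretValue response reaches the conversation. The block below is an added example, not code from the skill or from Alibaba Cloud: `mask_secret_response`, `redact_text`, the credential key list and the AccessKey-ID regex are illustrative assumptions, and the sample response is constructed.

```python
import copy
import re

MASK = "***"

# Response fields that carry the secret payload; shown in plaintext only on explicit request.
SECRET_FIELDS = {"SecretData"}

# Keys that look like access-key material (AK/SK, STS token). The skill forbids ever
# displaying these, so they are masked regardless of the reveal flag. Constructed list.
CREDENTIAL_KEYS = {
    "AccessKeyId", "AccessKeySecret", "SecurityToken",
    "ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET",
}

# Alibaba Cloud AccessKey IDs start with "LTAI"; this pattern scrubs them from free text
# (e.g. CLI output echoed into a chat). Hypothetical regex, tuned for demonstration only.
AK_ID_PATTERN = re.compile(r"LTAI[0-9A-Za-z]{12,}")


def mask_secret_response(response: dict, reveal: bool = False) -> dict:
    """Return a display-safe copy of a GetSecretValue response body.

    SecretData becomes '***' unless reveal=True (the user explicitly asked
    for the plaintext). Credential-like keys are always masked. The input
    dict is never modified, so the caller still holds the real value.
    """
    safe = copy.deepcopy(response)
    for key in list(safe):
        if key in CREDENTIAL_KEYS:
            safe[key] = MASK
        elif key in SECRET_FIELDS and not reveal:
            safe[key] = MASK
    return safe


def redact_text(text: str) -> str:
    """Scrub AccessKey IDs from arbitrary text before it is logged or shown."""
    return AK_ID_PATTERN.sub(MASK, text)


if __name__ == "__main__":
    # Constructed sample response, not real output from KMS
    sample = {
        "RequestId": "00000000-0000-0000-0000-000000000000",
        "SecretName": "db-prod-credential",
        "VersionId": "v1",
        "SecretDataType": "text",
        "SecretData": "p@ssw0rd-constructed",
    }
    print(mask_secret_response(sample))               # SecretData masked
    print(mask_secret_response(sample, reveal=True))  # plaintext, only after confirmation
    print(redact_text("aliyun configure --access-key-id LTAI5tConstructedExample"))
```

The `reveal` flag is the single switch the agent flips after the user's confirmation; everything else stays masked by construction, so a forgotten check fails closed rather than open.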
4. Delete Secret
Pre-check before deletion (Safety Requirement):
Before force deleting a secret, always verify its existence and check if it's still in use:
```bash
# Step 1: describe the secret to verify existence and check its metadata
aliyun kms DescribeSecret --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
# → check metadata such as SecretName and CreateTime to confirm this is the right secret
```
If DescribeSecret returns error (secret not found):
- Stop and inform the user: "Secret does not exist, no deletion needed"
If DescribeSecret succeeds:
- Review the secret metadata
- Confirm with user before proceeding with force deletion
```bash
# Step 2: force delete (immediate, not recoverable)
aliyun kms DeleteSecret --SecretName <secret-name> --ForceDeleteWithoutRecovery true --region <region> --user-agent AlibabaCloud-Agent-Skills
```
Idempotency: If a Forbidden.ResourceNotFound error is returned, the secret does not exist; treat the deletion as successful and continue with subsequent operations.
5. Update Secret Value
```bash
aliyun kms PutSecretValue --SecretName <secret-name> --SecretData <secret-data> --VersionId <version-id> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
6. Describe Secret
```bash
aliyun kms DescribeSecret --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
7. List Secret Versions
```bash
aliyun kms ListSecretVersionIds --SecretName <secret-name> --IncludeDeprecated true --region <region> --user-agent AlibabaCloud-Agent-Skills
```
8. Configure Rotation Policy
```bash
aliyun kms UpdateSecretRotationPolicy --SecretName <secret-name> --EnableAutomaticRotation true --RotationInterval 7d --region <region> --user-agent AlibabaCloud-Agent-Skills
```
9. Restore Deleted Secret
```bash
aliyun kms RestoreSecret --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
Idempotency: If a Rejected.ResourceInUse error is returned, the secret has already been restored or was never deleted; treat the restore as successful and continue with subsequent operations.
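The create workflow (steps 1 to 3), the pre-check-then-force-delete workflow (step 4) and the restore workflow (step 9), with both idempotency rules applied (Forbidden.ResourceNotFound on delete and Rejected.ResourceInUse on restore are treated as success, anything else propagates), as an added Python example that is not part of the skill or of the Alibaba Cloud SDK. It drives an in-memory `FakeKmsClient` instead of the real CLI/SDK so it runs offline; `KmsError`, the fake client, the workflow function names, the `confirm` callback and every ID value are constructed assumptions (the real SDK raises its own exception type carrying an error code).

```python
import json


class KmsError(Exception):
    """Hypothetical API error; `code` mirrors the error code the CLI/SDK reports."""
    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.code = code


class FakeKmsClient:
    """In-memory stand-in for `aliyun kms <Action>`, constructed for this example.
    Scheduled deletions are restorable; ForceDeleteWithoutRecovery=true is not."""
    def __init__(self):
        self.secrets = {}   # active secrets: name -> metadata
        self.pending = {}   # scheduled for deletion (restorable): name -> metadata

    def call(self, action, **p):
        name = p.get("SecretName")
        if action == "ListKmsInstances":
            return {"KmsInstances": {"KmsInstance": [{"KmsInstanceId": "kst-constructed-1"}]}}
        if action == "ListKeys":
            # Filters is the JSON string the CLI expects; parse it as the service would
            specs = [f for f in json.loads(p["Filters"]) if f["Key"] == "KeySpec"]
            return {"Keys": {"Key": [{"KeyId": "key-constructed-1", "KeySpec": specs[0]["Values"][0]}]}}
        if action == "CreateSecret":
            self.secrets[name] = {"SecretName": name, "EncryptionKeyId": p["EncryptionKeyId"],
                                  "DKMSInstanceId": p["DKMSInstanceId"], "CreateTime": "constructed"}
            return {"SecretName": name, "VersionId": p["VersionId"]}
        if action == "DescribeSecret":
            if name not in self.secrets:
                raise KmsError("Forbidden.ResourceNotFound", name)
            return dict(self.secrets[name])
        if action == "DeleteSecret":
            if name not in self.secrets:
                raise KmsError("Forbidden.ResourceNotFound", name)
            meta = self.secrets.pop(name)
            if p.get("ForceDeleteWithoutRecovery") != "true":
                self.pending[name] = meta
            return {"SecretName": name}
        if action == "RestoreSecret":
            if name in self.secrets:
                raise KmsError("Rejected.ResourceInUse", name)
            if name not in self.pending:
                raise KmsError("Forbidden.ResourceNotFound", name)
            self.secrets[name] = self.pending.pop(name)
            return {"SecretName": name}
        raise KmsError("InvalidAction", action)


def create_secret(client, name, data, version_id):
    """Steps 1-3: resolve instance ID and AES-256 key ID, then create the secret."""
    instances = client.call("ListKmsInstances", PageNumber=1, PageSize=10)
    instance_id = instances["KmsInstances"]["KmsInstance"][0]["KmsInstanceId"]
    filters = json.dumps([{"Key": "KeySpec", "Values": ["Aliyun_AES_256"]},
                          {"Key": "DKMSInstanceId", "Values": [instance_id]}])
    keys = client.call("ListKeys", Filters=filters, PageNumber=1, PageSize=10)
    key_id = keys["Keys"]["Key"][0]["KeyId"]
    return client.call("CreateSecret", SecretName=name, SecretData=data, VersionId=version_id,
                       EncryptionKeyId=key_id, DKMSInstanceId=instance_id)


def delete_secret_idempotent(client, name, confirm):
    """Step 4: DescribeSecret first; `confirm(metadata)` stands in for the user's
    go-ahead. Returns 'not_found', 'aborted' or 'deleted'."""
    try:
        meta = client.call("DescribeSecret", SecretName=name)
    except KmsError as e:
        if e.code == "Forbidden.ResourceNotFound":
            return "not_found"          # "Secret does not exist, no deletion needed"
        raise
    if not confirm(meta):
        return "aborted"
    try:
        client.call("DeleteSecret", SecretName=name, ForceDeleteWithoutRecovery="true")
    except KmsError as e:
        if e.code != "Forbidden.ResourceNotFound":   # raced with another deleter: still success
            raise
    return "deleted"


def restore_secret_idempotent(client, name):
    """Step 9: RestoreSecret; Rejected.ResourceInUse means it is already active."""
    try:
        client.call("RestoreSecret", SecretName=name)
    except KmsError as e:
        if e.code != "Rejected.ResourceInUse":
            raise
    return "restored"


if __name__ == "__main__":
    c = FakeKmsClient()
    print(create_secret(c, "db-prod", "constructed-secret", "v1"))
    print(delete_secret_idempotent(c, "db-prod", confirm=lambda meta: True))   # deleted
    print(delete_secret_idempotent(c, "db-prod", confirm=lambda meta: True))   # not_found
```

Only the two error codes the skill names are swallowed; a permission error or a throttling error still surfaces, so an agent cannot mistake "forbidden" for "already gone".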
Advanced Features
For managed credentials and other advanced features, see references/managed-credentials.md.
Reference Links
| File | Description |
|---|---|
| references/ram-policies.md | RAM permission policies |
| references/managed-credentials.md | Managed credentials guide |
Alibaba Cloud KMS Secret Management
This Skill provides the core functionality of Alibaba Cloud Key Management Service (KMS) secret management, supporting create, read, update and delete operations on secrets.
Scenario Description
The KMS Secret Management service is used to securely store, manage and access sensitive information, such as:
- Database connection credentials
- API keys
- OAuth tokens
- Certificate private keys
- Other sensitive data requiring secure storage
Architecture: Alibaba Cloud KMS Service + Secret Management (Secrets Manager)
```mermaid
graph TB
    User[Application/User] --> KMS[KMS Secrets Manager]
    KMS --> Secret[Generic Secret]
    Secret --> V1[Version 1]
    Secret --> V2[Version 2]
    Secret --> VN[Version N]
    KMS --> Rotation[Rotating Secret]
    Rotation --> RDS[RDS Managed Secret]
    Rotation --> RAM[RAM Managed Secret]
    Rotation --> ECS[ECS Managed Secret]
    Rotation --> Redis[Redis Managed Secret]
    Rotation --> PolarDB[PolarDB Managed Secret]
```
Environment Setup
Dependency: Aliyun CLI. If a `command not found` error occurs, refer to references/cli-installation-guide.md for installation.
Timeout Configuration
Set appropriate timeouts for CLI commands to avoid hanging:
```bash
# Set timeout environment variables (unit: seconds)
export ALIBABA_CLOUD_CONNECT_TIMEOUT=30
export ALIBABA_CLOUD_READ_TIMEOUT=30
```
Or use command-line flags:
```bash
aliyun kms --connect-timeout 30 --read-timeout 30 ...
```
Recommended timeout values:
- Connection timeout: 30 seconds
- Read timeout: 30 seconds
Security Rules
- Prohibited: Reading, printing, or displaying AK/SK values
- Prohibited: Requiring users to directly input AK/SK in conversation
- Sensitive Data Masking: Secret values returned by GetSecretValue are masked by default (e.g., `***`); output in plaintext only when the user explicitly requests it
RAM Permission Requirements
Ensure the executing user has the following KMS permissions. For detailed policies, see references/ram-policies.md.
Minimum Permissions (Read-Only):
```
kms:DescribeSecret, kms:ListSecrets, kms:GetSecretValue, kms:ListSecretVersionIds, kms:GetSecretPolicy
```
Full Permissions (Read-Write):
```
kms:CreateSecret, kms:DeleteSecret, kms:UpdateSecret, kms:DescribeSecret,
kms:ListSecrets, kms:GetSecretValue, kms:PutSecretValue, kms:ListSecretVersionIds,
kms:UpdateSecretVersionStage, kms:UpdateSecretRotationPolicy, kms:RotateSecret,
kms:RestoreSecret, kms:SetSecretPolicy, kms:GetSecretPolicy,
kms:ListKmsInstances, kms:ListKeys, kms:CreateKey
```
Core Workflows
1. Create Secret
Creating a secret requires obtaining the KMS instance ID and the encryption key ID first, then executing the creation.
```bash
# Step 1: get the KMS instance ID
aliyun kms ListKmsInstances --PageNumber 1 --PageSize 10 --region <region> --user-agent AlibabaCloud-Agent-Skills
# → extract KmsInstances.KmsInstance[0].KmsInstanceId

# Step 2: get the encryption key ID
aliyun kms ListKeys --Filters '[{"Key":"KeySpec","Values":["Aliyun_AES_256"]},{"Key":"DKMSInstanceId","Values":["<kms-instance-id>"]}]' --PageNumber 1 --PageSize 10 --region <region> --user-agent AlibabaCloud-Agent-Skills
# → extract Keys.Key[0].KeyId

# Step 3: create the secret (requires DKMSInstanceId and EncryptionKeyId)
aliyun kms CreateSecret --SecretName <secret-name> --SecretData <secret-data> --VersionId <version-id> --EncryptionKeyId <key-id> --DKMSInstanceId <kms-instance-id> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
2. List Secrets
```bash
aliyun kms ListSecrets --region <region> --user-agent AlibabaCloud-Agent-Skills
```
3. Get Secret Value
Security Policy:
- If the user does NOT explicitly request the secret value: Only provide the CLI command or Python code script. DO NOT execute.
- If the user explicitly requests to get/retrieve/show the secret value: Provide the command/script first, then execute after the user confirms.
CLI Command:
```bash
aliyun kms GetSecretValue --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
Python SDK Example:
```python
from alibabacloud_tea_openapi.client import Client as OpenApiClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_util import models as util_models

# Credentials come from the default credential chain (environment, profile, ...);
# AK/SK are never written into the script itself
credential = CredentialClient()
config = open_api_models.Config(credential=credential)
config.endpoint = 'kms.<region>.aliyuncs.com'
client = OpenApiClient(config)

params = open_api_models.Params(
    action='GetSecretValue',
    version='2016-01-20',
    protocol='HTTPS',
    method='POST',
    auth_type='AK',
    style='RPC',
    pathname='/',
    req_body_type='json',
    body_type='json'
)
body = {'SecretName': '<secret-name>'}
runtime = util_models.RuntimeOptions()
request = open_api_models.OpenApiRequest(body=body)
response = client.call_api(params, request, runtime)
# The body contains SecretData in plaintext; print it only after the user has confirmed
print(response.body)
```
Note:
- Only execute the retrieval after the user explicitly confirms
- The secret value contains sensitive information that should be handled with care
- Always remind the user to execute in a secure environment (private terminal, no screen sharing, no logging)
4. Delete Secret
Pre-check before deletion (Safety Requirement):
Before force deleting a secret, always verify its existence and check whether it is still in use:
```bash
# Step 1: describe the secret to verify existence and check its metadata
aliyun kms DescribeSecret --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
# → check metadata such as SecretName and CreateTime to confirm this is the right secret
```
If DescribeSecret returns an error (secret not found):
- Stop and inform the user: "Secret does not exist, no deletion needed"
If DescribeSecret succeeds:
- Review the secret metadata
- Confirm with the user before proceeding with force deletion
```bash
# Step 2: force delete (immediate, not recoverable)
aliyun kms DeleteSecret --SecretName <secret-name> --ForceDeleteWithoutRecovery true --region <region> --user-agent AlibabaCloud-Agent-Skills
```
Idempotency: If a Forbidden.ResourceNotFound error is returned, the secret does not exist; treat the deletion as successful and continue with subsequent operations.
5. Update Secret Value
```bash
aliyun kms PutSecretValue --SecretName <secret-name> --SecretData <secret-data> --VersionId <version-id> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
6. Describe Secret
```bash
aliyun kms DescribeSecret --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
7. List Secret Versions
```bash
aliyun kms ListSecretVersionIds --SecretName <secret-name> --IncludeDeprecated true --region <region> --user-agent AlibabaCloud-Agent-Skills
```
8. Configure Rotation Policy
```bash
aliyun kms UpdateSecretRotationPolicy --SecretName <secret-name> --EnableAutomaticRotation true --RotationInterval 7d --region <region> --user-agent AlibabaCloud-Agent-Skills
```
9. Restore Deleted Secret
```bash
aliyun kms RestoreSecret --SecretName <secret-name> --region <region> --user-agent AlibabaCloud-Agent-Skills
```
Idempotency: If a Rejected.ResourceInUse error is returned, the secret has already been restored or was never deleted; treat the restore as successful and continue with subsequent operations.
Advanced Features
For managed credentials and other advanced features, see [references