
KMS Encryption with instance default CA cert #1262

@rifandyzv

Description

  • Type of Demand:
    Feature Enhancement — Add support for KMS Encryption using instance default CA certificate in aliyun-cli.

  • Detailed Description:
    Currently, aliyun-cli does not support KMS encryption when connecting via a dedicated gateway endpoint that requires the instance’s default CA certificate. This limitation makes it difficult or impossible to perform encrypted operations through dedicated endpoints in compliance with enterprise security policies. Users must be able to specify or auto-load the default CA cert associated with their KMS instance when initializing KMS client connections via CLI. This aligns with functionality already available in Classic KMS SDKs (see: https://www.alibabacloud.com/help/en/kms/key-management-service/developer-reference/classic-kms-sdkclassic-kms-sdk).

  • Design:
    Add INSTANCE_CA_CERTIFICATE input param, and pass it into this sample SDK method

    public static com.aliyun.kms20160120.Client createClient() throws Exception {
        // If the project code is leaked, the AccessKey pair may be leaked and the security of all resources within your account may be compromised. The following sample code is for reference only.
        // We recommend that you use Security Token Service (STS) tokens to enhance security. For more information about authentication methods, visit https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-access-credentials?spm=a2c63.p38356.help-menu-262060.d_1_4_1_2.1ad47c23arIlrq.
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                // Required. Make sure that the environment variable ALIBABA_CLOUD_ACCESS_KEY_ID is configured.
                .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                // Required. Make sure that the environment variable ALIBABA_CLOUD_ACCESS_KEY_SECRET is configured.
                .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // Enter the VPC endpoint of the instance. Example: kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com.
        config.endpoint = "<INSTANCE_VPC_ENDPOINT>";
        // Enter the content of the CA certificate of the instance.
        config.ca = "<INSTANCE_CA_CERTIFICATE>";
        return new com.aliyun.kms20160120.Client(config);
    }
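The following is an added illustration of the trust policy the design above asks for, written in Go (the language aliyun-cli is implemented in); it is not code from the aliyun-cli project or from the Alibaba Cloud SDK. It loads the PEM text an INSTANCE_CA_CERTIFICATE parameter would carry into a certificate pool that replaces the system roots, pins the VPC endpoint host name, and shows that a server certificate issued by an unrelated CA, or issued for a different host, is rejected, while a certificate presented as the instance CA is refused if it is not actually a CA. The function names, the generated throwaway CAs, the endpoint host and the point at which the CLI would plug the resulting tls.Config into its HTTP transport are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LoadInstanceCA parses the PEM text an INSTANCE_CA_CERTIFICATE parameter
// would carry and returns a pool holding only the certificates found there.
// Each must be a CA: accepting a leaf as a trust anchor would let the
// endpoint's own certificate (or any leaked one) vouch for itself.
func LoadInstanceCA(pemText []byte) (*x509.CertPool, error) {
	pool, added := x509.NewCertPool(), 0
	for block, rest := pem.Decode(pemText); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("instance CA: %w", err)
		}
		if !cert.BasicConstraintsValid || !cert.IsCA {
			return nil, fmt.Errorf("instance CA: %q is not a CA certificate", cert.Subject.CommonName)
		}
		pool.AddCert(cert)
		added++
	}
	if added == 0 {
		return nil, errors.New("instance CA: no CERTIFICATE block in input")
	}
	return pool, nil
}

// NewInstanceTLSConfig is the client config the CLI's HTTP transport would use
// for the dedicated endpoint (assumed integration point): RootCAs replaces the
// system roots rather than extending them, so only the instance CA can vouch
// for the server, and ServerName pins the expected VPC endpoint host.
func NewInstanceTLSConfig(pool *x509.CertPool, endpointHost string) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: endpointHost, MinVersion: tls.VersionTLS12}
}

// VerifyEndpointCert runs the chain-and-hostname check the handshake would,
// so the trust policy can be exercised without a network connection.
func VerifyEndpointCert(pool *x509.CertPool, server *x509.Certificate, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// NewTestCA builds a throwaway self-signed CA (constructed test material, not
// a real KMS instance CA) and returns the parsed cert, its key and its PEM.
func NewTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// IssueServerCert signs a leaf for host with the given CA (test material).
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const host = "kst-example.cryptoservice.kms.aliyuncs.com" // placeholder VPC endpoint host
	ca, caKey, caPEM, _ := NewTestCA("kms-instance-ca")
	pool, err := LoadInstanceCA(caPEM)
	if err != nil {
		panic(err)
	}
	leaf, _ := IssueServerCert(ca, caKey, host)
	otherCA, otherKey, _, _ := NewTestCA("unrelated-ca")
	rogue, _ := IssueServerCert(otherCA, otherKey, host)
	fmt.Println("instance CA, endpoint host:", VerifyEndpointCert(pool, leaf, host))
	fmt.Println("instance CA, other host:   ", VerifyEndpointCert(pool, leaf, "other.example"))
	fmt.Println("unrelated CA, endpoint host:", VerifyEndpointCert(pool, rogue, host))
	_ = NewInstanceTLSConfig(pool, host)
}
```

The point a CLI implementation has to get right is that the instance CA is the only root for the dedicated endpoint: appending it to the system pool would still let any publicly trusted CA mint a certificate for the VPC endpoint host, and skipping the IsCA check would let a leaf certificate be handed in as the "CA".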
