This Skill provides core functionality for Alibaba Cloud Key Management Service (KMS) secret management, supporting CRUD operations on secrets.
Scenario Description
KMS Secret Management service is used to securely store, manage, and access sensitive information, such as:
- Database connection credentials
- API keys
- OAuth tokens
- Certificate private keys
- Other sensitive data requiring secure storage
Architecture: Alibaba Cloud KMS Service + Secret Management (Secrets Manager)
graph TB
User[Application/User] --> KMS[KMS Secret Management]
KMS --> Secret[Generic Secret]
Secret --> V1[Version 1]
Secret --> V2[Version 2]
Secret --> VN[Version N]
KMS --> Rotation[Rotation Secret]
Rotation --> RDS[RDS Managed Secret]
Rotation --> RAM[RAM Managed Secret]
Rotation --> ECS[ECS Managed Secret]
Rotation --> Redis[Redis Managed Secret]
Rotation --> PolarDB[PolarDB Managed Secret]
Environment Setup
Dependency: Aliyun CLI. If a "command not found" error occurs, refer to references/cli-installation-guide.md for installation.
Timeout Configuration
Set appropriate timeouts for CLI commands to avoid hanging:
# Set timeout environment variables (in seconds)
export ALIBABA_CLOUD_CONNECT_TIMEOUT=30
export ALIBABA_CLOUD_READ_TIMEOUT=30
Or use command-line flags:
aliyun kms --connect-timeout 30 --read-timeout 30 ...
Recommended timeout values:
- Connection timeout: 30 seconds
- Read timeout: 30 seconds
Security Rules
- Prohibited: Reading, printing, or displaying AK/SK values
- Prohibited: Requiring users to directly input AK/SK in conversation
- Sensitive Data Masking: Secret values returned by GetSecretValue are masked by default (e.g., ); they are output in plaintext only when the user explicitly requests it
RAM Permission Requirements
Ensure the executing user has the following KMS permissions. For detailed policies, see references/ram-policies.md.
Minimum Permissions (Read-Only):
kms:DescribeSecret, kms:ListSecrets, kms:GetSecretValue, kms:ListSecretVersionIds, kms:GetSecretPolicy
Full Permissions (Read-Write):
kms:CreateSecret, kms:DeleteSecret, kms:UpdateSecret, kms:DescribeSecret,
kms:ListSecrets, kms:GetSecretValue, kms:PutSecretValue, kms:ListSecretVersionIds,
kms:UpdateSecretVersionStage, kms:UpdateSecretRotationPolicy, kms:RotateSecret,
kms:RestoreSecret, kms:SetSecretPolicy, kms:GetSecretPolicy,
kms:ListKmsInstances, kms:ListKeys, kms:CreateKey
Core Workflows
1. Create Secret
Creating a secret requires obtaining the KMS instance ID and encryption key ID first, then executing the creation.
# Step 1: Get KMS Instance ID
aliyun kms ListKmsInstances --PageNumber 1 --PageSize 10 --region --user-agent AlibabaCloud-Agent-Skills
# → Extract KmsInstances.KmsInstance[0].KmsInstanceId
# Step 2: Get Encryption Key ID
aliyun kms ListKeys --Filters '[{"Key":"KeySpec","Values":["Aliyun_AES_256"]},{"Key":"DKMSInstanceId","Values":[""]}]' --PageNumber 1 --PageSize 10 --region --user-agent AlibabaCloud-Agent-Skills
# → Extract Keys.Key[0].KeyId
# Step 3: Create Secret (requires DKMSInstanceId and EncryptionKeyId)
aliyun kms CreateSecret --SecretName "" --SecretData "" --VersionId "" --EncryptionKeyId "" --DKMSInstanceId "" --region --user-agent AlibabaCloud-Agent-Skills
2. List Secrets
aliyun kms ListSecrets --region --user-agent AlibabaCloud-Agent-Skills
3. Get Secret Value
Security Policy:
- If user does NOT explicitly request the secret value: Only provide the CLI command or Python code script. DO NOT execute.
- If user explicitly requests to get/retrieve/show the secret value: Provide the command/script first, then execute after user confirms.
CLI Command:
aliyun kms GetSecretValue --SecretName "" --region --user-agent AlibabaCloud-Agent-Skills
Python SDK Example:
from alibabacloud_tea_openapi.client import Client as OpenApiClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_util import models as util_models

# Credentials are resolved by the SDK credential chain (environment, profile, RAM role);
# the AK/SK is never read or printed by this script.
credential = CredentialClient()
config = open_api_models.Config(credential=credential)
config.endpoint = 'kms..aliyuncs.com'  # regional KMS endpoint (region segment left blank here)
client = OpenApiClient(config)
# Generic OpenAPI call descriptor for the KMS GetSecretValue action
params = open_api_models.Params(
    action='GetSecretValue',
    version='2016-01-20',
    protocol='HTTPS',
    method='POST',
    auth_type='AK',
    style='RPC',
    pathname='/',
    req_body_type='json',
    body_type='json'
)
body = {'SecretName': ''}  # name of the secret to read
runtime = util_models.RuntimeOptions()
request = open_api_models.OpenApiRequest(body=body)
response = client.call_api(params, request, runtime)
# response.body carries SecretData in plaintext: print it only after the user explicitly asked for it
print(response.body)
Note:
- Only execute the retrieval after user explicitly confirms
- The secret value contains sensitive information that should be handled with care
- Always remind user to execute in a secure environment (private terminal, no screen sharing, no logging)
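The masking rule from Security Rules applied to the GetSecretValue body above, as an added example that is not part of the Skill's own code: SecretData is masked unless the caller passes reveal=True, and a text secret that holds a JSON object keeps its keys so the shape stays visible. The mask string and the reveal flag are assumptions of this example.

```python
import json
from typing import Any, Dict

MASK = "******"  # constructed placeholder; the page does not fix the exact mask string


def mask_secret_response(body: Dict[str, Any], reveal: bool = False) -> Dict[str, Any]:
    """Return a copy of a GetSecretValue response body with SecretData masked.

    reveal=True (only after the user explicitly asked for plaintext) returns it untouched.
    A text secret holding a JSON object keeps its keys and masks every value, so the
    caller can still see which fields exist; anything else is replaced wholesale."""
    out = dict(body)                      # never mutate the caller's response object
    if reveal or "SecretData" not in out:
        return out
    data = out["SecretData"]
    parsed = None
    if out.get("SecretDataType", "text") == "text":
        try:
            parsed = json.loads(data)     # many secrets are JSON such as {"username":..,"password":..}
        except (TypeError, ValueError):
            pass                          # plain string secret: mask wholesale below
    if isinstance(parsed, dict):
        out["SecretData"] = json.dumps({k: MASK for k in parsed})
    else:
        out["SecretData"] = MASK          # binary secrets and plain text get a single mask
    return out
```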
4. Delete Secret
Pre-check before deletion (Safety Requirement):
Before force deleting a secret, always verify its existence and check if it's still in use:
# Step 1: Describe the secret to verify existence and check metadata
aliyun kms DescribeSecret --SecretName "" --region --user-agent AlibabaCloud-Agent-Skills
# → Check SecretName, CreateTime, and other metadata to confirm this is the correct secret
If DescribeSecret returns an error (secret not found):
- Stop and inform user: "Secret does not exist, no deletion needed"
If DescribeSecret succeeds:
- Review the secret metadata
- Confirm with user before proceeding with force deletion
# Step 2: Force delete (immediate deletion, cannot be recovered)
aliyun kms DeleteSecret --SecretName "" --ForceDeleteWithoutRecovery true --region --user-agent AlibabaCloud-Agent-Skills
Idempotency: If a Forbidden.ResourceNotFound error is returned, the secret does not exist; treat the deletion as successful and continue with subsequent operations.
5. Update Secret Value
aliyun kms PutSecretValue --SecretName "" --SecretData "" --VersionId "" --region --user-agent AlibabaCloud-Agent-Skills
6. Describe Secret
aliyun kms DescribeSecret --SecretName "" --region --user-agent AlibabaCloud-Agent-Skills
7. List Secret Versions
aliyun kms ListSecretVersionIds --SecretName "" --IncludeDeprecated true --region --user-agent AlibabaCloud-Agent-Skills
8. Configure Rotation Policy
aliyun kms UpdateSecretRotationPolicy --SecretName "" --EnableAutomaticRotation true --RotationInterval 7d --region --user-agent AlibabaCloud-Agent-Skills
9. Restore Deleted Secret
aliyun kms RestoreSecret --SecretName "" --region --user-agent AlibabaCloud-Agent-Skills
Idempotency: If a Rejected.ResourceInUse error is returned, the secret has already been restored or was never deleted; treat the restore as successful and continue with subsequent operations.
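The delete pre-check of section 4 and the idempotency rules of sections 4 and 9, as an added Python wrapper around the CLI that is not part of the Skill's own code. It assumes the CLI is driven through a runner returning (exit code, stdout, stderr), that DescribeSecret prints JSON on stdout, and that the error code appears in the CLI's error text; the runner is injectable so the logic can be exercised without cloud access.

```python
import json
import subprocess
from typing import Callable, Sequence, Tuple

Runner = Callable[[Sequence[str]], Tuple[int, str, str]]  # assumed contract: argv -> (code, out, err)
NOT_FOUND = "Forbidden.ResourceNotFound"   # error code named in the Delete section
IN_USE = "Rejected.ResourceInUse"          # error code named in the Restore section


def run_aliyun(argv: Sequence[str]) -> Tuple[int, str, str]:
    """Default runner: the real Aliyun CLI with the page's timeout and user-agent flags."""
    p = subprocess.run(["aliyun", "kms", "--connect-timeout", "30", "--read-timeout", "30",
                        *argv, "--user-agent", "AlibabaCloud-Agent-Skills"],
                       capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def _call(run: Runner, action: str, region: str, **params: str) -> Tuple[bool, str]:
    """Run 'aliyun kms <Action> --Key value ... --region R'; return (ok, stdout or stderr)."""
    argv = [action]
    for key, value in params.items():
        argv += [f"--{key}", value]
    argv += ["--region", region]
    code, out, err = run(argv)
    return code == 0, out if code == 0 else err


def delete_secret(name: str, region: str, confirm: Callable[[dict], bool],
                  run: Runner = run_aliyun) -> str:
    """Describe first, let the caller confirm on the metadata, then force-delete."""
    ok, text = _call(run, "DescribeSecret", region, SecretName=name)
    if not ok:
        if NOT_FOUND in text:
            return "not_found"          # stop: secret does not exist, no deletion needed
        raise RuntimeError(text)        # any other error is surfaced, not swallowed
    meta = json.loads(text)
    if not confirm(meta):               # caller reviews SecretName, CreateTime, ...
        return "aborted"
    ok, text = _call(run, "DeleteSecret", region, SecretName=name,
                     ForceDeleteWithoutRecovery="true")
    if ok or NOT_FOUND in text:         # idempotent: already gone counts as deleted
        return "deleted"
    raise RuntimeError(text)


def restore_secret(name: str, region: str, run: Runner = run_aliyun) -> str:
    """Restore a deleted secret; ResourceInUse means it is already live, so succeed."""
    ok, text = _call(run, "RestoreSecret", region, SecretName=name)
    if ok or IN_USE in text:
        return "restored"
    raise RuntimeError(text)
```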
Advanced Features
For managed credentials and other advanced features, see references/managed-credentials.md.
Reference Links