Key Management Service

Application Access Point Overview

2025-01-08 02:01:42

After the subscription-based KMS is activated, you need to call the KMS API to perform cryptographic operations; it supports business scenarios such as data encryption and decryption, signing, and integrity verification.

To access KMS over a private network channel within an intranet, you need to create an application access point; KMS establishes the network channel through that access point.

An application access point also provides an access control mechanism: identity credentials are created for the callers that use the access point, and each call to KMS is authenticated against those credentials.

Note:

1. If your self-managed applications are distributed across multiple virtual private clouds (VPCs) in the same region, you need to create an application access point for each service that needs to be integrated with KMS, establishing a network channel between the applications in each VPC and KMS.

2. If multiple self-managed applications are deployed in the same VPC, you can create an independent access point for each application to achieve independent access control.

3. Currently, KMS provides three application access points free of charge.

Establish a Network Channel

You need to create an application access point and establish a network channel between the VPC where the application is located and the KMS server.

•   You need to specify the VPC where the application is located when creating an application access point.

•   After the application access point is created, KMS generates an endpoint address for you to access the KMS service.

Note:

KMS is a region-level service: applications in a VPC in the same region can access KMS through application access points, but cross-region access is not supported.

Access Control

The application access point provides an access control mechanism. When your self-managed application needs to access the subscription-based KMS, authentication is required, and you need to create an access credential (AK/SK) for the caller.

•   Identity credentials are used to authenticate callers of KMS and to authorize the operations they perform.

•   KMS supports authentication through an AccessKey (AK) / SecretKey (SK) pair.

•   You can integrate with KMS quickly through the SDK provided by KMS, passing the AK/SK when initializing the SDK.

Note:

1. After the access credential (AK/SK) is generated, copy or download the files from the pop-up window immediately; they cannot be downloaded after the window is closed. If you fail to save the AK/SK, delete the credential and create a new one.

2. If the AK/SK is leaked, data leakage may occur; keep it properly secured.
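The two notes above come down to one practice: the SK must reach the SDK at initialization without ever being written into source code or logs. The following Python snippet is an added example and is not part of the KMS documentation or the provider's SDK; it assumes the credential is supplied through the environment variables KMS_ACCESS_KEY and KMS_SECRET_KEY (names chosen here), refuses to start if either is missing, and keeps the SK out of repr() output and log lines so a leaked log file does not become a leaked credential.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

# Environment variable names are an assumption of this example, not the SDK's.
AK_ENV = "KMS_ACCESS_KEY"
SK_ENV = "KMS_SECRET_KEY"


class MissingCredentialError(RuntimeError):
    """Raised when the AK/SK pair is not fully present at startup."""


@dataclass(frozen=True)
class KmsCredential:
    """AK/SK pair to hand to the KMS SDK at initialization time."""
    access_key: str
    secret_key: str

    def __repr__(self) -> str:
        # The AK is an identifier and may be shown; the SK is never printed.
        return f"KmsCredential(access_key={self.access_key!r}, secret_key='***')"

    __str__ = __repr__


def load_credential(env: Optional[Mapping[str, str]] = None) -> KmsCredential:
    """Read the AK/SK from the environment (or an injected mapping for tests).

    Fails closed: an application that cannot authenticate to KMS should not
    start with a half-configured credential and fail later in an opaque way.
    """
    source = os.environ if env is None else env
    ak = (source.get(AK_ENV) or "").strip()
    sk = (source.get(SK_ENV) or "").strip()
    missing = [name for name, value in ((AK_ENV, ak), (SK_ENV, sk)) if not value]
    if missing:
        # Report only which variable is missing, never any partial value.
        raise MissingCredentialError(f"missing KMS credential: {', '.join(missing)}")
    return KmsCredential(access_key=ak, secret_key=sk)


def mask_secret(line: str, credential: KmsCredential) -> str:
    """Replace any occurrence of the SK in a log line before it is emitted."""
    if not credential.secret_key:
        return line
    return line.replace(credential.secret_key, "***")


if __name__ == "__main__":
    # Constructed sample values; a real AK/SK comes from the KMS console download.
    sample_env = {AK_ENV: "AK-constructed-example", SK_ENV: "sk-constructed-example"}
    cred = load_credential(sample_env)
    print(cred)  # secret_key is shown as '***'
    print(mask_secret(f"debug: signing with sk={cred.secret_key}", cred))
```

In production the application passes cred.access_key and cred.secret_key to the SDK constructor and routes all logging through mask_secret (or an equivalent log filter), so the only copy of the SK is the one held in memory for signing.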
