# Managed Credentials Guide This document details the creation and management of KMS managed credentials. ## Managed Credentials Overview Managed credentials can automatically manage cloud product credential rotation, supporting the following types: | Type | Description | Supported Cloud Products | |------|-------------|-------------------------| | Rds | RDS Managed Credentials | ApsaraDB RDS | | RAMCredentials | RAM Managed Credentials | RAM User AccessKey | | ECS | ECS Managed Credentials | ECS Instance Login Credentials | | Redis | Redis Managed Credentials | Redis Instances | | PolarDB | PolarDB Managed Credentials | PolarDB Databases | --- ## RDS Managed Credentials ### Create RDS Managed Credential ```bash aliyun kms CreateSecret \ --SecretName "" \ --SecretType Rds \ --SecretData '{"Accounts":[{"AccountName":"","AccountPassword":""}]}' \ --VersionId "v1" \ --ExtendedConfig '{"SecretSubType":"SingleUser","DBInstanceId":""}' \ --EnableAutomaticRotation true \ --RotationInterval 7d \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` ### SecretData Format ```json { "Accounts": [ { "AccountName": "dbuser", "AccountPassword": "" } ] } ``` ### ExtendedConfig Format | Field | Type | Required | Description | |-------|------|----------|-------------| | SecretSubType | String | Yes | Fixed value: SingleUser or DualUser | | DBInstanceId | String | Yes | RDS Instance ID | | CustomData | Object | No | Custom data | ```json { "SecretSubType": "SingleUser", "DBInstanceId": "rm-xxxxxxxx", "CustomData": {} } ``` ### Rotation Mode Description - **SingleUser**: Single account mode, directly modifies account password during rotation - **DualUser**: Dual account mode, switches between two accounts during rotation, no business interruption --- ## RAM Managed Credentials ### Create RAM Managed Credential ```bash aliyun kms CreateSecret \ --SecretName "" \ --SecretType RAMCredentials \ --SecretData '{"AccessKeys":[{"AccessKeyId":"","AccessKeySecret":""}]}' \ --VersionId "v1" \ --ExtendedConfig '{"SecretSubType":"RamUserAccessKey","UserName":""}' \ --EnableAutomaticRotation true \ --RotationInterval 30d \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` ### SecretData Format ```json { "AccessKeys": [ { "AccessKeyId": "", "AccessKeySecret": "" } ] } ``` ### ExtendedConfig Format ```json { "SecretSubType": "RamUserAccessKey", "UserName": "ram-user-name", "CustomData": {} } ``` --- ## ECS Managed Credentials ### Create ECS Managed Credential (Password Mode) ```bash aliyun kms CreateSecret \ --SecretName "" \ --SecretType ECS \ --SecretData '{"UserName":"root","Password":""}' \ --VersionId "v1" \ --ExtendedConfig '{"SecretSubType":"Password","RegionId":"","InstanceId":""}' \ --EnableAutomaticRotation true \ --RotationInterval 30d \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` ### Password Mode SecretData Format ```json { "UserName": "root", "Password": "" } ``` ### SSH Key Mode SecretData Format ```json { "UserName": "root", "PublicKey": "", "PrivateKey": "" } ``` ### ExtendedConfig Format ```json { "SecretSubType": "Password", "RegionId": "cn-hangzhou", "InstanceId": "i-xxxxxxxx", "CustomData": {} } ``` --- ## Secret Policy (KMS Instance Only) > **Limitation**: `SetSecretPolicy` and `GetSecretPolicy` APIs **only apply to secrets in KMS instances**, not supported in shared KMS. ### Set Secret Policy ```bash aliyun kms SetSecretPolicy \ --SecretName "" \ --Policy '' \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` ### Policy Format Example ```json { "Version": "1", "Statement": [ { "Effect": "Allow", "Principal": { "RAM": ["acs:ram::*:user/app-user"] }, "Action": ["kms:GetSecretValue"], "Resource": ["*"] } ] } ``` ### Query Secret Policy ```bash aliyun kms GetSecretPolicy \ --SecretName "" \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` --- ## Additional RAM Permissions Required for Managed Credentials When using managed credentials, in addition to KMS permissions, you need to grant permissions for the corresponding cloud products. ### RDS Managed Credential Permissions ```json { "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "rds:ResetAccountPassword", "rds:DescribeAccounts", "rds:DescribeDBInstanceAttribute" ], "Resource": "*" } ] } ``` ### RAM Managed Credential Permissions ```json { "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ram:CreateAccessKey", "ram:DeleteAccessKey", "ram:ListAccessKeys", "ram:GetUser" ], "Resource": "*" } ] } ``` ### ECS Managed Credential Permissions ```json { "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyInstanceAttribute", "ecs:DescribeInstances" ], "Resource": "*" } ] } ``` --- ## Rotation Policy Configuration ### Enable Automatic Rotation ```bash aliyun kms UpdateSecretRotationPolicy \ --SecretName "" \ --EnableAutomaticRotation true \ --RotationInterval 7d \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` ### Rotation Interval Description | Format | Example | Description | |--------|---------|-------------| | Days | 7d | Rotate every 7 days | | Hours | 168h | Rotate every 168 hours | **Valid Range**: 6 hours ~ 365 days ### Disable Automatic Rotation ```bash aliyun kms UpdateSecretRotationPolicy \ --SecretName "" \ --EnableAutomaticRotation false \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` ### Manual Rotation ```bash aliyun kms RotateSecret \ --SecretName "" \ --VersionId "" \ --region \ --user-agent AlibabaCloud-Agent-Skills ``` --- ## Best Practices 1. **Choose appropriate rotation period**: 7-30 days recommended for production 2. **Use dual account mode (RDS)**: Avoid business interruption during rotation 3. **Monitor rotation events**: Monitor rotation results via ActionTrail 4. **Test rotation process**: Verify in test environment before applying to production 5. **Configure alerts**: Set up CloudMonitor alerts for rotation failure events