
Alibabacloud Kms Secret Manage

by alibabacloud-skills-team · GitHub ↗ · v0.0.2 · MIT-0
cross-platform · ⚠ suspicious
Downloads: 99 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install alibabacloud-kms-secret-manage
Description
Alibaba Cloud KMS Secret Management Skill. Used for managing secrets in KMS, supporting create, delete, update, query operations, version management, and rot...
README (SKILL.md)

Alibaba Cloud KMS Secret Management

This Skill provides core functionality for Alibaba Cloud Key Management Service (KMS) secret management, supporting CRUD operations on secrets.

Scenario Description

KMS Secret Management service is used to securely store, manage, and access sensitive information, such as:

  • Database connection credentials
  • API keys
  • OAuth tokens
  • Certificate private keys
  • Other sensitive data requiring secure storage

Architecture: Alibaba Cloud KMS Service + Secret Management (Secrets Manager)

graph TB
    User[Application/User] --> KMS[KMS Secret Management]
    KMS --> Secret[Generic Secret]
    Secret --> V1[Version 1]
    Secret --> V2[Version 2]
    Secret --> VN[Version N]
    KMS --> Rotation[Rotation Secret]
    Rotation --> RDS[RDS Managed Secret]
    Rotation --> RAM[RAM Managed Secret]
    Rotation --> ECS[ECS Managed Secret]
    Rotation --> Redis[Redis Managed Secret]
    Rotation --> PolarDB[PolarDB Managed Secret]

Environment Setup

Dependency: Aliyun CLI. If a "command not found" error occurs, refer to references/cli-installation-guide.md for installation.

Timeout Configuration

Set appropriate timeouts for CLI commands to avoid hanging:

# Set timeout environment variables (in seconds)
export ALIBABA_CLOUD_CONNECT_TIMEOUT=30
export ALIBABA_CLOUD_READ_TIMEOUT=30

Or use command-line flags:

aliyun kms <action> --connect-timeout 30 --read-timeout 30 ...

Recommended timeout values:

  • Connection timeout: 30 seconds
  • Read timeout: 30 seconds

Security Rules

  • Prohibited: Reading, printing, or displaying AK/SK values
  • Prohibited: Requiring users to directly input AK/SK in conversation
  • Sensitive Data Masking: Secret values returned by GetSecretValue are masked by default (e.g., ***) and are output in plaintext only when the user explicitly requests it

RAM Permission Requirements

Ensure the executing user has the following KMS permissions. For detailed policies, see references/ram-policies.md.

Minimum Permissions (Read-Only):

kms:DescribeSecret, kms:ListSecrets, kms:GetSecretValue, kms:ListSecretVersionIds, kms:GetSecretPolicy

Full Permissions (Read-Write):

kms:CreateSecret, kms:DeleteSecret, kms:UpdateSecret, kms:DescribeSecret, 
kms:ListSecrets, kms:GetSecretValue, kms:PutSecretValue, kms:ListSecretVersionIds,
kms:UpdateSecretVersionStage, kms:UpdateSecretRotationPolicy, kms:RotateSecret,
kms:RestoreSecret, kms:SetSecretPolicy, kms:GetSecretPolicy,
kms:ListKmsInstances, kms:ListKeys, kms:CreateKey

Core Workflows

1. Create Secret

Creating a secret requires obtaining the KMS instance ID and encryption key ID first, then executing the creation.

# Step 1: Get KMS Instance ID
aliyun kms ListKmsInstances --PageNumber 1 --PageSize 10 --region <region-id> --user-agent AlibabaCloud-Agent-Skills
# → Extract KmsInstances.KmsInstance[0].KmsInstanceId

# Step 2: Get Encryption Key ID
aliyun kms ListKeys --Filters '[{"Key":"KeySpec","Values":["Aliyun_AES_256"]},{"Key":"DKMSInstanceId","Values":["<instance-id>"]}]' --PageNumber 1 --PageSize 10 --region <region-id> --user-agent AlibabaCloud-Agent-Skills
# → Extract Keys.Key[0].KeyId

# Step 3: Create Secret (requires DKMSInstanceId and EncryptionKeyId)
aliyun kms CreateSecret --SecretName "<secret-name>" --SecretData "<secret-value>" --VersionId "<version-id>" --EncryptionKeyId "<key-id>" --DKMSInstanceId "<instance-id>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

2. List Secrets

aliyun kms ListSecrets --region <region-id> --user-agent AlibabaCloud-Agent-Skills

3. Get Secret Value

Security Policy:

  • If user does NOT explicitly request the secret value: Only provide the CLI command or Python code script. DO NOT execute.
  • If user explicitly requests to get/retrieve/show the secret value: Provide the command/script first, then execute after user confirms.

CLI Command:

aliyun kms GetSecretValue --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

Python SDK Example:

# Credentials are resolved by the SDK's default credential chain (environment
# variables, config file, or an instance RAM role); never hard-code AK/SK here.
from alibabacloud_tea_openapi.client import Client as OpenApiClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_util import models as util_models

credential = CredentialClient()
config = open_api_models.Config(credential=credential)
config.endpoint = 'kms.<region-id>.aliyuncs.com'
client = OpenApiClient(config)

# Generic OpenAPI call description for KMS GetSecretValue (API version 2016-01-20)
params = open_api_models.Params(
    action='GetSecretValue',
    version='2016-01-20',
    protocol='HTTPS',
    method='POST',
    auth_type='AK',
    style='RPC',
    pathname='/',
    req_body_type='json',
    body_type='json'
)

body = {'SecretName': '<secret-name>'}
runtime = util_models.RuntimeOptions()
request = open_api_models.OpenApiRequest(body=body)
response = client.call_api(params, request, runtime)
# response.body carries SecretData in plaintext: apply the masking rule from
# "Security Rules" and print it only when the user explicitly asked for it.
print(response.body)

Note:

  • Only execute the retrieval after user explicitly confirms
  • The secret value contains sensitive information that should be handled with care
  • Always remind user to execute in a secure environment (private terminal, no screen sharing, no logging)
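The masking rule above ("masked by default, plaintext only on explicit request") applied to a GetSecretValue reply, as an added example that is not part of the skill. SAMPLE_RESPONSE is a constructed reply, not output from a real KMS instance; JSON-shaped text secrets (such as an RDS credential) have each value masked separately so the key names stay checkable.

```python
import json
from typing import Any, Dict

MASK = "***"

def mask_secret_value(body: Dict[str, Any], reveal: bool = False) -> Dict[str, Any]:
    """Return a copy of a GetSecretValue response body with SecretData masked.

    reveal=True is only for the case where the user explicitly asked for
    plaintext. For text secrets that are JSON objects (e.g. an RDS credential
    with AccountName/AccountPassword) each value is masked separately, so the
    key names stay visible for verification without exposing any value.
    """
    out = dict(body)
    if reveal or "SecretData" not in out:
        return out
    raw = out["SecretData"]
    if out.get("SecretDataType") == "text" and isinstance(raw, str):
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            out["SecretData"] = json.dumps({k: MASK for k in parsed})
            return out
    out["SecretData"] = MASK      # plain-text or binary (base64) payloads
    return out

# Constructed sample reply (not captured from a real KMS instance); the field
# names follow what GetSecretValue returns.
SAMPLE_RESPONSE = {
    "RequestId": "00000000-0000-0000-0000-000000000000",
    "SecretName": "example-db-credential",
    "VersionId": "v1",
    "SecretDataType": "text",
    "SecretData": '{"AccountName":"app_user","AccountPassword":"Example-Passw0rd"}',
    "CreateTime": "2024-01-01T00:00:00Z",
    "VersionStages": {"VersionStage": ["ACSCurrent"]},
}

if __name__ == "__main__":
    # Default path: the masked form is what the operator sees.
    print(json.dumps(mask_secret_value(SAMPLE_RESPONSE), indent=2))
```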

4. Delete Secret

Pre-check before deletion (Safety Requirement):

Before force deleting a secret, always verify its existence and check if it's still in use:

# Step 1: Describe the secret to verify existence and check metadata
aliyun kms DescribeSecret --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills
# → Check SecretName, CreateTime, and other metadata to confirm this is the correct secret

If DescribeSecret returns an error (secret not found):

  • Stop and inform user: "Secret does not exist, no deletion needed"

If DescribeSecret succeeds:

  • Review the secret metadata
  • Confirm with user before proceeding with force deletion

# Step 2: Force delete (immediate deletion, cannot be recovered)
aliyun kms DeleteSecret --SecretName "<secret-name>" --ForceDeleteWithoutRecovery true --region <region-id> --user-agent AlibabaCloud-Agent-Skills

Idempotency: If a Forbidden.ResourceNotFound error is returned, the secret does not exist; treat the deletion as successful and continue with subsequent operations.


5. Update Secret Value

aliyun kms PutSecretValue --SecretName "<secret-name>" --SecretData "<new-secret-value>" --VersionId "<new-version-id>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

6. Describe Secret

aliyun kms DescribeSecret --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

7. List Secret Versions

aliyun kms ListSecretVersionIds --SecretName "<secret-name>" --IncludeDeprecated true --region <region-id> --user-agent AlibabaCloud-Agent-Skills

8. Configure Rotation Policy

aliyun kms UpdateSecretRotationPolicy --SecretName "<secret-name>" --EnableAutomaticRotation true --RotationInterval 7d --region <region-id> --user-agent AlibabaCloud-Agent-Skills

9. Restore Deleted Secret

aliyun kms RestoreSecret --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

Idempotency: If a Rejected.ResourceInUse error is returned, the secret has already been restored or was never deleted; treat the restore as successful and continue with subsequent operations.
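The delete pre-check (section 4) and the two idempotency rules (sections 4 and 9) as one flow, added here as an example that is not the skill's own code. The `invoke` callable is an assumption standing in for `aliyun kms <Action> ...` or an SDK call; FakeKms is a constructed in-memory stand-in so the flow runs offline.

```python
from typing import Any, Callable, Dict

class KmsError(Exception):
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code  # KMS error code, e.g. Forbidden.ResourceNotFound

def delete_secret_safely(invoke: Callable[..., Dict[str, Any]], name: str,
                         confirm: Callable[[Dict[str, Any]], bool]) -> str:
    """Section 4 flow: DescribeSecret pre-check, user confirmation, force delete."""
    try:
        meta = invoke("DescribeSecret", SecretName=name)
    except KmsError as e:
        if e.code == "Forbidden.ResourceNotFound":
            return "not-found"   # "Secret does not exist, no deletion needed"
        raise
    if not confirm(meta):        # operator reviews SecretName/CreateTime first
        return "aborted"
    try:
        invoke("DeleteSecret", SecretName=name, ForceDeleteWithoutRecovery=True)
    except KmsError as e:
        if e.code != "Forbidden.ResourceNotFound":
            raise                # any other failure is a real error
    return "deleted"             # not-found here counts as success (idempotent)

def restore_secret(invoke: Callable[..., Dict[str, Any]], name: str) -> str:
    # Section 9 flow: RestoreSecret; Rejected.ResourceInUse means already active.
    try:
        invoke("RestoreSecret", SecretName=name)
    except KmsError as e:
        if e.code != "Rejected.ResourceInUse":
            raise
        return "already-active"
    return "restored"

class FakeKms:
    """Constructed stand-in: `active` holds live secrets, `pending` holds secrets scheduled for deletion."""
    def __init__(self, active: Dict[str, Dict[str, Any]], pending: Dict[str, Dict[str, Any]]) -> None:
        self.active, self.pending = dict(active), dict(pending)
    def __call__(self, action: str, **p: Any) -> Dict[str, Any]:
        name = p["SecretName"]
        if action == "RestoreSecret":
            if name not in self.pending:
                raise KmsError("Rejected.ResourceInUse")
            self.active[name] = self.pending.pop(name)
            return {}
        if name not in self.active:
            raise KmsError("Forbidden.ResourceNotFound")
        meta = self.active.pop(name) if action == "DeleteSecret" else self.active[name]
        return dict(meta, SecretName=name)
```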


Advanced Features

For managed credentials and other advanced features, see references/managed-credentials.md.


Reference Links

Document: Description
references/related-apis.md: detailed API description
references/ram-policies.md: RAM permission policies
references/managed-credentials.md: managed credentials guide
Usage Guidance
This skill appears to be a genuine Alibaba Cloud KMS secret-management guide, but it omits an explicit declaration of how credentials will be provided. Before installing or invoking it:

  1. Confirm how your agent/runtime will supply Alibaba Cloud credentials (environment vars, ~/.aliyun/config.json, ECS RAM role, or explicit user input).
  2. Never paste AK/SK into a conversational prompt; prefer ECS RAM roles or short-lived STS tokens.
  3. Be cautious with commands that retrieve secret values: the skill documents a good safety rule (only retrieve after explicit confirmation); keep that workflow and run sensitive commands in a private, audited terminal.
  4. If you do not want the agent to ever access secrets autonomously, disable autonomous invocation or require manual confirmation for all sensitive operations.
  5. For least privilege, grant only the specific KMS permissions required (e.g., GetSecretValue for runtime retrieval) rather than broad wildcards.

If you want higher confidence, ask the publisher to update the skill metadata to declare required credential sources (primaryEnv) and to explicitly forbid reading host credential/config files without user consent.
Capability Analysis
Type: OpenClaw Skill
Name: alibabacloud-kms-secret-manage
Version: 0.0.2

The skill bundle provides a legitimate and well-documented interface for managing Alibaba Cloud KMS secrets via the Aliyun CLI and Python SDK. The instructions in SKILL.md include explicit security safeguards, such as prohibiting the display of Access Keys, requiring user confirmation before retrieving secret values, and implementing safety checks before deletion. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found across the provided files (SKILL.md, related-apis.md, ram-policies.md).
Capability Assessment
Purpose & Capability
Name/description and the CLI/SDK examples align with an Alibaba Cloud KMS secret-management skill. However, the skill does not declare any primary credential or required env vars even though every actionable CLI/SDK call requires Alibaba Cloud credentials (AK/SK, STS token, or an ECS RAM role). This omission is an inconsistency: a KMS management skill legitimately needs cloud credentials and should declare them (or document expected credential sources) explicitly.
Instruction Scope
SKILL.md contains concrete CLI commands, SDK examples, and safety rules (e.g., do not print AK/SK, only execute GetSecretValue after explicit user confirmation). That scope is appropriate for secret management. Minor concerns: the documentation and examples show how to configure credentials (including command-line flags with AK/SK) and reference config files (~/.aliyun/config.json) and several environment variables (ALIBABA_CLOUD_*). Those references grant the agent implicit discretion to use credentials/config stored on the host unless the platform restricts that — the skill should explicitly state how credentials will be obtained and handled at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk. CLI install docs reference official Alibaba download hosts (aliyuncli.alicdn.com) which are expected for Aliyun CLI installation; no third-party or opaque downloads are present.
Credentials
The skill lists no required environment variables or primary credential, but the content explicitly references and relies on environment variables and credential configuration (ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET, ALIBABA_CLOUD_REGION_ID, ALIBABA_CLOUD_* timeouts, and ~/.aliyun/config.json). That is a proportionality mismatch: the skill should declare the credentials it needs. Also the docs include command examples for setting AK/SK via CLI flags, which can encourage insecure handling of secrets if followed without caution.
Persistence & Privilege
always is false and there is no install-time persistence. The skill can be invoked autonomously (platform default), which is normal for skills; that combined with credential access is worth user attention but is not flagged by itself.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install alibabacloud-kms-secret-manage
  3. After installation, invoke the skill by name or use /alibabacloud-kms-secret-manage
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.2
alibabacloud-kms-secret-manage v0.0.2
  • Added detailed usage and workflow instructions for all Alibaba Cloud KMS secret management operations (create, delete, update, query, versioning, rotation, restore).
  • Introduced explicit security rules, including sensitive data masking, user confirmation for secret retrieval, and AK/SK handling prohibitions.
  • Documented minimal and full RAM permission requirements for skill operation.
  • Provided practical CLI and Python SDK examples for interacting with Alibaba Cloud KMS secrets.
  • Outlined dependency and timeout setup for stable CLI usage.
  • Included safety checks and confirmations for destructive actions such as secret deletion.
Metadata
Slug alibabacloud-kms-secret-manage
Version 0.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Alibabacloud Kms Secret Manage?

Alibaba Cloud KMS Secret Management Skill. Used for managing secrets in KMS, supporting create, delete, update, query operations, version management, and rot... It is an AI Agent Skill for Claude Code / OpenClaw, with 99 downloads so far.

How do I install Alibabacloud Kms Secret Manage?

Run "/install alibabacloud-kms-secret-manage" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Alibabacloud Kms Secret Manage free?

Yes, Alibabacloud Kms Secret Manage is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Alibabacloud Kms Secret Manage support?

Alibabacloud Kms Secret Manage is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Alibabacloud Kms Secret Manage?

It is built and maintained by alibabacloud-skills-team (@sdk-team); the current version is v0.0.2.
