---
layout: docs
page_title: AliCloud KMS - KMSs - Configuration
sidebar_title: AliCloud KMS
description: >-
  The AliCloud KMS configures Boundary to use AliCloud KMS for key management.
---

# `alicloudkms` KMS

The AliCloud KMS configures Boundary to use AliCloud KMS for key management.
The AliCloud KMS is activated by one of the following:

- The presence of a `kms "alicloudkms"` block in Boundary's configuration file.

## `alicloudkms` Example

This example shows configuring AliCloud KMS through the Boundary configuration file
by providing all the required values:

```hcl
kms "alicloudkms" {
  region     = "us-east-1"
  access_key = "0wNEpMMlzy7szvai"
  secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA"
  kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73"
}
```

## `alicloudkms` Parameters

These parameters apply to the `kms` stanza in the Boundary configuration file:

- `region` `(string: <required> "us-east-1")`: The AliCloud region where the encryption key
  lives. May also be specified by the `ALICLOUD_REGION`
  environment variable.

- `domain` `(string: "kms.us-east-1.aliyuncs.com")`: If set, overrides the endpoint
  AliCloud would normally use for KMS for a particular region. May also be specified
  by the `ALICLOUD_DOMAIN` environment variable.

- `access_key` `(string: <required>)`: The AliCloud access key ID to use. May also be
  specified by the `ALICLOUD_ACCESS_KEY` environment variable or as part of the
  AliCloud profile from the AliCloud CLI or instance profile.

- `secret_key` `(string: <required>)`: The AliCloud secret access key to use. May
  also be specified by the `ALICLOUD_SECRET_KEY` environment variable or as
  part of the AliCloud profile from the AliCloud CLI or instance profile.

- `kms_key_id` `(string: <required>)`: The AliCloud KMS key ID to use for encryption
  and decryption. May also be specified by the `VAULT_ALICLOUDKMS_SEAL_KEY_ID`
  environment variable.

## Authentication

Authentication-related values must be provided, either as environment
variables or as configuration parameters.

~> **Note:** Although the configuration file allows you to pass in
`ALICLOUD_ACCESS_KEY` and `ALICLOUD_SECRET_KEY` as part of the 's parameters, it
is _strongly_ recommended to set these values via environment variables.

```text
AliCloud authentication values:

* `ALICLOUD_REGION`
* `ALICLOUD_ACCESS_KEY`
* `ALICLOUD_SECRET_KEY`
```

Note: The client uses the official AliCloud SDK and will use environment credentials,
the specified credentials, or RAM role credentials in that order.