https://www.alibabacloud.com/help/en/kms/getting-started/getting-started-with-key-management
https://www.alibabacloud.com/help/en/kms/developer-reference/api-createkey
-- 前提
(1) KMS instance作成済、有効化済
Billing Method: Pay-as-you-go 3.0
Instance Type: Software Key Management
(2) コンソールよりkmsアクセス権限をロールに付与済み
Role:
AliyunECSDiskEncryptionDefaultRole
Description:
By default, ECS uses this role to access KMS.
Permission Description:
The role has the permissions required to use the disk encryption feature, including the permissions to access KMS.
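# 1. Create a software-protected key
# Placeholder IDs; override from the environment if needed. The KMS instance
# ID comes from ListKmsInstances, the key ID from the CreateKey response.
: "${kms_instance_id:=kst-111111111111111111111}"
: "${key_id:=key-111111111111111111111}"

aliyun kms ListKmsInstances
aliyun kms GetKmsInstance \
  --KmsInstanceId "$kms_instance_id"
# Symmetric AES-256 key, software-protected to match the
# "Software Key Management" instance type. Automatic rotation is left off
# here; for a long-lived disk key, enabling it limits the blast radius of
# a compromised key version.
aliyun kms CreateKey \
  --Description key01 \
  --KeyUsage ENCRYPT/DECRYPT \
  --Origin Aliyun_KMS \
  --ProtectionLevel SOFTWARE \
  --EnableAutomaticRotation false \
  --KeySpec Aliyun_AES_256 \
  --DKMSInstanceId "$kms_instance_id"
aliyun kms ListKeys
aliyun kms DescribeKey \
  --KeyId "$key_id"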
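# 2. Use the software-protected key
# Placeholder IDs; key_id is the key created in step 1, instance_id is
# returned by CreateInstance.
: "${key_id:=key-111111111111111111111}"
: "${instance_id:=i-11111111111111111111}"

aliyun ecs DescribeInstances
# Only the data disk is encrypted with the KMS key; the system disk is
# created with no encryption parameters. DeletionProtection is off, so a
# single DeleteInstance call (step 3) removes the instance and, because
# DeleteWithInstance is true, the encrypted data disk along with it.
aliyun ecs CreateInstance \
  --InstanceType ecs.t5-lc2m1.nano \
  --CreditSpecification Standard \
  --DeletionProtection false \
  --Description instance01 \
  --ImageId aliyun_2_1903_x64_20G_alibase_20231221.vhd \
  --InstanceChargeType PostPaid \
  --InstanceName instance01 \
  --KeyPairName alibabakey01 \
  --SecurityGroupId sg-11111111111111111111 \
  --SystemDisk.Category cloud_ssd \
  --SystemDisk.Size 20 \
  --VSwitchId vsw-111111111111111111111 \
  --ZoneId ap-northeast-1a \
  --DataDisk.1.Category cloud_ssd \
  --DataDisk.1.DeleteWithInstance true \
  --DataDisk.1.Encrypted true \
  --DataDisk.1.KMSKeyId "$key_id" \
  --DataDisk.1.Size 20
# No trailing backslash here: the command must end before the next section.
aliyun ecs DescribeDisks \
  --InstanceId "$instance_id"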
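# 3. Cleanup
: "${key_id:=key-111111111111111111111}"
: "${instance_id:=i-11111111111111111111}"

# Force=true deletes the instance even while it is running; the data disk
# goes with it (DeleteWithInstance true in step 2). Delete the instance
# before scheduling key deletion so no disk still depends on the key.
aliyun ecs DeleteInstance \
  --InstanceId "$instance_id" \
  --Force true
# 7 days is the shortest pending window KMS accepts. The key can still be
# recovered with CancelKeyDeletion until the window expires; after that the
# key and any data encrypted under it are unrecoverable.
aliyun kms ScheduleKeyDeletion \
  --KeyId "$key_id" \
  --PendingWindowInDays 7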