The company needs to use the KMS (Key Management Service) provided by Alibaba Cloud and verify that the service works normally, using the test key resources the company applied for.
1. Use the demo code provided by Alibaba to verify that reading, encrypting and decrypting work normally.
(PS: mainly check the configured permissions; these turned out to be fine.)
2. Local service validation.
Because the internal rule requires that key information be obtained through a key alias, the tests always pass the alias into the encryption logic.
The code is as follows:
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.FormatType;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.kms.model.v20160120.EncryptRequest;
import com.aliyuncs.kms.model.v20160120.EncryptResponse;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import java.nio.charset.StandardCharsets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

private static final Logger logger = LoggerFactory.getLogger("KmsEncrypt");

public static byte[] encrypt(String keyId, String msgBuf) {
    try {
        EncryptResponse kmsEncryptResp = encryptByKms(keyId, msgBuf); // Encrypt via KMS
        String encryptedStr = kmsEncryptResp.getCiphertextBlob();     // Get the ciphertext
        return encryptedStr.getBytes(StandardCharsets.UTF_8);
    } catch (ClientException eResponse) {
        logger.error("Encryption failed, processing failed:{},Error code:{},Error Description:{}",
                eResponse.getMessage(), eResponse.getErrCode(), eResponse.getErrMsg());
    } catch (Exception e) {
        logger.error("Encryption failed, unknown exception:{}", e.getMessage());
    }
    return null; // the failure path needs a return value for the method to compile
}

private static EncryptResponse encryptByKms(String keyId, String plainText) throws ClientException {
    String regionId = "cn-hongkong";
    // Credentials are read from the environment instead of being hardcoded in source
    String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
    String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
    DefaultAcsClient kmsClient = kmsClient(regionId, accessKeyId, accessKeySecret);
    EncryptRequest encReq = new EncryptRequest();
    encReq.setProtocol(ProtocolType.HTTPS);
    encReq.setAcceptFormat(FormatType.JSON);
    encReq.setMethod(MethodType.POST);
    encReq.setKeyId(keyId);        // keyId here is the alias, as the rule requires
    encReq.setPlaintext(plainText);
    final EncryptResponse encResponse = kmsClient.getAcsResponse(encReq);
    return encResponse;
}

private static DefaultAcsClient kmsClient(String regionId, String accessKeyId, String accessKeySecret) {
    IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
    DefaultAcsClient client = new DefaultAcsClient(profile);
    return client;
}
The result: the catch branch always reports the exception "Encryption failed, processing failed".
1. At first I suspected an abnormal configuration that prevented obtaining the AliKMS information. Stepping through with the debugger showed it was fine. What AliKMS returned was
2. Went back and checked against Alibaba's demo code again: no problem, normal! So I added logic to the code:
keyId = "alias";  // the alias name; the actual value is not given in the post
final DescribeKeyResponse decKeyRes = describeKey(keyId);
// Parse the response and inspect which key the alias actually resolved to
DescribeKeyResponse.KeyMetadata meta = decKeyRes.getKeyMetadata();
// meta.getKeyId() and meta.getKeyState() show the key that was picked for this alias

private static DescribeKeyResponse describeKey(String keyId) throws ClientException {
    DescribeKeyRequest req = new DescribeKeyRequest();
    req.setKeyId(keyId);
    DefaultAcsClient client = kmsClient("cn-hongkong",
            System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
            System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
    return client.getAcsResponse(req);
}
It turned out that the keyId read back was not the one I expected. Looking up the key list, two keyIds had the same alias: one in normal status, the other pending deletion.
3. Talked to the colleagues in the company's system group who applied for the resources. It turned out that when they provisioned the resources, some configuration was filled in incorrectly during the first setup, so the key was deleted and recreated, and both keyIds were kept under the same alias!!!
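The failure above is a resolution problem: the caller hands KMS an alias and has no way of knowing which key ID, or which key state, it landed on. The following is an added example, not code from the post or from Alibaba, that resolves an alias to exactly one enabled key before any encryption happens and fails closed otherwise. It assumes the aliyun-java-sdk-kms ListAliases and DescribeKey request/response classes in com.aliyuncs.kms.model.v20160120 (only DescribeKeyResponse appears on the page); the alias name "alias/EXAMPLE_ALIAS" and the environment variable names are placeholders.

```java
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.kms.model.v20160120.DescribeKeyRequest;
import com.aliyuncs.kms.model.v20160120.DescribeKeyResponse;
import com.aliyuncs.kms.model.v20160120.ListAliasesRequest;
import com.aliyuncs.kms.model.v20160120.ListAliasesResponse;
import com.aliyuncs.profile.DefaultProfile;

import java.util.ArrayList;
import java.util.List;

/**
 * Resolves a KMS alias to exactly one Enabled key before it is used for encryption.
 * Added example; assumes the ListAliases/DescribeKey classes of aliyun-java-sdk-kms.
 */
public class AliasResolver {

    private static final int PAGE_SIZE = 100;
    private final DefaultAcsClient kmsClient;

    public AliasResolver(DefaultAcsClient kmsClient) {
        this.kmsClient = kmsClient;
    }

    /** Collect every key ID that carries the given alias name, walking all ListAliases pages. */
    public List<String> keyIdsForAlias(String aliasName) throws ClientException {
        List<String> keyIds = new ArrayList<>();
        int page = 1;
        while (true) {
            ListAliasesRequest req = new ListAliasesRequest();
            req.setPageNumber(page);
            req.setPageSize(PAGE_SIZE);
            ListAliasesResponse resp = kmsClient.getAcsResponse(req);
            for (ListAliasesResponse.Alias a : resp.getAliases()) {
                if (aliasName.equals(a.getAliasName())) {
                    keyIds.add(a.getKeyId());
                }
            }
            if (resp.getAliases().isEmpty() || page * PAGE_SIZE >= resp.getTotalCount()) {
                break;
            }
            page++;
        }
        return keyIds;
    }

    /** Key state reported by DescribeKey, e.g. "Enabled", "Disabled" or "PendingDeletion". */
    public String keyState(String keyId) throws ClientException {
        DescribeKeyRequest req = new DescribeKeyRequest();
        req.setKeyId(keyId);
        DescribeKeyResponse resp = kmsClient.getAcsResponse(req);
        return resp.getKeyMetadata().getKeyState();
    }

    /**
     * Fail closed: the alias must map to exactly one key and that key must be Enabled.
     * Returns the concrete key ID; pass it to EncryptRequest instead of the alias so the
     * key actually used is unambiguous and can be logged alongside the ciphertext.
     */
    public String resolveEnabledKey(String aliasName) throws ClientException {
        List<String> keyIds = keyIdsForAlias(aliasName);
        if (keyIds.size() != 1) {
            throw new IllegalStateException("alias " + aliasName + " maps to " + keyIds.size()
                    + " keys " + keyIds + ", expected exactly one");
        }
        String keyId = keyIds.get(0);
        String state = keyState(keyId);
        if (!"Enabled".equals(state)) {
            throw new IllegalStateException("key " + keyId + " behind alias " + aliasName
                    + " is in state " + state);
        }
        return keyId;
    }

    public static void main(String[] args) throws ClientException {
        // Credentials come from the environment; region as on the page; alias is a placeholder.
        DefaultProfile profile = DefaultProfile.getProfile("cn-hongkong",
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        AliasResolver resolver = new AliasResolver(new DefaultAcsClient(profile));
        String keyId = resolver.resolveEnabledKey("alias/EXAMPLE_ALIAS");
        System.out.println("encrypting with key " + keyId);
    }
}
```

Running this check at service start-up (or in the validation step above) would have reported the duplicate alias immediately, instead of surfacing as a generic "Encryption failed" in the catch branch. Resolving to a key ID once and encrypting with that ID also means the ciphertext can be tied to a known key when it later has to be decrypted.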
Summary
When using the AliKMS service, do not maintain the same alias for different keyIds. When you encrypt by alias, you really cannot tell which key gets picked!!!