Support Alibaba Cloud Dedicated KMS (instance VPC gateway + TLS cert) in Vault seal #31664

@yiqi19940531

Description

Feature request: Support Alibaba Cloud Dedicated KMS instance gateways (VPC endpoints with TLS certificates) in Vault’s alicloudkms seal so that Vault–KMS traffic can remain inside a VPC without enabling Internet access on the KMS instance.

Currently the alicloudkms seal talks to the classic/shared KMS endpoint (for example kms..aliyuncs.com or a custom domain override). According to Alibaba Cloud documentation on “Access KMS instance keys over the Internet” (https://www.alibabacloud.com/help/en/kms/key-management-service/user-guide/access-keys-of-a-kms-instance-over-the-internet), using KMS instance keys through this shared endpoint requires enabling Internet access for the KMS instance, which is not acceptable in environments where all cryptographic key operations must stay in private networks.

Alibaba Cloud KMS has introduced Dedicated KMS instances with VPC-only instance gateways such as <KMS_INSTANCE_ID>.cryptoservice.kms..aliyuncs.com. The “Initialize the client” documentation (https://www.alibabacloud.com/help/en/kms/key-management-service/developer-reference/initialize-the-client) shows how SDKs can use these gateways by configuring a downloadable TLS certificate so the client can trust the dedicated endpoint.

The current alicloudkms seal still targets the classic/shared KMS model (see #24269) and does not expose options to configure a Dedicated KMS instance gateway plus a custom CA bundle (or client certificate and key) for TLS when calling that gateway. As a result, Vault cannot use Dedicated KMS instance gateways for auto-unseal in a VPC-only, no-Internet-access architecture.

The request is to add first-class support for Alibaba Cloud Dedicated KMS instance gateways in the seal: allow specifying the dedicated KMS endpoint, a custom CA certificate bundle, and optionally a client certificate and key, so that Vault can auto-unseal using Dedicated KMS entirely within a VPC without enabling Internet access on the KMS instance.
A typical reference environment would be Vault 1.20.4 running in Docker on Alibaba Cloud ECS in the cn-shanghai region, with a Dedicated KMS instance key used as the seal key, Vault and KMS in the same VPC, and a policy that disallows Internet access for KMS instances. This feature would enable Vault + Alibaba Cloud KMS to be used as a compliant enterprise key management solution on Alibaba Cloud in such environments.
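The trust model the request describes (a client that trusts only the downloaded gateway certificate bundle, optionally presenting a client certificate) can be illustrated independently of Vault's seal code. The following is an added example, not code from Vault, the alicloudkms seal or the Alibaba Cloud SDK: it stands up an `httptest` TLS server with a private self-signed CA as a stand-in for a dedicated KMS instance gateway, exports its certificate as the PEM "bundle" an operator would download, and shows that a client using the system trust store rejects the gateway while a client pinned to that bundle succeeds. The function names (`newPinnedClient`, `fetch`, `demo`) and the `kms-gateway-ok` response are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// newPinnedClient builds an HTTP client that trusts ONLY the CA bundle in
// caPEM, which is the role a downloaded gateway certificate plays for a
// VPC-only endpoint the public roots know nothing about. clientCertPEM and
// clientKeyPEM are optional; when present they enable mutual TLS.
func newPinnedClient(caPEM, clientCertPEM, clientKeyPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		// Fail closed: an empty pool would otherwise mean "trust nothing",
		// but an unparseable bundle is a configuration error worth surfacing.
		return nil, errors.New("no CA certificates found in bundle")
	}
	cfg := &tls.Config{
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
	}
	if len(clientCertPEM) > 0 || len(clientKeyPEM) > 0 {
		cert, err := tls.X509KeyPair(clientCertPEM, clientKeyPEM)
		if err != nil {
			return nil, fmt.Errorf("loading client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg},
	}, nil
}

// fetch performs a GET and returns the body, or the transport/TLS error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo runs a stand-in "dedicated gateway" whose certificate is issued by a
// private CA (generated by httptest; constructed, not an Alibaba Cloud cert).
// It returns the error a system-trust client gets, and the body and error a
// client pinned to the gateway's bundle gets.
func demo() (systemErr error, pinnedBody string, pinnedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "kms-gateway-ok")
	}))
	defer srv.Close()

	// Export the gateway's CA certificate as the PEM bundle an operator would download.
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})

	// A client relying on the public trust store cannot verify the private CA.
	_, systemErr = fetch(&http.Client{Timeout: 10 * time.Second}, srv.URL)

	// A client pinned to the downloaded bundle verifies the gateway and succeeds.
	pinned, err := newPinnedClient(bundle, nil, nil)
	if err != nil {
		return systemErr, "", err
	}
	pinnedBody, pinnedErr = fetch(pinned, srv.URL)
	return systemErr, pinnedBody, pinnedErr
}

func main() {
	systemErr, body, err := demo()
	fmt.Println("system trust store:", systemErr)
	fmt.Println("pinned bundle:", body, err)
}
```

The design point is that the pinned client replaces, rather than extends, the system roots: a VPC-only gateway should verify against the operator-supplied bundle and nothing else, so a misconfigured or missing bundle is rejected at construction time instead of silently falling back to public CAs.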
