Scenarios
Consumer Key is the core credential for client applications to securely invoke AI gateway services. When enterprises or developers integrate and schedule backend AI capabilities through the TSF AI Gateway for microservices, the Consumer Key creates unique authentication credentials for different clients (such as business applications, mobile Apps, or third-party services). These credentials are used for identity authentication and access control when these clients invoke gateway APIs.
To ensure the security of sensitive key information, the microservice TSF AI gateway is deeply integrated with Tencent Cloud KMS to achieve encrypted storage of keys throughout their entire lifecycle. KMS uses third-party certified Hardware Security Modules (HSM) to generate and protect keys, ensuring that no one, including Tencent Cloud, can obtain your plaintext master key, meeting strict compliance requirements. Through centralized management, this feature aims to enhance security controls, eliminate the risks of plaintext leakage and unauthorized access, and simultaneously simplify the Ops processes for key creation, update, disablement, and deletion.
Prerequisite
If the generation method uses KMS (KMS credentials), then credentials need to be created. For details, see SSM-Quick Start. Operation Steps
View Key List
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. The list page displays all created consumer keys, including information such as Key Name, Type, Status, and Generation Method. You can perform operations like Create, Edit, or Delete here.
5. When the key status is "Enabled", the delete operation will be grayed out and unavailable. The system will prompt "Please disable the key first.".
Creating Keys
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Consumer Key List Page, click Create.
5. In the "Create Key" window, configure the following parameters:
|
Key Name | Yes | The name can contain up to 60 characters, including uppercase and lowercase letters in Chinese and English, digits, and separators ("-", "_"). It cannot start with a digit or a separator, nor end with a separator. |
Generation method | Yes | Key Management Service (KMS Credential): Associate with a credential in Tencent Cloud KMS. Enter the "Credential Name" and "Credential Version". If no KMS credential exists, you can click "Create Credential" to navigate and create one. |
|
| Auto-generated: The gateway automatically generates a random API key. |
|
| Custom: Manually enter the key value (the consumer key is the credential content). |
Description | No | The identification and description information for the key. Up to 200 characters can be entered. |
6. Click OK to complete key creation. The gateway ensures encrypted and secure key storage by integrating the KMS service (when KMS credentials are selected as the generation method).
Note:
When the generation method is set to "Key Management System (KMS Credentials)", to handle KMS credentials, navigate to the KMS console to perform operations. When the generation method is set to "Custom" or "Auto-generated", modification is not supported, but copying and viewing are allowed. The value defaults to *** to protect sensitive information.
Viewing Key Details
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Consumer Key List page, click the "ID/Name" of the target key.
5. Go to the key details page, where you can view:
Basic Information: including key name, type, status, creation time, and so on.
Bound Consumers: displays the consumer information associated with the current key.
Edit Key
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Consumer Key List page, locate the target key and click Edit under its Operation column; or click Edit in the top-right corner of the key details page.
5. In the edit window, you can modify the Name and Description (remarks) of the key.
6. Click OK to save the changes.
Key Consumer Binding
The relationship between consumers and keys is one-to-many: a consumer can bind to multiple keys, but a key can only bind to one consumer. You can bind a consumer to a key.
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Consumer Key List page, click the "ID/Name" of the target key to go to the details page.
5. Click Add Resource, in the "Add Resource" dialog box, the "Select Consumers" section on the left lists all available consumers. You can quickly search for them using the search box.
6. In the left panel, select a consumer to be bound to this key. The selected consumer will appear in the "Selected" list on the right.
7. To remove a consumer, click the × icon next to the consumer entry in the "Selected" list on the right to remove it from the group association.
8. After making the adjustments, click OK to save the association.
Enabling/Disabling the Key
Consumer Keys are only valid when in the enabled status. This means that when a key is disabled or inactive, the AI Gateway will not recognize or use it for any operations. Therefore, it is essential to confirm whether the key has been properly enabled before use.
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Consumer Key List page, locate the target key and click the Disable button in the Actions column. The key will then enter the "Disabled" state, and the AI Gateway will not recognize or use it for any operations.
5. Enabling Process requires the target key to be in the "Disabled" state: Click Enable to change the key status to "Enabled".
Deleting the Key
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Consumer Key List page, locate the target key and click the Disable button in the Actions column before you can perform the deletion operation. After the key is disabled, click Delete to complete the process.
5. The system will perform a dependency check before deletion:
If the key has been disassociated from all related resources (for consumer keys, disassociate from all consumers), the pop-up window will directly display the key information. Click Confirm to delete it.
If the key still has associated resources, a pop-up will display "Unresolved dependencies exist" and list specific dependencies. You need to remove all dependencies first, then click Recheck. The key can only be deleted after the verification is passed.
Note:
KMS credential status changes: If you modify a credential in the Tencent Cloud KMS console, the AI Gateway will temporarily continue using the cached old credential content (default cache duration approximately 5 minutes) to ensure business continuity. We recommend creating a new version of the credential in KMS and associating it with the gateway before the old API Key version is deleted. This ensures the changes take effect promptly.
To enhance the high availability of keys, we recommend configuring multiple credentials. This prevents service disruptions for consumers when a specific credential is disabled.