Scenarios
Model Key is the core credential for securely invoking large model services through the AI gateway. When enterprises or developers connect to model APIs from multiple AI vendors via the AI gateway, the Model Key stores the authentication keys (such as the vendor AccessKey and API Secret) for each AI vendor. The gateway uses these keys to initiate model API calls to vendors on behalf of users.
To ensure the security of sensitive key information, the microservice TSF AI gateway is deeply integrated with Tencent Cloud KMS to achieve encrypted storage of keys throughout their entire lifecycle. KMS uses third-party certified Hardware Security Modules (HSM) to generate and protect keys, ensuring that no one, including Tencent Cloud, can obtain your plaintext master key, meeting strict compliance requirements. Through centralized management, this feature aims to enhance security controls, eliminate the risks of plaintext leakage and unauthorized access, and simultaneously simplify the Ops processes for key creation, update, disablement, and deletion.
Prerequisite
If the generation method uses KMS (KMS credentials), then credentials need to be created. For details, see SSM-Quick Start.
Operation Steps
View Key List
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. The list page displays all created model keys, including information such as Key Name, Type, Status, and Generation Method. You can perform operations like Create, Edit, or Delete here.
5. When the key status is "Enabled", the delete operation will be grayed out and unavailable. The system will prompt "Please disable the key first".
Creating Keys
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Model Key List Page, click Create.
5. In the "Create Key" window, configure the following parameters:
| Parameter | Required | Description |
| --- | --- | --- |
| Key Name | Yes | The name can contain up to 60 characters: Chinese characters, uppercase and lowercase English letters, digits, and separators ("-", "_"). It cannot start with a digit or a separator, nor end with a separator. |
| Generation method | Yes | Key Management Service (KMS Credential): associate the key with a credential in Tencent Cloud KMS by entering the "Credential Name" and "Credential Version". If no KMS credential exists, you can click "Create Credential" to navigate and create one. Custom: manually enter the key value (the model key is the API-KEY value, and the consumer key is the credential content). |
| Description | No | The identification and description information for the key. Up to 200 characters can be entered. |
6. Click OK to complete key creation. The gateway ensures encrypted and secure key storage by integrating the KMS service (when KMS credentials are selected as the generation method).
Note:
When the generation method is "KMS (KMS credentials)", manage the KMS credentials in the KMS console. When the generation method is set to "Custom", modification is not supported, but copying and viewing are allowed. The value is displayed as "***" by default to protect sensitive information.
Viewing Key Details
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Model Key List page, click the "ID/Name" of the target key.
5. Go to the key details page, where you can view:
Basic Information: including key name, type, status, creation time, and so on
Bound Model Resources: displays the model service resources associated with the current key.
Edit Key
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Model Key List page, locate the target key and click Edit under its Operation column; or click Edit in the top-right corner of the key details page.
5. In the edit window, you can modify the Name and Description (remarks) of the key.
6. Click OK to save the changes.
Key Binding Model Service
The relationship between model services and keys is many-to-many: a model service can bind to multiple keys, and a key can bind to multiple model services.
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Model Key List page, click the "ID/Name" of the target key to go to the details page.
5. Click Add Resource. In the "Add New Resource" pop-up window, the "Please select model service" section on the left lists all available model services. You can quickly search using the search box.
6. In the list on the left, select one or more model services to be bound to this key. The selected model services will appear in the "Selected" list on the right.
7. To remove a model service, click the × icon next to the corresponding entry in the "Selected" list on the right to unbind it from this group.
8. After making the adjustments, click OK to save the association.
Enabling/Disabling the Key
Model keys are only effective when enabled. This means that when a key is disabled or inactive, the AI gateway will not recognize or use it for any operations. Therefore, before use, it is essential to confirm whether the key has been properly enabled.
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Model Key List page, locate the target key and click Disable in the Actions column. The key will enter the "Disabled" state, and the AI gateway will not recognize or use it to perform any operations.
5. To enable a key, the target key must be in the "Disabled" state: click Enable to change the key status to "Enabled".
Deleting the Key
2. On the instance list page, click the "ID" of the gateway instance to be configured to go to its basic information page.
3. In the left sidebar, click Key Management, go to the Key List page.
4. On the Model Key List page, locate the target key and click Disable in the Actions column; a key must be disabled before it can be deleted. After the key is disabled, click Delete.
5. The system will perform a dependency check before deletion:
If the key has been disassociated from all related resources (model keys need to be disassociated from all model services), a pop-up window will display the key information. Click OK to delete it.
If the key is still associated with resources, a pop-up window will display "Unresolved dependencies exist" and list specific dependent items. You need to resolve all dependencies first, then click Recheck. The key can only be deleted after the validation is passed.
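The enable/disable and deletion rules above can be checked offline before touching the console. The following is an added example, not gateway code or a Tencent Cloud API: the inventory, key names, service names and function names are all hypothetical. It reports which model services would be left without an enabled key if a given key were disabled, and whether a key passes the disable-then-unbind order required for deletion.

```python
ENABLED, DISABLED = "Enabled", "Disabled"

# Constructed inventory for illustration (not exported from a real gateway).
KEYS = {"key-a": ENABLED, "key-b": ENABLED, "key-c": DISABLED}
BINDINGS = {  # many-to-many: (model key, model service)
    ("key-a", "svc-chat"), ("key-b", "svc-chat"),
    ("key-a", "svc-embed"), ("key-c", "svc-embed"),
}


def bound_services(key, bindings):
    """Model services currently bound to `key`."""
    return sorted(svc for k, svc in bindings if k == key)


def stranded_by_disabling(key, keys, bindings):
    """Model services left with no Enabled key if `key` were disabled."""
    stranded = []
    for svc in bound_services(key, bindings):
        backups = [k for k, s in bindings
                   if s == svc and k != key and keys[k] == ENABLED]
        if not backups:
            stranded.append(svc)
    return stranded


def delete_preflight(key, keys, bindings):
    """Apply the page's order: disable first, then clear bindings, then delete."""
    if keys[key] == ENABLED:
        return "Please disable the key first"
    deps = bound_services(key, bindings)
    if deps:
        return "Unresolved dependencies exist: " + ", ".join(deps)
    return "OK to delete"


if __name__ == "__main__":
    for name in sorted(KEYS):
        print(name, "| disabling strands:", stranded_by_disabling(name, KEYS, BINDINGS),
              "| delete:", delete_preflight(name, KEYS, BINDINGS))
```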
Note:
KMS credential status changes: If you modify a credential in the Tencent Cloud KMS console, the AI Gateway will temporarily continue using the cached old credential content (default cache duration approximately 5 minutes) to ensure business continuity. We recommend creating a new version of the credential in KMS and associating it with the gateway before the old API Key version is deleted. This ensures the changes take effect promptly.
To enhance key high availability, we recommend configuring multiple credentials for model services. This prevents service disruptions when a specific credential is disabled.
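The effect of the credential cache on rotation order can be seen in a small simulation. This is an added example, not the gateway's implementation: the `Gateway` class, the credential name `llm-key`, the key values and the assumption that cached content is held per credential name and version are all hypothetical; only the roughly 5-minute cache duration comes from the note above.

```python
from dataclasses import dataclass, field

CACHE_TTL_S = 300  # page: default cache duration is approximately 5 minutes


@dataclass
class Gateway:
    """Hypothetical gateway model: credential content cached per (name, version)."""
    store: dict                      # stand-in for KMS: (name, version) -> secret
    bound: tuple                     # credential name/version the model key points at
    cache: dict = field(default_factory=dict)

    def secret_at(self, now):
        hit = self.cache.get(self.bound)
        if hit and now - hit[1] < CACHE_TTL_S:
            return hit[0]            # cached content is still served
        value = self.store[self.bound]
        self.cache[self.bound] = (value, now)
        return value


def rejected_calls(gw, vendor_accepts, start, end, step=30):
    """Times (s) at which the gateway would send a key the vendor rejects."""
    return [t for t in range(start, end + 1, step)
            if gw.secret_at(t) not in vendor_accepts]


def modify_in_place():
    # Constructed values: the same credential version is overwritten at t=60
    # and the old API key is deleted at the vendor at the same moment.
    store = {("llm-key", "v1"): "OLD-KEY"}
    gw = Gateway(store, ("llm-key", "v1"))
    gw.secret_at(0)                              # cache warmed by normal traffic
    store[("llm-key", "v1")] = "NEW-KEY"
    return rejected_calls(gw, {"NEW-KEY"}, 60, 600)


def new_version_then_delete():
    # Recommended order: create v2, associate it with the gateway, then delete old key.
    store = {("llm-key", "v1"): "OLD-KEY"}
    gw = Gateway(store, ("llm-key", "v1"))
    gw.secret_at(0)
    store[("llm-key", "v2")] = "NEW-KEY"         # new credential version in KMS
    gw.bound = ("llm-key", "v2")                 # associate the new version
    return rejected_calls(gw, {"NEW-KEY"}, 60, 600)


if __name__ == "__main__":
    print("in-place modify, rejected at:", modify_in_place())
    print("new version first, rejected at:", new_version_then_delete())
```

In this model, overwriting the credential in place while deleting the old vendor key leaves the gateway sending the cached old value until the cache entry expires; associating a new version first leaves no such window.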