diff --git a/tools/init_aecs/src/main.rs b/tools/init_aecs/src/main.rs
index d1c015af..5815d0a1 100644
--- a/tools/init_aecs/src/main.rs
+++ b/tools/init_aecs/src/main.rs
@@ -174,7 +174,10 @@ fn main() -> Result<(), Box<dyn Error>> {
         ra_conf_string.clone().into_bytes(),
     )?;
 
-    let server_addr = CString::new(init_ra_conf.kms_server).unwrap();
+    // aecs kms server address from environment has higher priority
+    let server_addr =
+        CString::new(env::var("OCCLUM_INIT_RA_KMS_SERVER").unwrap_or(init_ra_conf.kms_server))
+            .unwrap();
     env::set_var("UA_ENV_PCCS_URL", init_ra_conf.ua_env_pccs_url.clone());
 
     // Get the key of FS image if needed
diff --git a/tools/init_grpc_ratls/src/main.rs b/tools/init_grpc_ratls/src/main.rs
index 68b1f6c7..19a7878e 100644
--- a/tools/init_grpc_ratls/src/main.rs
+++ b/tools/init_grpc_ratls/src/main.rs
@@ -5,6 +5,7 @@ extern crate serde_json;
 use libc::syscall;
 use serde::{Deserialize, Serialize};
 
+use std::env;
 use std::error::Error;
 use std::fs;
 use std::fs::File;
@@ -130,7 +131,11 @@ fn main() -> Result<(), Box<dyn Error>> {
     let ra_conf_string = serde_json::to_string_pretty(&init_ra_conf.ra_config).unwrap();
     fs::write("ra_config.json", ra_conf_string.clone().into_bytes())?;
     let config_json = CString::new("ra_config.json").unwrap();
-    let server_addr = CString::new(init_ra_conf.kms_server).unwrap();
+
+    // grpc server address from environment has higher priority
+    let server_addr =
+        CString::new(env::var("OCCLUM_INIT_RA_KMS_SERVER").unwrap_or(init_ra_conf.kms_server))
+            .unwrap();
 
     // Get the key of FS image if needed
     let key = match &image_config.image_type[..] {