diff --git a/demos/remote_attestation/init_aecs_client/README.md b/demos/remote_attestation/init_aecs_client/README.md new file mode 100644 index 00000000..861d0ea2 --- /dev/null +++ b/demos/remote_attestation/init_aecs_client/README.md 
@@ -0,0 +1,54 @@ +# Secret acquisition with AECS client in Occlum Init + +In this demo, we will show how to acquire secrets in Occlum init by AECS client. + +[AECS](https://github.com/SOFAEnclave/enclave-configuration-service) is a short name of **Attestation based Enclave Configuration Service**. Basically, part of its function is acting as a remote attestation based key management service. + +Occlum provides a way to embed the AECS client function in Occlum Init process by simply running `occlum new --init-ra aecs` to initiate an Occlum instance. + +## Start a demo AECS server + +A public docker image for AECS server is provided for test only. It's running in simulation mode and also has debug log messages. Start it like this: +``` +git clone https://github.com/SOFAEnclave/enclave-configuration-service.git +cd enclave-configuration-service +./deployment/aecs_test.sh start # stop command to stop it +``` + +Once successful, a demo AECS server is started locally. It holds secrets **secret-my-keypair** and **secret-my-aes256-key** for test purpose. The below client demo tries to acquire those two secrets in customized **Occlum Init** by predefined **init_ra_conf.json**. + +## Build and Run the client demo + +### Prerequisites + +A valid PCCS service should be accessible in your environment. This demo is verified in Aliyun, thus `https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/` is used as the PCCS URL. And please also make sure the client demo can access the locally started AECS server. For example, + +* Start the Occlum develop container with host network +``` +docker run --rm -it \ + --device /dev/sgx/enclave --device /dev/sgx/provision \ + --network host \ + occlum/occlum:latest-ubuntu20.04 bash +``` + +In the container, update the **pccs_url** in the file `/etc/sgx_default_qcnl.conf` with the valid address. + +### Build the demo + +Just run `build.sh`, it generates an Occlum instance with: +* Init with AECS client. 
+* `busybox` is added to act as the real application. + +Note, a valid PCCS URL needs to be passed to the Occlum instance. In our case, Aliyun `https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/` is used. Also, to acquire the secrets, the secret name and saved path should be filled into the `init_ra_conf.json` before occlum build. Details please refer to the script [build.sh](./build.sh). + +### Run the demo + +The boot flow of the demo is as below. +``` +init (get secrets and save to rootfs per the definition in init_ra_conf.json) --> busybox +``` + +Thus, a simple command as below will print the secret **secret-my-keypair** acquired in **init** process. +``` +occlum run /bin/busybox cat /etc/saved_secret_rsa_keypair +``` diff --git a/demos/remote_attestation/init_aecs_client/app.yaml b/demos/remote_attestation/init_aecs_client/app.yaml new file mode 100644 index 00000000..448c6bc0 --- /dev/null +++ b/demos/remote_attestation/init_aecs_client/app.yaml @@ -0,0 +1,9 @@ +includes: + - base.yaml +# bash +targets: + # copy busybox + - target: /bin + copy: + - files: + - /opt/occlum/toolchains/busybox/glibc/busybox diff --git a/demos/remote_attestation/init_aecs_client/build.sh b/demos/remote_attestation/init_aecs_client/build.sh new file mode 100755 index 00000000..80abf15b --- /dev/null +++ b/demos/remote_attestation/init_aecs_client/build.sh 
@@ -0,0 +1,40 @@ +#! /bin/bash +set -e + + +UA_ENV_PCCS_URL=${1:-https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/} + + +function update_client_init_ra_conf() +{ + local ua_pccs_url=$1 + + # Fill in the keys + new_json="$(jq '.kms_keys = [ {"key": "secret-my-keypair", "path": "/etc/saved_secret_rsa_keypair", "service": "service1"}] | + .kms_keys += [ {"key": "secret-my-aes256-key", "path": "/etc/saved_secret_aes_256", "service": "service1"}]' init_ra_conf.json)" && \ + echo "${new_json}" > init_ra_conf.json + + # Fill in the ua pccs url + new_json="$(jq .ua_env_pccs_url=\"$ua_pccs_url\" init_ra_conf.json)" && \ + echo "${new_json}" > init_ra_conf.json + + # Fill in the KMS ra_config measurements if necessary. +} + +rm -rf occlum_instance +occlum new occlum_instance --init-ra aecs + +pushd occlum_instance +rm -rf image +copy_bom -f ../app.yaml --root image --include-dir /opt/occlum/etc/template + +new_json="$(jq '.resource_limits.user_space_size = "800MB" | + .resource_limits.kernel_space_stack_size ="2MB" ' Occlum.json)" && \ + echo "${new_json}" > Occlum.json + +# Update init_ra_conf.json +update_client_init_ra_conf $UA_ENV_PCCS_URL + +occlum build + +popd
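Review bot: in README.md, the "Build the demo" section says a valid PCCS URL "needs to be passed to the Occlum instance" but never shows how. build.sh reads it from its first positional argument (`UA_ENV_PCCS_URL=${1:-https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/}`) and otherwise falls back to the Aliyun endpoint without any message. Suggest documenting the invocation as `./build.sh <pccs_url>` and stating the default, so a reader outside Aliyun does not build an instance that points at a PCCS they cannot reach. Separately, the Prerequisites step pulls `occlum/occlum:latest-ubuntu20.04`; naming the Occlum release the demo was verified against would make the instructions reproducible.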
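Review bot: in app.yaml, the `# bash` comment above `targets:` does not match the content, since the only file copied is `/opt/occlum/toolchains/busybox/glibc/busybox`. Drop the comment or reword it to agree with the `# copy busybox` line below it.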
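Review bot: in build.sh, `update_client_init_ra_conf` splices the caller-supplied URL straight into the jq program (`jq .ua_env_pccs_url=\"$ua_pccs_url\" init_ra_conf.json`), and both that expansion and the call `update_client_init_ra_conf $UA_ENV_PCCS_URL` are unquoted. A value containing whitespace, a glob character, a double quote or a backslash will either break the filter or change what it writes into init_ra_conf.json. Pass the value as data instead, `jq --arg url "$ua_pccs_url" '.ua_env_pccs_url = $url' init_ra_conf.json`, and quote the argument at the call site. The function also ends with the comment `# Fill in the KMS ra_config measurements if necessary.` and no code behind it; please either add the step or say in the comment and the README what the demo leaves unset and when a user needs to fill it in.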