diff --git a/demos/remote_attestation/init_aecs_client/README.md b/demos/remote_attestation/init_aecs_client/README.md index 861d0ea2..7c17655f 100644 --- a/demos/remote_attestation/init_aecs_client/README.md +++ b/demos/remote_attestation/init_aecs_client/README.md @@ -49,6 +49,8 @@ init (get secrets and save to rootfs per the definition in init_ra_conf.json) -- ``` Thus, a simple command as below will print the secret **secret-my-keypair** acquired in **init** process. + +Just note, **UA_ENV_PCCS_URL** needs to be set as PCCS URL when running. ``` -occlum run /bin/busybox cat /etc/saved_secret_rsa_keypair +UA_ENV_PCCS_URL=https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/ occlum run /bin/busybox cat /etc/saved_secret_rsa_keypair ``` diff --git a/demos/remote_attestation/init_aecs_client/build.sh b/demos/remote_attestation/init_aecs_client/build.sh index 80abf15b..4a61c28c 100755 --- a/demos/remote_attestation/init_aecs_client/build.sh +++ b/demos/remote_attestation/init_aecs_client/build.sh @@ -2,21 +2,15 @@ set -e -UA_ENV_PCCS_URL=${1:-https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/} - - function update_client_init_ra_conf() { - local ua_pccs_url=$1 - # Fill in the keys new_json="$(jq '.kms_keys = [ {"key": "secret-my-keypair", "path": "/etc/saved_secret_rsa_keypair", "service": "service1"}] | .kms_keys += [ {"key": "secret-my-aes256-key", "path": "/etc/saved_secret_aes_256", "service": "service1"}]' init_ra_conf.json)" && \ echo "${new_json}" > init_ra_conf.json - # Fill in the ua pccs url - new_json="$(jq .ua_env_pccs_url=\"$ua_pccs_url\" init_ra_conf.json)" && \ - echo "${new_json}" > init_ra_conf.json + # Fill in the ua pccs url if for sure + # otherwise this value could overwritten when running with env UA_ENV_PCCS_URL set # Fill in the KMS ra_config measurements if necessary. } 
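Review bot: The two comment lines that replace the jq fill in update_client_init_ra_conf (`# Fill in the ua pccs url if for sure` / `# otherwise this value could overwritten when running with env UA_ENV_PCCS_URL set`) are ungrammatical and do not tell a maintainer what the function now does about `.ua_env_pccs_url`. I would replace them with `# The PCCS URL is deliberately not written into init_ra_conf.json here: it is taken at run time from the UA_ENV_PCCS_URL environment variable. To pin a URL into the (measured) config at build time, set .ua_env_pccs_url with jq as this function did before.` Since the positional argument and its default URL were dropped, a one-line header stating that the function takes no arguments and rewrites init_ra_conf.json in place would also help; whether an unset UA_ENV_PCCS_URL fails loudly at run time is not visible in this hunk and should be confirmed before relying on the env var alone.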
@@ -29,11 +23,12 @@ rm -rf image copy_bom -f ../app.yaml --root image --include-dir /opt/occlum/etc/template new_json="$(jq '.resource_limits.user_space_size = "800MB" | - .resource_limits.kernel_space_stack_size ="2MB" ' Occlum.json)" && \ + .resource_limits.kernel_space_stack_size ="2MB" | + .env.untrusted += [ "UA_ENV_PCCS_URL", "OCCLUM_INIT_RA_KMS_SERVER" ]' Occlum.json)" && \ echo "${new_json}" > Occlum.json # Update init_ra_conf.json -update_client_init_ra_conf $UA_ENV_PCCS_URL +update_client_init_ra_conf occlum build
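Review bot: Adding `OCCLUM_INIT_RA_KMS_SERVER` and `UA_ENV_PCCS_URL` to `.env.untrusted` lets whoever launches the enclave choose the KMS endpoint and the PCCS endpoint, so neither address is covered by the enclave measurement any more. That is only safe if the init process authenticates the KMS by its attested measurement rather than by address; the sibling hunk's comment `# Fill in the KMS ra_config measurements if necessary.` suggests the measurements may be left empty, in which case a hostile host could point init at a rogue KMS and the demo would pull its secrets from there — I cannot tell from this diff how init_ra treats an empty measurement list, so please confirm. I would add above the jq call `# UA_ENV_PCCS_URL and OCCLUM_INIT_RA_KMS_SERVER come from the untrusted host; the KMS must be authenticated via the ra_config measurements in init_ra_conf.json, never by this address.` and make filling those measurements a required step of update_client_init_ra_conf rather than optional. The PCCS entry is presumably lower risk if quote-verification collateral is signature-checked independently of where it was fetched, but that assumption is worth stating in the same comment.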