Key Management Service (KMS) offers a web console and multiple integration methods, including OpenAPI Explorer for online debugging, Alibaba Cloud SDK, and Terraform, to help you develop and deploy applications more efficiently.
Integration process
API version
You can debug the API list for the 2016-01-20 version online. The string 2016-01-20 represents the API version number, not a date. The displayed data is the latest public API data and has been updated since 2016-01-20. To learn how to view the API version, see View API version.
|
Version |
Description |
|
Recommended |
Online debugging
Alibaba Cloud OpenAPI Explorer helps you quickly and efficiently learn and use cloud product APIs. OpenAPI Explorer is a comprehensive tool that integrates features such as intelligent API search, documentation, online debugging, SDK acquisition, code samples, error diagnosis, and call statistics. You can use OpenAPI Explorer to call the APIs of various Alibaba Cloud services, view requests and responses, and automatically generate SDK sample code to accelerate your development. For more information, see What is an API?.
You can debug KMS APIs in OpenAPI Explorer. Before you begin, familiarize yourself with the API version, endpoints, and API parameters. After you log on to OpenAPI Explorer with your Alibaba Cloud account, your account is used for online debugging by default.
To debug APIs, go to https://next.api.aliyun.com/api/Kms/2016-01-20.
After you log on to OpenAPI Explorer, the left pane displays the KMS API list, such as DescribeRegions. In the center area, you can set the input parameters for the API and click Send Request. The right pane shows information such as Documentation, Debugging Result, SDK Sample Code, and CLI Sample Code, as well as the definitions of response parameters.
Endpoints
KMS supports two types of gateways: shared gateways and dedicated gateways. You can use shared gateways for both control-plane and data-plane operations, while dedicated gateways support only data-plane operations. A shared gateway can be accessed over the internet or a VPC, while a dedicated gateway is accessed through the KMS private network. The two types of gateways have different endpoints. For more information about the differences between the two gateways, see Differences between shared gateways and dedicated gateways.
Shared gateway endpoint
To call cryptographic operations through a shared gateway, you must enable public access. For more information, see Access keys in a KMS instance over the internet.
To minimize latency, select an endpoint based on the region where your resources reside. For example, in the China (Hangzhou) region, the public endpoint for KMS is kms.cn-hangzhou.aliyuncs.com, and the VPC endpoint is kms-vpc.cn-hangzhou.aliyuncs.com. For a complete list of endpoints, see Endpoints.
-
Public endpoints can be accessed globally.
-
VPC endpoints are accessible only from within a VPC in a specific Alibaba Cloud region. VPC endpoints provide the following advantages:
-
High security: VPC endpoints can only be accessed from within a VPC, providing enhanced security and privacy.
-
Faster response: Operating on the internal network, VPC endpoints typically offer faster response times and avoid public network issues such as latency and bandwidth limitations.
-
Lower cost: VPC endpoints use internal network communication.
-
Dedicated gateway endpoint
A dedicated gateway endpoint is accessed through the KMS private network and uses the format <YOUR_KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com, for example, kst-hzz65f176a0ogplgq****.cryptoservice.kms.aliyuncs.com.
-
Replace
<YOUR_KMS_INSTANCE_ID>with your actual KMS instance ID. -
When calling data-plane operations through a dedicated gateway, you must add the instance CA certificate configuration during client initialization. For more information, see Initialize the client.
Authentication methods
When you use an Alibaba Cloud SDK to access OpenAPI through a shared or dedicated gateway, the authentication methods are the same. KMS supports Resource Access Management (RAM)-based identity authentication methods such as AccessKey, STS token, RamRoleArn, and instance RAM role. For more information, see Manage credentials and Identity, credential, and authorization. To learn how to configure an access policy, see Use RAM to implement access control.
AccessKey
By default, an Alibaba Cloud account has administrator permissions for all resources, which cannot be modified. To ensure resource security, we recommend that you use a RAM user to create an AccessKey pair and grant it only the necessary permissions.
Log on to the RAM console. On the Users page, click the name of the target RAM user.
On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the on-screen instructions.
Grant the RAM user permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM user, click Grant Permission to attach a built-in system permission policy for KMS to the RAM user. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
ECS RAM role
An ECS instance RAM role allows you to obtain a temporary access credential (STS token) from within an ECS instance to call KMS API operations, without needing to configure an AccessKey pair.
For more information, see Instance RAM roles.
Log on to the RAM console and create a RAM role for a trusted Alibaba Cloud service.
Trusted Entity Type: Select Elastic Compute Service.
Trusted entity: Select Elastic Compute Service (ECS).
Grant the RAM role permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM role, click Grant Permission to attach a built-in system permission policy for KMS to the RAM role. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Log on to the ECS console and attach the RAM role to an ECS instance.

STS token
Security Token Service (STS) issues a temporary access credential, an STS token, to a RAM user or RAM role. This token allows access to KMS with specific permissions for a limited validity period. After the token expires, it automatically becomes invalid.
Log on to the RAM console to create a RAM user or a RAM role. For more information, see Create a RAM user and Create a RAM role.
Grant the
AliyunSTSAssumeRoleAccesspermission to the RAM user or RAM role. For more information, see Manage RAM user permissions and Grant permissions to a RAM role.Grant the RAM user or RAM role permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM role or user, click Grant Permission to attach a built-in system permission policy for KMS. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Use the RAM user or RAM role to call the STS AssumeRole operation to obtain a temporary STS access credential. For more information, see AssumeRole.
RamRoleArn
RAM users or cloud services can assume a role to obtain temporary permissions (STS token) instead of using long-term keys, which reduces the risk of key leaks. For example, in a temporary data processing task, a RAM user or cloud service temporarily assumes a role with a specific RamRoleArn. After the task is complete, the role permissions are revoked, minimizing the risk of exposure.
Create a user AccessKey pair
Log on to the RAM console. In the left-side navigation pane, choose . On the Users page, click the name of the target RAM user.
Attach the
AliyunSTSAssumeRoleAccesssystem policy or a custom policy that includes thests:AssumeRoleaction to the RAM user.On the Authentication tab, in the AccessKey section, click Create AccessKey and follow the on-screen instructions.
Create and authorize a RAM role:
In the left-side navigation pane, choose . On the Roles page, click Create Role. For more information, see Create a RAM role.
Grant the RAM role permissions to access KMS.
Method 1: Configure an identity-based policy
In the Actions column of the RAM role, click Grant Permission to attach a built-in system permission policy for KMS to the RAM role. For more information about the system permission policies for KMS, see System policies for KMS.
NoteYou can also create custom permission policies. For more information, see Create a custom policy.
Method 2: Configure a resource-based policy
KMS supports resource-based policies that grant access permissions for individual keys and secrets. You can use these policies to control which Alibaba Cloud accounts, RAM users, and RAM roles can manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.
Obtain the RamRoleArn of the target RAM role. For more information, see View the information about a RAM role.
In the left-side navigation pane, choose . On the Roles page, click the name of the target role.
On the role details page, find the RamRoleArn in the ARN section.
NoteThe RamRoleArn is the Alibaba Cloud Resource Name (ARN) of the RAM role to assume. The format is
acs:ram::$accountID:role/$roleName, where$accountIDis the Alibaba Cloud account ID and$roleNameis the RAM role name.
Integration methods
We recommend using the Alibaba Cloud SDK for integration, as it is the easiest and best-supported method for calling APIs.
Alibaba Cloud SDK
Alibaba Cloud provides SDKs for multiple programming languages, including Java, C#, Go, Python, Node.js/TypeScript, PHP, and C++. The SDKs encapsulate the signature logic, timeout mechanism, and retry mechanism. They also provide request and response objects for API calls, which simplifies development. For more information about the Alibaba Cloud SDK, see Alibaba Cloud SDK.
Alibaba Cloud CLI
The Alibaba Cloud Command Line Interface (Alibaba Cloud CLI) is a unified command-line tool based on our OpenAPI. You can use the Alibaba Cloud CLI to interact with and manage your Alibaba Cloud resources from a shell. Instead of using a graphical user interface (GUI), you can enter commands to perform operations. For more information, see What is Alibaba Cloud CLI. To learn how to get and use Alibaba Cloud CLI commands, see User guide of Alibaba Cloud CLI.
Terraform
Terraform is an open-source tool that allows you to safely and efficiently preview, provision, and manage cloud infrastructure and resources. It supports multiple major cloud providers and calls OpenAPI after converting templates into an internal data structure. Terraform automatically calculates resource differences and generates an execution plan. You can preview the impact of changes before applying them, which helps prevent accidental resource damage or service interruption. For more information, see What is Alibaba Cloud Terraform?. For a quick guide on using Terraform to orchestrate Key Management Service, see Overview.
You can use Terraform to orchestrate and use Key Management Service, but only some API operations are supported. For a list of supported resources and data sources, see Terraform resources and data sources for KMS.
Direct API calls
Making native HTTP calls requires you to implement the signature algorithm, construct a custom request with the required parameters, and then initiate the HTTP call. For information about the signature algorithm, see API overview. In addition to the required business parameters, you must also include common request parameters. For more information, see Common parameters. For an example of a direct API call, see Request syntax and signature method V3.
Usage notes
-
KMS accepts requests only over HTTPS. TLS 1.0, 1.1, and 1.2 are supported. SSL v2 and SSL v3 are not supported.
-
The maximum queries per second (QPS) for a single Alibaba Cloud account varies by API. For more information, see the QPS limit in the documentation for each API. For more information, see Throttling and quota management.
NoteAll RAM users under a single Alibaba Cloud account share the QPS quota of that account.
-
If an API call returns an error, use the error code to verify that your request parameters and their values are correct. For more information, see Common error codes.
-
You can record the request ID from the response or the SDK error message and use Alibaba Cloud OpenAPI Diagnostics for troubleshooting.