Key Management Service (KMS) sets a quota on the number of queries per second (QPS). If you exceed the quota, subsequent requests are throttled. This topic describes the performance data of KMS.
Overview
You can integrate SDKs to access Key Management Service (KMS) through a shared gateway or a dedicated gateway. A shared gateway allows you to call the KMS API. A dedicated gateway allows you to call the KMS API or the KMS Instance API, depending on the SDK that you integrate. For more information, see SDK reference. For more information about the differences between the gateways, see Differences between shared gateways and dedicated gateways.
The queries per second (QPS) quota for a shared gateway is fixed for each Alibaba Cloud account and cannot be increased. In contrast, the QPS quota for a dedicated gateway applies to each KMS instance. You can achieve a higher QPS for a dedicated gateway by upgrading the instance's computing performance.
Shared gateway
The following table lists the QPS for each Alibaba Cloud account in a single region.
|
Operation type |
API |
QPS |
|
Service activation |
Operations to activate Key Management Service (KMS) and query its status. The following APIs share this quota: |
1 QPS |
|
Instance management |
Operations to connect to a KMS instance and update the VPC that is bound to the instance. The following APIs share this quota:
|
10 QPS |
|
50 QPS |
||
|
Key management |
Operations to query the metadata, properties, or status of resources such as customer master keys (CMKs), aliases, and tags. The following APIs share this quota: |
50 QPS |
|
Operations to query key tags. |
300 QPS |
|
|
Operations to create customer master keys (CMKs). |
10 QPS |
|
|
Operations to create aliases or modify CMKs, aliases, and tags. The following APIs share this quota: |
30 QPS |
|
|
Cryptographic operations |
Operations that use a symmetric key to generate data keys, encrypt data, or decrypt data. The following APIs share this quota: |
1,000 QPS |
|
Operations that use an asymmetric key for encryption, decryption, signing, and signature verification. The following APIs share this quota: |
200 QPS |
|
|
Secret operations |
Operations to create or delete secrets. The following APIs share this quota: |
10 QPS |
|
Operations to query secret information and retrieve a secret value. The following APIs share this quota: |
450 QPS |
|
|
Low-frequency read and write operations, such as querying a list of secrets and secret metadata. The following APIs share this quota: |
40 QPS |
|
|
Secret rotation. |
50 per hour |
|
|
Resource policies |
Operations to set a resource policy for a customer master key (CMK) or secret. The following APIs share this quota: |
10 QPS |
|
Operations to get the resource policy for a customer master key (CMK) or secret. The following APIs share this quota: |
50 QPS |
|
|
Application access point (AAP) |
Operations to retrieve information about AAPs, including network rules, access policies, and client keys. The following APIs share this quota: |
50 QPS |
|
Operations to create, delete, or update AAPs and their related resources, such as network rules, access policies, and client keys. The following APIs share this quota: |
10 QPS |
Dedicated gateway
A dedicated gateway has no fixed upper limit for API requests. Instead, it processes requests on a best-effort basis using the maximum computing and storage resources of the instance. When you purchase a KMS instance, you can select an appropriate computing performance plan based on your business requirements.
Test scenarios
-
The performance data for symmetric algorithms is based on tests where a customer master key (CMK) with the Aliyun_AES_256 key specification is used to encrypt or decrypt 32-byte data in GCM mode.
-
The performance data for asymmetric algorithms is based on tests where a customer master key (CMK) with the RSA_2048 key specification is used to generate a signature for 32-byte data.
-
The performance data for retrieving a secret value is based on tests where the secret value is 32 bytes.
-
To test the performance of a hardware key management instance, the KMS instance must be connected to a hardware security module (HSM) cluster that contains at least two HSMs.
QPS for software key management instances
The following table lists the reference QPS values for software key management instances in different scenarios.
To purchase a software key management instance with a computing performance of 10,000 QPS or 20,000 QPS, contact your account manager.
|
Operation type |
API |
Instance API |
1,000 QPS |
2,000 QPS |
4,000 QPS |
10,000 QPS |
20,000 QPS |
|
Operations that use symmetric algorithms |
Operations that use a symmetric key to encrypt data, decrypt data, or generate data keys. The following APIs share this quota: |
Operations that use a symmetric key to encrypt data, decrypt data, or generate data keys. The following APIs share this quota: |
1,000 |
2,000 |
4,000 |
10,000 |
20,000 |
|
Operations that use asymmetric algorithms |
Operations that use an asymmetric key for encryption, decryption, signing, and signature verification. The following APIs share this quota: |
Operations that use an asymmetric key for encryption, decryption, signing, and signature verification. The following APIs share this quota: |
200 |
300 |
500 |
1,300 |
2,500 |
|
Get public key |
Retrieves the public key of a specified asymmetric key. |
Retrieves the public key of a specified asymmetric key. GetPublicKey |
1,000 |
2,000 |
4,000 |
10,000 |
20,000 |
|
Use secrets |
Retrieves a secret value. |
Retrieves a secret value. |
500 |
1,000 |
2,000 |
4,000 |
4,000 |
|
Generate random numbers |
N/A |
Generates a random number. |
1,000 |
2,000 |
4,000 |
10,000 |
20,000 |
|
Generate data key pairs |
N/A |
Operations to generate a data key pair. The following APIs share this quota: |
1 |
1 |
1 |
1 |
1 |
QPS for hardware key management instances
The following table lists the reference QPS values for hardware key management instances in different scenarios.
|
Operation type |
API |
Instance API |
2,000 QPS |
4,000 QPS |
6,000 QPS |
|
Operations that use symmetric algorithms |
Operations that use a symmetric key to encrypt data, decrypt data, or generate data keys. The following APIs share this quota: |
Operations that use a symmetric key to encrypt data, decrypt data, or generate data keys. The following APIs share this quota: |
2,000 |
4,000 |
6,000 |
|
Operations that use asymmetric algorithms |
Operations that use an asymmetric key for encryption, decryption, signing, and signature verification. The following APIs share this quota: |
Operations that use an asymmetric key for encryption, decryption, signing, and signature verification. The following APIs share this quota: |
300 |
500 |
700 |
|
Get public key |
Retrieves the public key of a specified asymmetric key. |
Retrieves the public key of a specified asymmetric key. |
2,000 |
4,000 |
6,000 |
|
Use secrets |
Retrieves a secret value. |
Retrieves a secret value. |
1,000 |
2,000 |
3,000 |
|
Generate random numbers |
N/A |
Generates a random number. |
2,000 |
4,000 |
6,000 |
|
Generate data key pairs |
N/A |
Operations to generate a data key pair. The following APIs share this quota: |
1 |
1 |
1 |