The following tables list API operations available for use in KMS. For more information, see OpenAPI Explorer.
Alibaba Cloud also provides a command line tool that you can use to explore the API operations and to automate tasks from the command line. For more information about how to install and use the tool, see Alibaba Cloud CLI.
Key API operations
- CMK management
CMK management API operations are used to create and modify CMKs and manage their lifecycle.
| Operation | Description |
|---|---|
| CreateKey | Creates a CMK. You can use key material created in KMS or import external key material to the CMK. Importing external key material is known as Bring Your Own Key (BYOK). Calling CreateKey is the first step of BYOK. |
| GetParametersForImport | Obtains key material to be imported. This operation is the second step of BYOK. |
| ImportKeyMaterial | Imports key material to a CMK. This operation is the final step of BYOK. |
| EnableKey | Changes the state of a CMK to Enabled. |
| DisableKey | Changes the state of a CMK to Disabled. |
| ScheduleKeyDeletion | Schedules the deletion of a CMK. After you call this operation, the CMK enters the Pending Deletion state. The CMK is automatically deleted after the specified waiting period elapses. |
| CancelKeyDeletion | Cancels the scheduled deletion of a CMK. You can cancel the scheduled deletion of a CMK before the scheduled waiting period elapses. After the deletion is canceled, the CMK enters the Enabled state again. |
| DeleteKeyMaterial | Deletes key material of a CMK. You can directly delete key material that is imported from an external source. After key material of a CMK is deleted, the CMK enters the Pending Import state. |
| DescribeKey | Queries the detailed information of a CMK. |
| ListKeys | Queries all CMKs of the current Alibaba Cloud account in the current region. |
| UpdateKeyDescription | Updates the description of a CMK. |
- Key version management
Key version management API operations are used for CMK rotation.
| Operation | Description |
|---|---|
| DescribeKeyVersion | Queries the detailed information of a key version. |
| ListKeyVersions | Queries all key versions of a CMK. |
| UpdateRotationPolicy | Updates the rotation policy of a symmetric CMK. If automatic rotation is configured, KMS automatically generates a new key version on a periodic basis. |
| CreateKeyVersion | Creates a new version for a CMK. This operation is available only for asymmetric CMKs. |
- Cryptographic operations
Cryptographic API operations are used to perform cryptographic operations such as data encryption and decryption.
| Operation | Description |
|---|---|
| Encrypt | Uses a specified CMK to encrypt data. This operation is used to encrypt data of no more than 6 KB. |
| GenerateDataKey | Generates a random number and encrypts the random number with a specified CMK. The ciphertext and plaintext of the random number are returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data. |
| GenerateDataKeyWithoutPlaintext | Generates a random number and encrypts the random number with a specified CMK. The ciphertext of the random number is returned. The random number can be used as a data key to encrypt or decrypt a large amount of local data. |
| ExportDataKey | Encrypts a data key by using a specific public key and exports the data key. |
| GenerateAndExportDataKey | Generates a random data key, encrypts the data key by using a specific CMK and public key, and returns the ciphertext encrypted by using the CMK and that encrypted by using the public key. |
| Decrypt | Decrypts the ciphertext that is generated by calling the Encrypt or GenerateDataKey operation. You do not need to specify a CMK for decryption. |
| ReEncrypt | Re-encrypts ciphertext. Decrypts the specified ciphertext, uses a different CMK to encrypt the obtained plaintext data or data key, and returns ciphertext. |
| AsymmetricSign | Uses the private key of an asymmetric key pair to generate a digital signature. |
| AsymmetricVerify | Uses the public key of an asymmetric key pair to verify a digital signature that is generated by using the private key. |
| AsymmetricDecrypt | Uses the private key of an asymmetric key pair to decrypt the data that is encrypted by using the public key. |
| AsymmetricEncrypt | Uses the public key of an asymmetric key pair to encrypt data. |
| GetPublicKey | Obtains the public key of an asymmetric key pair. You can use the public key to encrypt data or verify digital signatures offline. |
- Alias management
An alias is an independent object in KMS. It must be bound to a unique CMK. You can set the KeyId parameter in certain API operations to an alias to specify a CMK.
| Operation | Description |
|---|---|
| CreateAlias | Creates an alias and binds it to a CMK. |
| UpdateAlias | Changes the CMK to which a specified alias is bound. |
| DeleteAlias | Deletes an alias. |
| ListAliases | Queries all aliases under the current Alibaba Cloud account in the current region. |
| ListAliasesByKeyId | Queries all aliases bound to a specified CMK. |
Secrets Manager API operations
KMS Secrets Manager hosts, protects, distributes, and rotates secrets.
| Operation | Description |
|---|---|
| CreateSecret | Creates a secret and stores the secret value in the initial version. |
| ListSecrets | Queries all secrets created by your Alibaba Cloud account in the current region. |
| DeleteSecret | Deletes a secret. |
| DescribeSecret | Obtains the metadata of a secret. |
| GetSecretValue | Obtains a secret value. |
| PutSecretValue | Stores the secret value of a new version into a secret object. |
| UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretVersionStage | Updates the stage label that marks a secret version. |
| RestoreSecret | Restores a deleted secret. |
| ListSecretVersionIds | Queries all versions of a secret. |
| GetRandomPassword | Obtains a random password string. |
Tag management API operations
CMKs support tags. You can add multiple tags to a CMK. A tag is defined by a pair of TagKey and TagValue.
| Operation | Description |
|---|---|
| TagResource | Adds tags to or modifies existing tags of a CMK or secret. |
| UntagResource | Removes a tag from a CMK or secret. |
| ListResourceTags | Queries all tags of a CMK or secret. |
Other API operations
| Operation | Description |
|---|---|
| DescribeRegions | Queries available regions under your Alibaba Cloud account. |
| OpenKmsService | Activates KMS under your Alibaba Cloud account. |
| DescribeAccountKmsStatus | Queries the status of KMS under your Alibaba Cloud account. |