API standard and pre-built SDKs for multiple languages
The OpenAPI specification of this product (Kms/2016-01-20) follows the RPC standard. Alibaba Cloud provides pre-built SDKs for popular programming languages to abstract low-level complexities such as request signing. This enables developers to call APIs using language-specific syntax without dealing with HTTP details directly.
Custom signature
If your specific needs, such as a customized signature, are not supported by the SDK, manually sign requests using the signature mechanism. Note that manual signing requires significant effort (usually about 5 business days). For support, join our DingTalk group (ID: 147535001692).
Before you begin
An Alibaba Cloud account has full administrative privileges. A compromised AccessKey pair exposes all associated resources to unauthorized access, posing a significant security risk. Create a Resource Access Management (RAM) user with API-only access and use RAM policies to apply the principle of least privilege (PoLP). Use the Alibaba Cloud account itself only when explicitly required.
To call APIs securely, configure the following:
A RAM user account
An AccessKey pair for the account
Service Management
| API | Title | Description |
| --- | --- | --- |
| DescribeRegions | DescribeRegions | Describes the active regions for the current account. |
| OpenKmsService | OpenKmsService | Activates Key Management Service (KMS) for your Alibaba Cloud account. |
Manage Instances
| API | Title | Description |
| --- | --- | --- |
| ListKmsInstances | ListKmsInstances | Lists the KMS instances. |
| GetKmsInstance | GetKmsInstance | Queries the details of a KMS instance. |
| UpdateKmsInstanceBindVpc | UpdateKmsInstanceBindVpc | Updates the virtual private clouds (VPCs) that are configured for a Key Management Service (KMS) instance. |
| ReleaseKmsInstance | ReleaseKmsInstance | Releases a pay-as-you-go KMS instance. |
| GetDefaultKmsInstance | GetDefaultKmsInstance | Retrieves the default KMS instance. |
Key Management
| API | Title | Description |
| --- | --- | --- |
| CreateKey | CreateKey | Creates a master key. |
| ListKeys | ListKeys | Queries the IDs of the caller's master keys in the current region. |
| GetPublicKey | GetPublicKey | Retrieves the public key of an asymmetric key. You can use the public key to encrypt data or verify a signature on your device. |
| SetDeletionProtection | SetDeletionProtection | Enables or disables deletion protection for a customer master key (CMK). |
| SetKeyPolicy | SetKeyPolicy | Sets a key policy for a key in a KMS instance. |
Key
| API | Title | Description |
| --- | --- | --- |
| GenerateDataKey | GenerateDataKey | Generates a random data key that is used to locally encrypt data. |
| GenerateAndExportDataKey | GenerateAndExportDataKey | This operation generates a random data key. The data key is then encrypted using a customer master key (CMK) and a public key that you specify. The operation returns the ciphertext of the data key encrypted by the CMK and the ciphertext of the data key encrypted by the public key. |
| Encrypt | Encrypt | Encrypts plaintext into ciphertext using a symmetric key. |
| Decrypt | Decrypt | Decrypts ciphertext. |
| ReEncrypt | ReEncrypt | Re-encrypts ciphertext. This operation decrypts ciphertext and then uses a new master key to re-encrypt the data or data key. The operation returns the re-encrypted ciphertext. |
| ExportDataKey | ExportDataKey | Exports a data key that is encrypted by a specified public key. |
| GenerateDataKeyWithoutPlaintext | GenerateDataKeyWithoutPlaintext | Generates a random data key for local data encryption. |
| AsymmetricSign | AsymmetricSign | Signs data with an asymmetric key. |
| AsymmetricVerify | AsymmetricVerify | Verifies a signature using an asymmetric key. |
| AsymmetricEncrypt | AsymmetricEncrypt | Encrypts data with an asymmetric key. |
| AsymmetricDecrypt | AsymmetricDecrypt | Decrypts data using an asymmetric key. |
Secrets
| API | Title | Description |
| --- | --- | --- |
| CreateSecret | CreateSecret | Creates a secret and stores its initial version. |
| UpdateSecretVersionStage | UpdateSecretVersionStage | Updates the version stage of a secret. |
| ListSecrets | ListSecrets | Queries all secrets in the current region. |
| GetSecretValue | GetSecretValue | Obtains the value of a secret. |
| ListSecretVersionIds | ListSecretVersionIds | Queries information about all versions of a secret. |
| PutSecretValue | PutSecretValue | Stores a new version of a secret value for a generic secret. |
| SetSecretPolicy | SetSecretPolicy | Sets a secret policy for a secret in a KMS instance. |
| GetSecretPolicy | GetSecretPolicy | Queries the access policy of a specified credential. |
Certificate
| API | Title | Description |
| --- | --- | --- |
| DescribeCertificate | DescribeCertificate | Queries information about a certificate. |
Tag
| API | Title | Description |
| --- | --- | --- |
| UntagResource | UntagResource | Detaches tags from a master key, a credential, or a certificate. |
Manage Applications
| API | Title | Description |
| --- | --- | --- |
| DescribeNetworkRule | DescribeNetworkRule | Queries the details of a specified network rule. |
| UpdateNetworkRule | UpdateNetworkRule | Updates a network control rule. |
| DeleteNetworkRule | DeleteNetworkRule | Deletes a network control rule. |
| DescribeApplicationAccessPoint | DescribeApplicationAccessPoint | Describes an application access point. |
| DeleteApplicationAccessPoint | DeleteApplicationAccessPoint | Deletes an application access point (AAP). |
| GetClientKey | GetClientKey | Retrieves information about a client key. |
| DeleteClientKey | DeleteClientKey | Deletes a ClientKey, which is an application identity credential. |
Others
| API | Title | Description |
| --- | --- | --- |
| CancelKeyDeletion | CancelKeyDeletion | Cancels the deletion task of a CMK. |
| CertificatePrivateKeyDecrypt | CertificatePrivateKeyDecrypt | Decrypts data by using a specific certificate. |
| CertificatePrivateKeySign | CertificatePrivateKeySign | Generates a signature by using a specified certificate. |
| CertificatePublicKeyEncrypt | CertificatePublicKeyEncrypt | Encrypts data by using a specific certificate. |
| CertificatePublicKeyVerify | CertificatePublicKeyVerify | Verifies a signature by using a specified certificate. |
| ConnectKmsInstance | ConnectKmsInstance | Enables a Key Management Service (KMS) instance. |
| CreateAlias | CreateAlias | Creates an alias for a key. |
| CreateApplicationAccessPoint | CreateApplicationAccessPoint | Creates an application access point (AAP). |
| CreateCertificate | CreateCertificate | Creates a certificate. |
| CreateClientKey | CreateClientKey | Creates a client key. |
| CreateKeyVersion | CreateKeyVersion | Creates a version for a customer master key (CMK). |
| CreateNetworkRule | CreateNetworkRule | Creates a network access rule to configure the private IP addresses or private CIDR blocks that are allowed to access a Key Management Service (KMS) instance. |
| CreatePolicy | CreatePolicy | Creates a permission policy to configure the keys and secrets that are allowed to be accessed. |
| DeleteAlias | DeleteAlias | Deletes an alias. |
| DeleteCertificate | DeleteCertificate | Deletes a certificate and the private key and certificate chain of the certificate. |
| DeleteKeyMaterial | DeleteKeyMaterial | Deletes the key material that you imported. |
| DeletePolicy | DeletePolicy | Deletes a permission policy. |
| DeleteSecret | DeleteSecret | Deletes a secret. |
| DescribeAccountKmsStatus | DescribeAccountKmsStatus | Queries the status of Key Management Service (KMS) within your Alibaba Cloud account. |
| DescribeKey | DescribeKey | Queries the information about a key. |
| DescribeKeyVersion | DescribeKeyVersion | Queries the information about a key version. |
| DescribePolicy | DescribePolicy | Queries the details of a permission policy. |
| DescribeSecret | DescribeSecret | Queries the metadata of a secret. |
| DisableKey | DisableKey | Disables a key. |
| EnableKey | EnableKey | Enables a key to encrypt and decrypt data. |
| GetCertificate | GetCertificate | Queries a certificate that is managed by Certificates Manager. |
| GetKmsInstanceQuotaInfos | GetKmsInstanceQuotaInfos | Queries instance quotas. |
| GetParametersForImport | GetParametersForImport | Queries the parameters that are used to import key material for a customer master key (CMK). |
| GetRandomPassword | GetRandomPassword | Obtains a random password string. |
| ImportKeyMaterial | ImportKeyMaterial | Imports the key material. |
| ListAliases | ListAliases | Queries all aliases in the current region for the current account. |
| ListAliasesByKeyId | ListAliasesByKeyId | Queries all aliases that are bound to a key. |
| ListApplicationAccessPoints | ListApplicationAccessPoints | Queries a list of application access points (AAPs). |
| ListClientKeys | ListClientKeys | Queries a list of client keys. |
| ListKeyVersions | ListKeyVersions | Queries all versions of a key. |
| ListNetworkRules | ListNetworkRules | Queries a list of network access rules. |
| ListPolicies | ListPolicies | Queries a list of permission policies. |
| ListResourceTags | ListResourceTags | Queries the tags of a customer master key (CMK). |
| ListTagResources | ListTagResources | Queries the tags of a key or a secret. |
| RestoreSecret | RestoreSecret | Restores a deleted secret. |
| RotateSecret | RotateSecret | Manually rotates a secret. |
| ScheduleKeyDeletion | ScheduleKeyDeletion | Deletes a specified customer master key (CMK). |
| TagResource | TagResource | Adds tags to a customer master key (CMK), secret, or certificate. |
| TagResources | TagResources | Adds tags to keys or secrets. |
| UntagResources | UntagResources | Removes tags from keys or secrets. |
| UpdateAlias | UpdateAlias | Binds an existing alias to a different customer master key (CMK) ID. |
| UpdateApplicationAccessPoint | UpdateApplicationAccessPoint | Updates the information about an application access point (AAP). |
| UpdateCertificateStatus | UpdateCertificateStatus | Updates the status of a certificate. |
| UpdateKeyDescription | UpdateKeyDescription | Updates the description of a key. |
| UpdatePolicy | UpdatePolicy | Updates a permission policy. |
| UpdateRotationPolicy | UpdateRotationPolicy | Updates a key rotation policy. |
| UpdateSecret | UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretRotationPolicy | UpdateSecretRotationPolicy | Updates the rotation policy of a secret. |
| UploadCertificate | UploadCertificate | Imports a certificate and a certificate chain issued by a certificate authority (CA) into Certificates Manager. |