This topic describes the limits of Key Management Service (KMS).

KMS is a region-specific service. The limits of KMS vary with the region. For more information about the regions supported by KMS, see the "Endpoints" section of the Request syntax topic.

Resource quotas

KMS defines resource quotas to provide fast and elastic services. Some quotas limit only the resources that you create, but do not apply to the resources that are created by other Alibaba Cloud services. If the resources that you use do not belong to your Alibaba Cloud account, the resources are not counted in your resource quotas.

If the quota of a resource is exhausted, the system reports the error Rejected.LimitExceeded for new requests to create this type of resource.

The following table describes the KMS resource quotas for each Alibaba Cloud account in a region. To increase a quota, submit a ticket.

Note No additional fees are charged for increased quotas.
Resource type Default quota Description
Customer master key (CMK) 200 The maximum number of CMKs that you can create in a region.
Alias 300 The maximum number of aliases that you can create in a region.
CMK version 10,000 The maximum number of versions for all CMKs that you can create in a region.

Request quotas

KMS sets a quota for the number of API operations that you can call per second. When the API request quota is exceeded, KMS blocks valid requests and returns an error similar to the following code. This type of error can be fixed by retries. You can configure your application to use the exponential backoff method to retry requests. For more information, see Use the exponential backoff method to retry requests.

{
  "HttpStatus": 429
  "Code": "Rejected.Throttling"
  "Message": "QPS Limit Exceeded"
  "RequestId": "e85db688-a2d3-44ca-9790-4259etas154f"
}

The following table describes the KMS request quotas for each Alibaba Cloud account in a region. To increase a quota, submit a ticket.

Note No additional fees are charged for increased quotas.
Table 1. Default request quotas for CMKs per second
CMK specification Create operation Key operation Read-only operation Write operation
  • Aliyun_AES_256
  • Aliyun_SM4
10 750 20 10
  • RSA_2048
  • RSA_3072
10 200 20 10
  • EC_P256
  • EC_P256K
  • EC_SM2
10 200 20 10

The default request quotas for CMKs are grouped by operation. All operations in a group share the request quota for this group. The following groups are defined:

  • Create operation group: consists of the CreateKey operation. For more information, see CreateKey.
  • Key operation group: includes the key operations for a specific CMK. For more information, see Key service operations.
  • Read-only operation group: includes the operations that are related to CMKs, aliases, and CMK tags but do not change the metadata, properties, or status of resources.
  • Write operation group: includes the operations that are related to CMKs, aliases, and CMK tags and change the metadata, properties, or status of resources.