This topic describes the limits of Key Management Service (KMS).

KMS is a region-specific service. It has different limits for different regions. For more information about the regions supported by KMS, see Request structure.

Resource quotas

KMS defines resource quotas to provide fast and elastic services. Some quotas only limit the resources that you create, but do not apply to the resources that are created for you by Alibaba Cloud. If the resources that you use do not belong to your Alibaba Cloud account, the resources are not counted as a part of your resource quota.

If the quota of a resource is exhausted, the system returns the error Rejected.LimitExceeded for other requests that create this type of resource. The current request is not affected.

The following table lists the KMS resource quotas for each Alibaba Cloud account in a region. If you want to increase a quota, submit a ticket.

| Resource type | Default quota | Description |
| --- | --- | --- |
| Customer master key (CMK) | 200 | The maximum number of CMKs that can be created in a region |
| Alias | 300 | The maximum number of aliases that can be created in a region |
| CMK version | 10,000 | The maximum number of versions for all CMKs that can be created in a region |

Request quotas

KMS sets a quota for the number of API operations that can be called per second. When the API request quota is exceeded, KMS throttles otherwise valid requests and returns an error similar to the following. This type of error is transient and can be resolved by retrying. You can configure request backoff and retry policies for your application.

{
  "HttpStatus": 429,
  "Code": "Rejected.Throttling",
  "Message": "QPS Limit Exceeded",
  "RequestId": "e85db688-a2d3-44ca-9790-4259********"
}
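The retry policy described above, sketched as an added example (not Alibaba Cloud SDK code): it retries only Rejected.Throttling with capped, jittered exponential backoff and fails fast on anything else, such as Rejected.LimitExceeded. KmsError, call_with_retry and make_flaky_operation are hypothetical names, and the backoff base, cap and retry count are assumed values.

```python
import random
import time

# Only the throttling code from the sample response is treated as transient.
# Rejected.LimitExceeded signals an exhausted resource quota; retrying cannot fix it.
RETRYABLE_CODES = {"Rejected.Throttling"}

# Constructed sample body, shaped like the error shown above.
THROTTLED = {"HttpStatus": 429, "Code": "Rejected.Throttling",
             "Message": "QPS Limit Exceeded", "RequestId": "constructed-request-id"}

class KmsError(Exception):
    """Hypothetical exception wrapping a parsed KMS error body."""
    def __init__(self, body):
        self.status = body.get("HttpStatus")
        self.code = body.get("Code")
        self.request_id = body.get("RequestId")
        super().__init__(f"{self.code}: {body.get('Message')}")

def backoff_delays(max_retries, base=0.1, cap=5.0, rng=random.random):
    """Full-jitter exponential backoff: up to min(cap, base * 2**n) seconds."""
    for attempt in range(max_retries):
        yield rng() * min(cap, base * (2 ** attempt))

def call_with_retry(operation, max_retries=5, sleep=time.sleep, rng=random.random):
    """Run operation(); retry throttling errors only. Returns (result, attempts)."""
    delays = backoff_delays(max_retries, rng=rng)
    attempts = 0
    while True:
        attempts += 1
        try:
            return operation(), attempts
        except KmsError as err:
            if err.code not in RETRYABLE_CODES:
                raise                      # e.g. Rejected.LimitExceeded: fail fast
            delay = next(delays, None)
            if delay is None:
                raise                      # retry budget spent: surface the error
            sleep(delay)

def make_flaky_operation(failures, error_body):
    """Constructed stand-in for a KMS call: fails `failures` times, then succeeds."""
    state = {"left": failures}
    def operation():
        if state["left"] > 0:
            state["left"] -= 1
            raise KmsError(error_body)
        return "ok"
    return operation
```

The jitter spreads retries from many clients apart so they do not hit the shared per-second quota again at the same instant.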

The following table lists the KMS request quotas for each Alibaba Cloud account in a region. If you want to increase a quota, submit a ticket.

Table 1. Default request quotas for CMKs per second
| CMK specification | Create operation | Key operation | Read-only operation | Write operation |
| --- | --- | --- | --- | --- |
| Aliyun_AES_256, Aliyun_SM4 | 10 | 750 | 20 | 10 |
| RSA_2048 | 10 | 200 | 20 | 10 |
| EC_P256, EC_P256K, EC_SM2 | 10 | 200 | 20 | 10 |

Note: The default request quotas for CMKs are grouped by operation. All operations in a group share the request quota for this group. The groups are defined as follows:
  • Create operation group: consists of the CreateKey operation. For more information, see CreateKey.
  • Key operation group: includes the key operations for a specific CMK. For more information, see Key operation.
  • Read-only operation group: includes the operations that are related to CMKs, aliases, and CMK tags and do not change the metadata, properties, or status of resources.
  • Write operation group: includes the operations that are related to CMKs, aliases, and CMK tags and change the metadata, properties, and status of resources.