Queries all customer master keys (CMKs) of the current Alibaba Cloud account in the current region.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ListKeys

The operation that you want to perform. Set the value to ListKeys.

PageNumber Integer No. 1

The number of the page to return.

Pages start from page 1.

Default value: 1.

PageSize Integer No. 10

The number of entries to return on each page.

Valid values: 1 to 100.

Default value: 10.

Filters String No [{"Key":"KeyState", "Values":["Enabled","Disabled"]}]

The CMK filter. The filter consists of one or more key-value pairs. You can specify a maximum of 10 key-value pairs.

  • Key
    • Description: the property that you want to filter.
    • Type: string.
    • Valid values:
      • KeyState: the status of the CMK.
      • KeySpec: the type of the CMK.
      • KeyUsage: the usage of the CMK.
      • ProtectionLevel: the protection level.
      • CreatorType: the type of the creator.
      • DKMSInstanceId: the ID of the KMS instance.
  • Values
    • Description: the value to be included after filtering.
    • Format: string array.
    • Length: 0 to 10.
    • Valid values:
      • When Key is set to KeyState, the value can be Enabled, Disabled, PendingDeletion, or PendingImport.
      • When Key is set to KeySpec, the value can be Aliyun_AES_256, Aliyun_SM4, RSA_2048, EC_P256, EC_P256K, or EC_SM2.

        Note: You can create CMKs of the EC_SM2 or Aliyun_SM4 specification only in regions where State Cryptography Administration (SCA)-certified managed HSMs reside. For more information about the regions, see Supported regions. If your region does not support EC_SM2 and Aliyun_SM4, the two values are ignored if they are specified.

      • When Key is set to KeyUsage, the value can be ENCRYPT/DECRYPT or SIGN/VERIFY. ENCRYPT/DECRYPT indicates that the CMK is used to encrypt and decrypt data. SIGN/VERIFY indicates that the CMK is used to sign data and verify digital signatures.
      • When Key is set to ProtectionLevel, the value can be SOFTWARE (software) or HSM (hardware).

        You can set ProtectionLevel to HSM in only specific regions. For more information about the regions, see Supported regions. If your region does not support the value HSM, the value is ignored if the value is specified.

      • If Key is set to CreatorType, the value can be User or Service. User indicates that CMKs created by the current account are queried. Service indicates that CMKs automatically created by other cloud services authorized by the current account are queried.
      • If Key is set to DKMSInstanceId, the value is the ID of the KMS instance and is in the kst-xxx format.

The logical relationship between different keys is AND. The logical relationship between values of the Values field in a key-value pair is OR. Example:

[ {"Key":"KeyState", "Values":["Enabled","Disabled"]}, {"Key":"KeyState", "Values":["PendingDeletion"]}, {"Key":"KeySpec", "Values":["Aliyun_AES_256"]} ]

. In this example, the semantics are:

(KeyState=Enabled OR KeyState=Disabled OR KeyState=PendingDeletion) AND (KeySpec=Aliyun_AES_256).

Response parameters

Parameter Type Example Description
PageNumber Integer 1

The page number of the returned page.

PageSize Integer 10

The number of entries returned per page.

RequestId String 8252db58-2036-408c-a3d5-56e656dc2551

The ID of the request, which is used to locate and troubleshoot issues.

TotalCount Integer 3

The total number of CMKs.

Keys Array of Key

An array that consists of CMKs.

KeyId String 08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4****

The ID of the CMK. The ID must be globally unique.

KeyArn String acs:kms:cn-hangzhou:123456:key/80e9409f-78fa-42ab-84bd-83f40c81****

The Alibaba Cloud Resource Name (ARN) of the CMK.


Sample requests

&Filters=[{"Key":"KeyState", "Values":["Enabled","Disabled"]}]
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK


JSON format

HTTP/1.1 200 OK

  "PageNumber" : 1,
  "PageSize" : 10,
  "RequestId" : "8252db58-2036-408c-a3d5-56e656dc2551",
  "TotalCount" : 3,
  "Keys" : [ {
    "KeyId" : "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4****",
    "KeyArn" : "acs:kms:cn-hangzhou:123456:key/80e9409f-78fa-42ab-84bd-83f40c81****"
  } ]

Error codes

HTTP status code Error code Error message Description
400 InvalidParameter The specified parameter is not valid. The error message returned because an invalid value is specified for the parameter.
404 InvalidAccessKeyId.NotFound The Access Key ID provided does not exist in our records. The error message returned because the specified AccessKey ID does not exist.

For a list of error codes, see Service error codes.