All Products
Document Center

Key Management Service:CreateApplicationAccessPoint

Last Updated:Dec 18, 2023

Creates an application access point (AAP)

Usage notes

To perform cryptographic operations and retrieve secret values, self-managed applications must use a client key to access a Key Management Service (KMS) instance. The following process shows how to create a client key-based AAP:

1. Create a network access rule: You can configure the private IP addresses or private CIDR blocks that are allowed to access KMS. For more information, see CreateNetworkRule.

2. Create a permission policy: You can configure the keys and secrets that are allowed to access and bind network access rules to the keys and secrets. For more information, see CreatePolicy.

3. Create an AAP: You can configure an authentication method and bind a permission policy to an AAP. This topic describes how to create an AAP.

4. Create a client key: You can configure the encryption password and validity period of a client key and bind the client key to an AAP. For more information, see CreateClientKey.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters






Action String Yes CreateApplicationAccessPoint

The operation that you want to perform. Set the value to CreateApplicationAccessPoint.

Name String Yes aap_test

The name of the AAP.

Description String No aap description

The description of the AAP.

AuthenticationMethod String No ClientKey

The authentication method. Currently, only ClientKey is supported.

Policies String Yes ["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]

The permission policy.

Note You can bind up to three permission policies to each AAP.

Response parameters





RequestId String bcfefe15-46f0-44a3-bd96-3d422474b71a

The ID of the request, which is used to locate and troubleshoot issues.

Description String aap description

The description of the AAP.

Policies String ["kst-hzz62ee817bvyyr5x****.efkd","kst-hzz62ee817bvyyr5x****.eyyp"]

The permission policy.

Name String aap_test

The name of the AAP.

Arn String acs:kms:cn-hangzhou:119285303511****:applicationaccesspoint/aap_test

The Alibaba Cloud Resource Name (ARN) of the AAP.

AuthenticationMethod String ClientKey

The authentication method.


Sample requests

&Description=aap description
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK

    <Description>aap description</Description>

JSON format

HTTP/1.1 200 OK

  "RequestId" : "bcfefe15-46f0-44a3-bd96-3d422474b71a",
  "Description" : "aap description",
  "Policies" : "[\"kst-hzz62ee817bvyyr5x****.efkd\",\"kst-hzz62ee817bvyyr5x****.eyyp\"]",
  "Name" : "aap_test",
  "Arn" : "acs:kms:cn-hangzhou:119285303511****:applicationaccesspoint/aap_test",
  "AuthenticationMethod" : "ClientKey"

Error codes

HTTP status code

Error code

Error message


409 Rejected.ResourceExist The request was rejected because the resource already exists. The resource already exists.

For a list of error codes, see Service error codes.