CreateKey - Key Management Service - Alibaba Cloud Documentation Center

Creates a master key.

Operation description

For information about the access policies required for a RAM user or RAM role to call this OpenAPI operation, see Resource Access Management.
Alibaba Cloud Key Management Service (KMS) supports common specifications for symmetric and asymmetric keys. For more information, see Key management types and key specifications.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter	Type	Required	Description	Example
Description	string	No	The description of the key. The description can be 0 to 8,192 characters in length.	key description example
KeyUsage	string	No	The usage of the key. Valid values: ENCRYPT/DECRYPT: encrypts and decrypts data. SIGN/VERIFY: generates and verifies digital signatures. Default value: If the key supports signature verification, the default value is SIGN/VERIFY. Otherwise, the default value is ENCRYPT/DECRYPT.	ENCRYPT/DECRYPT
Origin	string	No	The source of the key material. Valid values: Aliyun_KMS (default): The key material is generated by Alibaba Cloud KMS. EXTERNAL: The key material is imported. Note The value is case-sensitive. If you set this parameter to EXTERNAL, import key material. For more information, see Import key material for a symmetric key or Import key material for an asymmetric key.	Aliyun_KMS
ProtectionLevel	string	No	You do not need to specify this parameter. KMS automatically sets an appropriate protection level for your key. The protection level of the key. Valid values: SOFTWARE HSM Note If you specify DKMSInstanceId, this parameter is ignored. If the instance is a software key management instance, the protection level is SOFTWARE. If the instance is a hardware key management instance, the protection level is HSM. If you do not specify DKMSInstanceId, leave this parameter empty. KMS sets the protection level. If a managed HSM is available in the region, KMS sets this parameter to HSM. Otherwise, KMS sets this parameter to SOFTWARE. For more information, see Managed HSM overview.	SOFTWARE
EnableAutomaticRotation	boolean	No	Specifies whether to enable automatic key rotation. Valid values: true: enables automatic key rotation. false (default): disables automatic key rotation. This parameter is valid only when the key management type of the key supports automatic rotation. For more information, see Key rotation.	true
RotationInterval	string	No	The automatic rotation period. The format is `integer[unit]`. `integer` indicates the length of the period. `unit` indicates the unit of time. Valid units: d (day), h (hour), m (minute), and s (second). For example, both 7d and 604800s represent a period of 7 days. If the key is a default key, the value is 365d. If the key is a software-protected key, the value can be from 7d to 365d. If the key is a hardware-protected key, automatic rotation is not supported. Note This parameter is required if you set EnableAutomaticRotation to true.	365d
KeySpec	string	No	The specification of the key. The valid values vary based on the key management type. For more information about key specifications, supported standards, and algorithms, see Key management types and key specifications. Note If you do not specify this parameter, the key specification is Aliyun_AES_256 by default.	Aliyun_AES_256
DKMSInstanceId	string	No	The ID of the KMS instance. Note This parameter is required when you create a key for a KMS instance. This parameter is not required when you create a default key (master key).	kst-bjj62d8f5e0sgtx8h****
Tags	string	No	The tags to bind to the key. Each tag consists of a key-value pair (Key:Value), which includes a tag key and a tag value. Specify a maximum of 20 tags. To specify multiple tags, use the following format: `[{"TagKey":"key1","TagValue":"value1"},{"TagKey":"key2","TagValue":"value2"},...]`. Each tag key and tag value can be up to 128 characters in length and can contain uppercase letters, lowercase letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@). Note The tag key cannot start with aliyun or acs:.	[{"TagKey":"disk-encryption","TagValue":"true"}]
Policy	string	No	The content of the key policy. The value is in the JSON format. The policy can be up to 32,768 bytes in length. For more information about key policies, see Key policy overview. If you do not specify this parameter, the default credential policy is used. A key policy contains the following content: Version: The version of the key policy. Only version 1 is supported. Statement: The statements of the key policy. Each key policy contains one or more statements. The following is the format of a key policy: `{ "Version": "1", "Statement": [ { "Sid": "Enable RAM User Permissions", "Effect": "Allow", "Principal": { "RAM": ["acs:ram::112890462***:root"] }, "Action": [ "kms:" ], "Resource": [ "" ], "Condition": { "condition operator": { "condition key": "condition value" } } } ] }` Details about a statement: Sid: (Optional) The custom statement identifier. The identifier can be up to 128 characters in length and can contain uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters, including underscores (_), forward slashes (/), plus signs (+), equal signs (=), periods (.), at signs (@), and hyphens (-). Effect: (Required) The effect of the policy statement. Valid values: Allow and Deny. Principal: (Required) The principal to which the permission is granted. Set this parameter to the current Alibaba Cloud account (the Alibaba Cloud account to which the key belongs), a RAM user or RAM role of the current Alibaba Cloud account, or a RAM user or RAM role of another Alibaba Cloud account. Action: (Required) The API operations that are allowed or denied. The value must start with "kms:". For a list of supported operations, see Key policy overview. If you specify an operation that is not in the list, the setting does not take effect. Resource: (Required) The value can only be , which indicates the current KMS key. Condition: (Optional) The conditions for the authorization to take effect. Use conditions to evaluate the context of an API request to determine whether to apply the policy statement. The format is `"Condition": {"condition operator": {"condition key": "condition value"}}`. For more information, see Key policy overview. Note After granting permissions to a RAM user or RAM role of another Alibaba Cloud account, use that account to grant the RAM user or RAM role permissions to use the key in the RAM console. The RAM user or RAM role can use the key only after this is complete. For more information, see Custom policies for Key Management Service, Grant permissions to a RAM user, and Grant permissions to a RAM role.	{"Statement":[{"Action":["kms:"],"Effect":"Allow","Principal":{"RAM":["acs:ram::119285303511**:"]},"Resource":[""],"Sid":"kms default key policy"},{"Action":["kms:List","kms:Describe","kms:Create","kms:Enable","kms:Disable","kms:Get","kms:Set","kms:Update","kms:Delete","kms:Cancel","kms:TagResource","kms:UntagResource","kms:ImportKeyMaterial","kms:ScheduleKeyDeletion"],"Effect":"Allow","Principal":{"RAM":["acs:ram::119285303511**:user/for_test_policy"]},"Resource":[""]}],"Version":"1"}
KeyStorageMechanism	string	No	The key storage location. This parameter is valid only when DKMSInstanceId is specified for a hardware key management instance. Valid values: HsmInternal (default): The key is stored in an HSM and does not support rotation. HsmEncryptedDatabase: The key is stored in a database. Symmetric keys: Rotation is supported. Asymmetric keys: Rotation is not supported.	HsmInternal

For information about common request parameters, see Common parameters.

Response elements

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request. This ID is a globally unique identifier (GUID) generated by Alibaba Cloud for the request. Use this ID to troubleshoot issues.	381D5D33-BB8F-395F-8EE4-AE3BB4B523C4
KeyMetadata	object	The metadata of the key.
KeyId	string	The globally unique identifier (GUID) of the key.	key-hzz62f1cb66fa42qo****
NextRotationDate	string	The time when the next rotation is scheduled. This parameter is returned only when the value of AutomaticRotation is Enabled or Suspended.	2024-03-25T10:00:00Z
KeyState	string	The status of the key. For more information, see Impact of CMK status on API calls.	Enabled
RotationInterval	string	The automatic rotation period of the key. The value is in seconds. The value is an integer followed by the character s. For example, a rotation period of 7 days is 604800s. This parameter is returned only when the value of AutomaticRotation is Enabled or Suspended.	31536000s
Arn	string	The Alibaba Cloud Resource Name (ARN) of the key.	acs:kms:cn-qingdao:154035569884**:key/key-hzz62f1cb66fa42qo**
Creator	string	The creator of the key.	154035569884****
LastRotationDate	string	The time when the last rotation was performed. The time is in UTC. If the key is new, this value is the generation time of the initial key version.	2023-03-25T10:00:00Z
DeleteDate	string	The scheduled time to delete the key. For more information, see ScheduleKeyDeletion . This parameter is returned only when the value of KeyState is PendingDeletion.	2025-03-25T10:00:00Z
PrimaryKeyVersion	string	The ID of the current primary version of the key.	7ce1d081-06cb-42e6-aab6-5c5de030****
Description	string	The description of the key.	key description example
KeySpec	string	The specification of the key.	Aliyun_AES_256
Origin	string	The source of the key material.	Aliyun_KMS
MaterialExpireTime	string	The expiration time of the key material. The time is in UTC. If this value is empty, the key material does not expire.	2025-03-25T10:00:00Z
AutomaticRotation	string	Indicates whether automatic key rotation is enabled. Valid values: Enabled: Automatic rotation is enabled. Disabled: Automatic rotation is disabled. Suspended: Automatic rotation is suspended.	Enabled
ProtectionLevel	string	The protection level of the key.	SOFTWARE
KeyUsage	string	The usage of the key.	ENCRYPT/DECRYPT
CreationDate	string	The date and time when the key was created. The time is in UTC.	2023-03-25T10:00:00Z
DKMSInstanceId	string	The ID of the KMS instance.	kst-bjj62d8f5e0sgtx8h****

Examples

Success response

JSON format

{
  "RequestId": "381D5D33-BB8F-395F-8EE4-AE3BB4B523C4",
  "KeyMetadata": {
    "KeyId": "key-hzz62f1cb66fa42qo****",
    "NextRotationDate": "2024-03-25T10:00:00Z",
    "KeyState": "Enabled",
    "RotationInterval": "31536000s",
    "Arn": "acs:kms:cn-qingdao:154035569884****:key/key-hzz62f1cb66fa42qo****",
    "Creator": "154035569884****",
    "LastRotationDate": "2023-03-25T10:00:00Z",
    "DeleteDate": "2025-03-25T10:00:00Z",
    "PrimaryKeyVersion": "7ce1d081-06cb-42e6-aab6-5c5de030****",
    "Description": "key description example",
    "KeySpec": "Aliyun_AES_256",
    "Origin": "Aliyun_KMS",
    "MaterialExpireTime": "2025-03-25T10:00:00Z",
    "AutomaticRotation": "Enabled",
    "ProtectionLevel": "SOFTWARE",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "CreationDate": "2023-03-25T10:00:00Z",
    "DKMSInstanceId": "kst-bjj62d8f5e0sgtx8h****"
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	Rejected.LimitExceeded	The request was rejected because user create resource limit was exceeded	The request is rejected because the number of created resources reaches the upper limit.
400	InvalidParameter	The specified parameter is not valid.	An invalid value is specified for the parameter.
400	UnsupportedOperation	This action is not supported.	The operation is not supported.
400	Forbidden.NoPermission	This operation is forbidden by permission system.	You are not authorized to perform this operation.
400	Rejected.ShareQuotaExceedLimit	Instance Share Quota Exceed Limit.	The instance share quota exceeds the limit.
500	InternalFailure	Internal Failure	An internal error occurred.
403	Forbidden.DKMSInstanceNotFound	The specified DKMS Instance is not found.	Your dedicated KMS instance is not found.
503	SerivceUnvailableTemporary	Service Unvailable Temporary	The service is temporarily unavailable.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.