This topic lists all OpenAPI operations for Key Management Service (KMS).
Service management
- Queries a list of available regions for the current Alibaba Cloud account.
- Enables KMS for the current Alibaba Cloud account.
- Queries the status of KMS for the current Alibaba Cloud account.
Instance management
- Enables a KMS instance.
- Queries the details of a KMS instance.
- Queries a list of KMS instances.
- Updates the virtual private cloud (VPC) that is associated with a KMS instance.
Key management
Call the following API operations to manage keys, for example to create and delete keys and aliases.
- Creates a key. You can use key material that KMS generates or import your own key material. Importing your own key material is known as Bring Your Own Key (BYOK).
- Queries the parameters that are required to import key material into a key.
- Imports key material into a key.
- Changes the status of a key to Enabled.
- Changes the status of a key to Disabled.
- Queries the information about a key.
- Queries all keys within an Alibaba Cloud account in a region.
- Updates the description of a key.
- Creates an alias and binds it to a key.
- Updates the ID of the key that is bound to an alias.
- Deletes an alias.
- Queries all aliases within an Alibaba Cloud account in a region.
- Queries the aliases that are bound to a key.
- Enables or disables deletion protection for a key.
- Schedules the deletion of a key. After you call this operation, the key enters the Pending Deletion state and is deleted automatically when the specified waiting period elapses.
- Cancels the scheduled deletion of a key. You can cancel only before the specified waiting period elapses. After the cancellation, the key returns to the Enabled state.
- Deletes key material. You can delete only the external (imported) key material of a customer master key (CMK) that is used as a default key.
- Creates a key version. Symmetric keys in KMS instances of the software key management type support this operation. Asymmetric keys outside KMS instances also support this operation.
- Queries the information about a key version.
- Queries all versions of a key.
- Updates the rotation policy of a key. If automatic rotation is enabled, KMS generates a new key version on a regular basis.
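The key lifecycle operations listed above (enable, disable, deletion protection, schedule deletion with a waiting period, cancel deletion) form a small state machine, and the guards between the states are what a caller relies on. The Go program below is an added illustration of that model, written for this page; it is not the service's own code or the Alibaba Cloud SDK. The `Key` type, its methods, the error values and the minimum waiting period of 7 days are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// KeyState models the states named in the key management operations.
type KeyState string

const (
	Enabled         KeyState = "Enabled"
	Disabled        KeyState = "Disabled"
	PendingDeletion KeyState = "PendingDeletion"
)

var (
	ErrProtected  = errors.New("deletion protection is enabled")
	ErrWrongState = errors.New("operation is not allowed in the current key state")
	ErrPeriodOver = errors.New("the waiting period has elapsed")
)

// Key is a client-side model of a KMS key's lifecycle (an illustration, not the service's implementation).
type Key struct {
	ID                 string
	State              KeyState
	DeletionProtection bool
	DeleteAt           time.Time // set only while State == PendingDeletion
}

// Enable moves a Disabled key back to Enabled.
func (k *Key) Enable() error {
	if k.State != Disabled {
		return ErrWrongState
	}
	k.State = Enabled
	return nil
}

// Disable suspends an Enabled key without destroying it.
func (k *Key) Disable() error {
	if k.State != Enabled {
		return ErrWrongState
	}
	k.State = Disabled
	return nil
}

// ScheduleDeletion puts the key into Pending Deletion for waitDays. The guard on
// DeletionProtection is the whole point of that setting. The minimum of 7 days is an
// assumption of this example; check the service limits for the real range.
func (k *Key) ScheduleDeletion(now time.Time, waitDays int) error {
	if k.State == PendingDeletion {
		return ErrWrongState
	}
	if k.DeletionProtection {
		return ErrProtected
	}
	if waitDays < 7 {
		return errors.New("waiting period is too short")
	}
	k.State = PendingDeletion
	k.DeleteAt = now.Add(time.Duration(waitDays) * 24 * time.Hour)
	return nil
}

// CancelDeletion returns a Pending Deletion key to Enabled, but only before the deadline.
func (k *Key) CancelDeletion(now time.Time) error {
	if k.State != PendingDeletion {
		return ErrWrongState
	}
	if !now.Before(k.DeleteAt) {
		return ErrPeriodOver
	}
	k.State = Enabled
	k.DeleteAt = time.Time{}
	return nil
}

// Usable reports whether cryptographic operations may use the key right now.
func (k *Key) Usable() bool { return k.State == Enabled }

func main() {
	k := &Key{ID: "key-example", State: Enabled, DeletionProtection: true}
	now := time.Now()
	fmt.Println(k.ScheduleDeletion(now, 7)) // refused while deletion protection is on
	k.DeletionProtection = false
	fmt.Println(k.ScheduleDeletion(now, 7), k.State, k.Usable())
	fmt.Println(k.CancelDeletion(now.Add(24*time.Hour)), k.State)
}
```

Two details are worth carrying into real code: a key in Pending Deletion is not usable even though it still exists, so callers should treat `Usable()` as the gate for cryptographic operations, and deletion protection has to be turned off as a separate, auditable step before deletion can even be scheduled.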
Cryptographic operations
Perform cryptographic operations on data using KMS keys, such as encrypting data, generating data keys, decrypting data, and calculating signatures.
- Encrypts plaintext into ciphertext by using a symmetric key.
- Generates a random data key for encrypting on-premises data. Returns both the plaintext of the data key and its ciphertext (the data key encrypted by the KMS key).
- Generates a random data key for encrypting on-premises data. Returns only the ciphertext of the data key, not its plaintext.
- Encrypts a data key by using a specified public key and exports the data key.
- Generates a random data key and encrypts it by using both the KMS key and the public key that you specify. This operation returns both ciphertexts of the data key.
- Decrypts ciphertext.
- Re-encrypts ciphertext. KMS decrypts the ciphertext, re-encrypts the resulting plaintext or data key by using a different key, and returns the new ciphertext.
- Generates a signature by using an asymmetric key.
- Verifies a signature by using an asymmetric key.
- Decrypts data by using an asymmetric key.
- Encrypts data by using an asymmetric key.
- Queries the public key of an asymmetric key pair. You can use the public key to encrypt local data and to verify signatures.
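The data-key operations above (generate a data key, encrypt on-premises data with it, later decrypt the wrapped data key) are the envelope-encryption pattern. The Go program below is an added example of the client side of that pattern; it is not code from this page or from the Alibaba Cloud SDK. It talks to a simulated service, so `KeyService`, `fakeKMS`, the wrapped-blob layout and the alias `alias/app-data` are all assumptions of the example; only the local AES-GCM handling is what a real client would do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceSize = 12 // standard GCM nonce length, used by both the fake service and the client

// DataKey mirrors a GenerateDataKey-style result: a plaintext key for local use and the same key wrapped by KMS.
type DataKey struct{ Plaintext, Ciphertext []byte }

// KeyService is a hypothetical minimal interface for this example, not the Alibaba Cloud SDK.
type KeyService interface {
	GenerateDataKey(keyID string) (DataKey, error)
	Decrypt(ciphertext []byte) ([]byte, error)
}

// fakeKMS simulates the service side: one 256-bit root key per key ID that never leaves it.
type fakeKMS struct{ roots map[string][]byte }
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-256-GCM; every key in this example is 32 bytes, so failure is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// GenerateDataKey returns a fresh data key and its wrapped form. Blob layout (constructed for this
// example): len(keyID) | keyID | nonce | AES-GCM ciphertext, with keyID bound as associated data.
func (k *fakeKMS) GenerateDataKey(keyID string) (DataKey, error) {
	root, ok := k.roots[keyID]
	if !ok {
		return DataKey{}, fmt.Errorf("unknown key %q", keyID)
	}
	dk, nonce := randBytes(32), randBytes(nonceSize)
	blob := append([]byte{byte(len(keyID))}, keyID...)
	blob = append(blob, nonce...)
	return DataKey{dk, mustGCM(root).Seal(blob, nonce, dk, []byte(keyID))}, nil
}

// Decrypt unwraps a blob from GenerateDataKey; the blob identifies its own key, as a real ciphertext does.
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0])+nonceSize {
		return nil, fmt.Errorf("malformed blob")
	}
	keyID, rest := string(blob[1:1+int(blob[0])]), blob[1+int(blob[0]):]
	root, ok := k.roots[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	return mustGCM(root).Open(nil, rest[:nonceSize], rest[nonceSize:], []byte(keyID))
}

// Envelope is what gets stored: the wrapped data key travels with the data it protects.
type Envelope struct{ EncryptedDataKey, Nonce, Ciphertext []byte }

// Seal is client-side envelope encryption: one KMS call for the data key, local AES-GCM over the
// payload with the wrapped key as associated data, and the plaintext key wiped on return.
func Seal(svc KeyService, keyID string, plaintext []byte) (Envelope, error) {
	dk, err := svc.GenerateDataKey(keyID)
	if err != nil {
		return Envelope{}, err
	}
	defer clear(dk.Plaintext) // zeroize; the Envelope never holds the plaintext key
	nonce := randBytes(nonceSize)
	return Envelope{dk.Ciphertext, nonce, mustGCM(dk.Plaintext).Seal(nil, nonce, plaintext, dk.Ciphertext)}, nil
}

// Open reverses Seal: one KMS Decrypt call recovers the data key, the rest is local.
func Open(svc KeyService, env Envelope) ([]byte, error) {
	dk, err := svc.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer clear(dk)
	return mustGCM(dk).Open(nil, env.Nonce, env.Ciphertext, env.EncryptedDataKey)
}

func main() {
	svc := &fakeKMS{roots: map[string][]byte{"alias/app-data": randBytes(32)}}
	env, err := Seal(svc, "alias/app-data", []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	out, err := Open(svc, env)
	fmt.Println(string(out), err)
}
```

Three properties of the pattern are visible here: the plaintext data key exists only for the duration of `Seal` or `Open` and is wiped afterwards; the wrapped data key is used as associated data for the payload, so a ciphertext cannot be paired with a different wrapped key; and because the wrapped blob identifies its own key, `Decrypt` takes no key ID, which matches how the service's decrypt operation is described above.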
Secret management
Manage, protect, distribute, and rotate secrets by calling API operations.
- Creates a secret and stores the secret value in its initial version.
- Queries all secrets within an Alibaba Cloud account in a region.
- Queries the metadata of a secret.
- Updates the metadata of a secret.
- Stores the secret value of a new version in a secret. Only generic secrets support this operation.
- Updates the stage label that marks a secret version. Only generic secrets support this operation.
- Deletes a secret or schedules its deletion.
- Restores a secret that is scheduled for deletion.
- Queries all versions of a secret.
- Generates a random password string.
- Manually rotates a secret.
- Updates the rotation policy of a secret.
Retrieve secret value
- GetSecretValue: Retrieves a secret value.
Tag management
You can add multiple tags to a key or secret. Each tag consists of a tag key and a tag value.
TagResource, UntagResource, and ListResourceTags operate on a single resource. TagResources, UntagResources, and ListTagResources operate on multiple resources at a time.
- TagResource: Adds a tag to a key or secret.
- UntagResource: Removes a tag from a key or secret.
- ListResourceTags: Queries all tags of a key.
- TagResources: Adds tags to multiple keys or secrets at a time.
- UntagResources: Removes tags from multiple keys or secrets at a time.
- ListTagResources: Queries all tags or specific tags of multiple keys or secrets at a time.
Application management
- Creates a network access rule that specifies the private IP addresses or CIDR blocks that are allowed to access a KMS instance.
- Deletes a network access rule.
- Queries the details of a network access rule.
- Queries a list of network access rules.
- Updates a network access rule.
- Creates a permission policy that specifies the keys and secrets that an application can access.
- Deletes a permission policy.
- Queries the details of a permission policy.
- Updates a permission policy.
- Queries permission policies.
- Creates an application access point (AAP).
- Deletes an AAP.
- Queries the details of an AAP.
- Queries a list of AAPs.
- Updates the information about an AAP.
- Creates a client key.
- Deletes a client key.
- Queries a list of client keys.
- Queries the information about a client key.
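The application management operations above describe three building blocks: a network access rule (which private addresses may reach the instance), a permission policy (which keys and secrets an application may use), and an application access point that an application authenticates to with its client key. The Go program below is an added example, written for this page and not taken from the service or the Alibaba Cloud SDK, of how a default-deny authorization check over those three pieces looks on the consuming side. The type names, the `key/...` and `secret/...` resource naming with a trailing `/*` wildcard, and the way a policy carries its own network rule are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// NetworkRule models a network access rule: the private CIDR blocks allowed to reach the instance.
type NetworkRule struct{ Allowed []netip.Prefix }

// ParseRule builds a NetworkRule and rejects malformed CIDR blocks instead of silently skipping them.
func ParseRule(cidrs ...string) (NetworkRule, error) {
	var r NetworkRule
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return NetworkRule{}, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		r.Allowed = append(r.Allowed, p.Masked())
	}
	return r, nil
}

func (r NetworkRule) allows(a netip.Addr) bool {
	for _, p := range r.Allowed {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Policy models a permission policy: the key and secret resources an application may use,
// as exact names or as a prefix wildcard ("secret/billing/*"), plus the network rule that applies.
// The resource naming scheme is an assumption of this example.
type Policy struct {
	Resources []string
	Network   NetworkRule
}

func (p Policy) allows(resource string) bool {
	for _, r := range p.Resources {
		if r == resource || (strings.HasSuffix(r, "/*") && strings.HasPrefix(resource, r[:len(r)-1])) {
			return true
		}
	}
	return false
}

// AccessPoint models an AAP: the application identity (proven by its client key) and the policies attached to it.
type AccessPoint struct {
	Name     string
	Policies []Policy
}

// Authorize is default-deny: the request passes only if some attached policy grants the resource
// AND that same policy's network rule contains the source address. The reason string is for audit logs.
func (ap AccessPoint) Authorize(srcIP, resource string) (bool, string) {
	addr, err := netip.ParseAddr(srcIP)
	if err != nil {
		return false, "invalid source address"
	}
	resourceGranted := false
	for _, p := range ap.Policies {
		if !p.allows(resource) {
			continue
		}
		resourceGranted = true
		if p.Network.allows(addr) {
			return true, "allowed by policy on " + ap.Name
		}
	}
	if resourceGranted {
		return false, "resource granted, but source address is outside the network rule"
	}
	return false, "no policy on " + ap.Name + " grants " + resource
}

func main() {
	rule, err := ParseRule("10.0.1.0/24")
	if err != nil {
		panic(err)
	}
	ap := AccessPoint{Name: "aap-billing", Policies: []Policy{{Resources: []string{"key/billing-master", "secret/billing/*"}, Network: rule}}}
	fmt.Println(ap.Authorize("10.0.1.25", "secret/billing/db"))
	fmt.Println(ap.Authorize("10.0.2.25", "secret/billing/db"))
}
```

The point of keeping the network rule attached to the policy rather than to the access point as a whole is least privilege: a policy that grants a broad wildcard can be pinned to a narrow CIDR block, while a policy for a single key can be reachable from more of the VPC. Rejecting malformed CIDR blocks at parse time matters too, since a skipped rule would turn a typo into a silent deny, or, with a permissive default, a silent allow.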