All Products
Search

This Product

    Key Management Service:Alibaba Cloud SDK

    Document Center

    Key Management Service:Alibaba Cloud SDK

    Last Updated:Apr 22, 2025

    Integrating Alibaba Cloud SDK allows you to call the OpenAPI for management operations, such as creating instances and keys. You can also perform business operations, such as encryption, decryption, and retrieving secret values. This topic helps you to use Key Management Service (KMS) by integrating Alibaba Cloud SDK.

    Access overview

    When integrating Alibaba Cloud SDK for KMS, note that management operations are accessible only through the shared gateway, while business operations are accessible through both the shared and dedicated gateways. The following figure illustrates these access methods.

    image

    Differences between shared and dedicated gateways for accessing KMS

    The table below lists the key differences between accessing a shared gateway and a dedicated gateway when using Alibaba Cloud SDK to access KMS for business operations.

    Item

    Shared gateway

    Dedicated gateway

    Network

    Public network or VPC network.

    KMS private network.

    Performance

    KMS has a quota that limits the number of API requests per second.

    For example, the QPS for encryption and decryption is fixed at 1000.

    Instead of limiting the number of API requests, KMS processes them in best effort mode. The maximum available computing and storage resources are used during processing. When you purchase a KMS instance, you can select an appropriate QPS based on your business requirements.

    Supported APIs

    All OpenAPIs for cryptographic operations and retrieving secret values.

    All OpenAPIs for cryptographic operations and retrieving secret values, except ReEncrypt.

    Network access control

    The VPC ID (condition key: acs:SourceVpc) and IP addresses within the VPC (condition key: acs:VpcSourceIp) are supported for network access control.

    The VPC ID (condition key: acs:SourceVpc) and source IP addresses within a VPC (condition key: acs:VpcSourceIp) are not supported for network access control. If you require network access control, contact your account manager.

    Authorization

    When using STS authentication to retrieve secrets, authorization is applied only to the GetSecretValue operation, not to the Decrypt operation. Other authentication methods apply authorization to both operations.

    During the secrets retrieval process, both the GetSecretValue and Decrypt operations are authorized.

    Log auditing

    ActionTrail

    Simple Log Service (SLS)

    SDK configurations

    Endpoint

    During client initialization, the shared gateway endpoint must be configured with one of the following formats:

    • Public network domain names: kms.<REGION_ID>.aliyuncs.com.

    • VPC domain names: kms-vpc.<REGION_ID>.aliyuncs.com.

    During client initialization, the dedicated gateway endpoint must be configured following the format: <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com.

    CA certificate

    Not required.

    • Alibaba Cloud SDK V2.0: Requires setting a CA certificate.

    • Alibaba Cloud SDK V1.0: Does not support certificates. Instead, the HTTPSInsecure runtime parameter must be set to true: client.SetHTTPSInsecure(true).

    Supported OpenAPI

    The management operations are only accessible through the shared gateway, while business operations can be accessed through both the shared and dedicated gateways.

    Management operations

    Service management

    API

    Description

    DescribeRegions

    Queries a list of available regions for the current Alibaba Cloud account.

    OpenKmsService

    Enable KMS for the current Alibaba Cloud account.

    DescribeAccountKmsStatus

    Queries the status of KMS for the current Alibaba Cloud account.

    Instance management

    API

    Description

    ConnectKmsInstance

    Enables a KMS instance.

    GetKmsInstance

    Queries the details of a KMS instance.

    ListKmsInstances

    Queries a list of KMS instances.

    UpdateKmsInstanceBindVpc

    Updates the virtual private cloud (VPC) associated with a KMS instance.

    Key management

    Manage keys by calling the following API operations, such as creating and deleting keys and aliases.

    API

    Description

    CreateKey

    Creates a key. You can use key material that is generated by KMS or import your own key material. Importing your own key material is known as Bring Your Own Key (BYOK).

    GetParametersForImport

    Queries the parameters that are used to import key material to a key.

    ImportKeyMaterial

    Imports key material to a key.

    EnableKey

    Changes the status of a key to Enabled.

    DisableKey

    Changes the status of a key to Disabled.

    DescribeKey

    Queries the information about a key.

    ListKeys

    Queries all keys within an Alibaba Cloud account in a region.

    UpdateKeyDescription

    Updates the description of a key.

    CreateAlias

    Creates an alias and binds it to a key.

    UpdateAlias

    Updates the ID of a key that is bound to an alias.

    DeleteAlias

    Deletes an alias.

    ListAliases

    Queries all aliases within an Alibaba Cloud account in a region.

    ListAliasesByKeyId

    Queries aliases that are bound to a key.

    SetDeletionProtection

    Enables or disables deletion protection.

    ScheduleKeyDeletion

    Schedules deletion of a key. After you call this operation, the key enters the Pending Deletion state. The key is automatically deleted after the specified waiting period elapses.

    CancelKeyDeletion

    Cancels the scheduled deletion of a key. You can cancel the scheduled deletion of a key before the specified waiting period elapses. After the scheduled deletion is canceled, the key re-enters the Enabled state.

    DeleteKeyMaterial

    Deletes key material.

    Important

    You can only delete external key material of the customer master key (CMK) that is used as a default key.

    CreateKeyVersion

    Creates a version. Symmetric keys in KMS instances of the software key management type support this operation. Asymmetric keys outside KMS support this operation.

    DescribeKeyVersion

    Queries the information about a key version.

    ListKeyVersions

    Queries all versions of a key.

    UpdateRotationPolicy

    Updates the rotation policy of a key. If automatic rotation is enabled for a key, KMS automatically generates a key version on a regular basis.

    Secret management

    Manage, protect, distribute, and rotate secrets by calling API operations.

    API

    Description

    CreateSecret

    Creates a secret and stores the secret value in the initial version.

    ListSecrets

    Queries all secrets within an Alibaba Cloud account in a region.

    DescribeSecret

    Queries the metadata of a secret.

    UpdateSecret

    Updates the metadata of a secret.

    PutSecretValue

    Stores the secret value of a new version in a secret.

    Note

    Only generic secrets support this operation.

    UpdateSecretVersionStage

    Updates the stage label that marks a secret version.

    Note

    Only generic secrets support this operation.

    DeleteSecret

    Deletes or schedules deletion of a secret.

    RestoreSecret

    Restores a secret that is scheduled to be deleted.

    ListSecretVersionIds

    Queries all versions of a secret.

    GetRandomPassword

    Queries a random password string.

    RotateSecret

    Manually rotates a secret.

    UpdateSecretRotationPolicy

    Updates the rotation policy of a secret.

    Tag management

    Add multiple tags to a key or secret, with each tag comprising a tag key and a tag value.

    Note

    TagResource, UntagResource, and ListResourceTags allow operations on a single resource. TagResources, UntagResources, and ListTagResources enable batch operations on multiple resources.

    API

    Description

    TagResource

    Adds a tag to a key or secret.

    UntagResource

    Removes a tag from a key or secret.

    ListResourceTags

    Queries all tags of a key.

    TagResources

    Adds tags to multiple keys or secrets.

    UntagResources

    Removes tags from multiple keys or secrets at a time.

    ListTagResources

    Queries all tags or specific tags of multiple keys or secrets at a time.

    Application management

    API

    Description

    CreateNetworkRule

    Creates an access control rule to configure the private IP addresses or CIDR blocks that are allowed to access a KMS instance.

    DeleteNetworkRule

    Deletes a network access rule.

    DescribeNetworkRule

    Queries the details of a network access rule.

    ListNetworkRules

    Queries a list of network access rules.

    UpdateNetworkRule

    Updates a network access rule.

    CreatePolicy

    Creates a permission policy to configure the keys and secrets that are accessible to an application.

    DeletePolicy

    Deletes a permission policy.

    DescribePolicy

    Queries the details of a permission policy.

    UpdatePolicy

    Updates a permission policy.

    ListPolicies

    Queries permission policies.

    CreateApplicationAccessPoint

    Creates an application access point (AAP).

    DeleteApplicationAccessPoint

    Deletes an AAP.

    DescribeApplicationAccessPoint

    Queries the details of an AAP.

    ListApplicationAccessPoints

    Queries a list of AAPs.

    UpdateApplicationAccessPoint

    Updates the information about an AAP.

    CreateClientKey

    Creates a client key.

    DeleteClientKey

    Deletes a client key.

    ListClientKeys

    Queries a list of client keys

    GetClientKey

    Queries the information about a client key.

    Business operations

    Important

    To perform cryptographic operations through the shared gateway, you must first enable public access.

    Cryptographic operations

    对 indicates it is supported, and × indicates it is not.

    API operation

    Description

    Shared gateway

    Dedicated gateway

    Encrypt

    Encrypts plaintext by using a symmetric key.

    对

    对

    GenerateDataKey

    Generates a random data key that is used to encrypt on-premises data.

    对

    对

    GenerateDataKeyWithoutPlaintext

    Generates a random data key, which can be used to encrypt on-premises data.

    对

    对

    ExportDataKey

    Encrypts a data key by using a specific public key, and exports the data key.

    对

    对

    GenerateAndExportDataKey

    Randomly generates a data key, and uses a KMS key and a public key to encrypt the data key. This operation returns the ciphertext of the data key encrypted using both the data key and the public key.

    对

    对

    Decrypt

    Decrypts ciphertext.

    对

    对

    ReEncrypt

    Re-encrypts ciphertext. When you call this operation, KMS uses a different key to re-encrypt the generated plaintext or data key, and then returns the new ciphertext.

    对

    ×

    AsymmetricSign

    Generates a signature by using an asymmetric key.

    对

    对

    AsymmetricVerify

    Verifies a signature by using an asymmetric key.

    对

    对

    AsymmetricDecrypt

    Decrypts data by using an asymmetric key.

    对

    对

    AsymmetricEncrypt

    Encrypts data by using an asymmetric key.

    对

    对

    GetPublicKey

    Retrieves the public key of an asymmetric key pair. You can use the public key to encrypt local data and verify signatures.

    对

    对

    Retrieving secret values

    对 indicates it is supported, and × indicates it is not.

    API operation

    Description

    Shared gateway

    Dedicated gateway

    GetSecretValue

    Retrieves a secret value.

    对

    对

    Endpoint

    Shared gateway endpoint (also known as KMS service endpoint)

    • Regions in China

      Region name

      Region ID

      Public endpoint

      VPC address

      China (Hangzhou)

      cn-hangzhou

      kms.cn-hangzhou.aliyuncs.com

      kms-vpc.cn-hangzhou.aliyuncs.com

      China (Shanghai)

      cn-shanghai

      kms.cn-shanghai.aliyuncs.com

      kms-vpc.cn-shanghai.aliyuncs.com

      China (Shenzhen)

      cn-shenzhen

      kms.cn-shenzhen.aliyuncs.com

      kms-vpc.cn-shenzhen.aliyuncs.com

      China (Heyuan)

      cn-heyuan

      kms.cn-heyuan.aliyuncs.com

      kms-vpc.cn-heyuan.aliyuncs.com

      China (Guangzhou)

      cn-guangzhou

      kms.cn-guangzhou.aliyuncs.com

      kms-vpc.cn-guangzhou.aliyuncs.com

      China (Qingdao)

      cn-qingdao

      kms.cn-qingdao.aliyuncs.com

      kms-vpc.cn-qingdao.aliyuncs.com

      China (Beijing)

      cn-beijing

      kms.cn-beijing.aliyuncs.com

      kms-vpc.cn-beijing.aliyuncs.com

      China (Zhangjiakou)

      cn-zhangjiakou

      kms.cn-zhangjiakou.aliyuncs.com

      kms-vpc.cn-zhangjiakou.aliyuncs.com

      China (Hohhot)

      cn-huhehaote

      kms.cn-huhehaote.aliyuncs.com

      kms-vpc.cn-huhehaote.aliyuncs.com

      China (Ulanqab)

      cn-wulanchabu

      kms.cn-wulanchabu.aliyuncs.com

      kms-vpc.cn-wulanchabu.aliyuncs.com

      China (Chengdu)

      cn-chengdu

      kms.cn-chengdu.aliyuncs.com

      kms-vpc.cn-chengdu.aliyuncs.com

      China (Hong Kong)

      cn-hongkong

      kms.cn-hongkong.aliyuncs.com

      kms-vpc.cn-hongkong.aliyuncs.com

    • Regions outside China

      Region name

      Region ID

      Public endpoint

      VPC address

      Singapore

      ap-southeast-1

      kms.ap-southeast-1.aliyuncs.com

      kms-vpc.ap-southeast-1.aliyuncs.com

      Malaysia (Kuala Lumpur)

      ap-southeast-3

      kms.ap-southeast-3.aliyuncs.com

      kms-vpc.ap-southeast-3.aliyuncs.com

      Indonesia (Jakarta)

      ap-southeast-5

      kms.ap-southeast-5.aliyuncs.com

      kms-vpc.ap-southeast-5.aliyuncs.com

      Philippines (Manila)

      Important

      In this region, only one zone exists and the service-level agreement (SLA) is not guaranteed.

      ap-southeast-6

      kms.ap-southeast-6.aliyuncs.com

      kms-vpc.ap-southeast-6.aliyuncs.com

      Thailand (Bangkok)

      Important

      In this region, only one zone exists and the SLA is not guaranteed.

      ap-southeast-7

      kms.ap-southeast-7.aliyuncs.com

      kms-vpc.ap-southeast-7.aliyuncs.com

      Japan (Tokyo)

      ap-northeast-1

      kms.ap-northeast-1.aliyuncs.com

      kms-vpc.ap-northeast-1.aliyuncs.com

      Germany (Frankfurt)

      eu-central-1

      kms.eu-central-1.aliyuncs.com

      kms-vpc.eu-central-1.aliyuncs.com

      UK (London)

      eu-west-1

      kms.eu-west-1.aliyuncs.com

      kms-vpc.eu-west-1.aliyuncs.com

      US (Silicon Valley)

      us-west-1

      kms.us-west-1.aliyuncs.com

      kms-vpc.us-west-1.aliyuncs.com

      US (Virginia)

      us-east-1

      kms.us-east-1.aliyuncs.com

      kms-vpc.us-east-1.aliyuncs.com

      UAE (Dubai)

      me-east-1

      kms.me-east-1.aliyuncs.com

      kms-vpc.me-east-1.aliyuncs.com

    Dedicated gateway endpoint (also known as KMS instance endpoint)

    <KMS_INSTANCE_ID>.cryptoservice.kms.aliyuncs.com

    Replace <KMS_INSTANCE_ID> with your actual KMS Instance ID.

    image

    Authentication method

    When accessing the OpenAPI through a shared gateway or dedicated gateway using Alibaba Cloud SDK, the authentication methods are the same. RAM-based identity authentication methods are supported, such as AccessKey (AK), STS Token, RamRoleArn, and ECS instance RAM roles. For more information, see Manage access credentials.

    AccessKey

    By default, an Alibaba Cloud account serves as an administrator with the authority to manage all associated Alibaba Cloud resources. The permissions tied to the Alibaba Cloud account cannot be altered. If an AccessKey pair associated with an Alibaba Cloud account is compromised, the resources of the account are at risk. For enhanced security, we do not advise creating an AccessKey pair for an Alibaba Cloud account. Instead, create a RAM user with API access mode enabled and generate an AccessKey pair for this user. By granting the RAM user only necessary permissions in accordance with the principle of least privilege, they can perform API operations to access Alibaba Cloud resources. For more information, see Create an AccessKey pair.

    1. Log on to the RAM console by using an Alibaba Cloud account, a RAM administrator with the AliyunRAMFullAccess policy attached, or a RAM user granted permissions to manage AccessKey pairs.

    2. In the left-side navigation pane, choose Identities > Users, and click on the desired RAM user.

    3. In the Authentication tab, click Create AccessKey and follow the instructions to complete the creation.

      image

    4. Grant the RAM user access to KMS. You have two methods to complete the grant.

      • Method 1: Through identity-based policies

        KMS provides system-defined permission policies that can be attached to RAM users. For more information, see System policies for KMS. You can also create custom policies.

      • Method 2: Through resource-based policies

        KMS supports resource-based policies, which allow you to set access permissions for keys and secrets. This lets you control which Alibaba Cloud accounts, RAM users, and RAM roles have permission to manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.

    STS token

    By using STS services, a temporary access credential can be issued to RAM users or RAM roles, allowing them to access KMS with permissions specified by the policy for a limited validity period. After the expiration period, the credential will automatically become invalid.

    1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

    2. Create a RAM user or create a RAM role.

    3. Grant AliyunSTSAssumeRoleAccess permission to a RAM user or Grant AliyunSTSAssumeRoleAccess permission to a RAM role.

      image

    4. Grant the RAM user access to KMS. You have two methods to complete the grant.

      • Method 1: Through identity-based policies

        KMS provides system-defined permission policies that can be attached to RAM users. For more information, see System policies for KMS. You can also create custom policies.

      • Method 2: Through resource-based policies

        KMS supports resource-based policies, which allow you to set access permissions for keys and secrets. This lets you control which Alibaba Cloud accounts, RAM users, and RAM roles have permission to manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.

    1. Use the RAM user or RAM role to call the AssumeRole interface of the STS service to obtain temporary access credentials.

    RamRoleArn

    RAM users or cloud services can obtain temporary permissions by assuming roles instead of directly using long-term access keys, thereby reducing the risk of key leakage. For instance, in temporary data processing tasks, RAM users or cloud services can temporarily assume a role with a specific RamRoleArn. RamRoleArn is the ARN information of the RAM role. Once the task is completed, the role's permissions are revoked, further mitigating the risk of exposure.

    1. Log on to the RAM console by using an Alibaba Cloud account or a RAM role who has administrative rights.

    2. Create a RAM role.

    3. Grant the RAM role access to KMS. You have two methods to complete the grant.

      • Method 1: Through identity-based policies

        KMS provides system-defined permission policies that can be attached to RAM users. For more information, see System policies for KMS. You can also create custom policies.

      • Method 2: Through resource-based policies

        KMS supports resource-based policies, which allow you to set access permissions for keys and secrets. This lets you control which Alibaba Cloud accounts and RAM roles have permission to manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.

    4. View the RamRoleArn about a RAM role.

      The RamRoleArn follows the format acs:ram::$accountID:role/$roleName, where $accountID is the Alibaba Cloud account and $roleName is the RAM role name.

      image

    ECS instance RAM roles

    An ECS instance RAM role is a regular service role that is attached to ECS instances, and the trusted entity of an instance RAM role is ECS. You can use an instance RAM role to obtain Security Token Service (STS) tokens as temporary access credentials from within an ECS instance without the need to provide an AccessKey pair. Then, you can use the temporary access credentials to call the OpenAPI operations of KMS. 

    1. Log on to the RAM console, and create an instance RAM role whose Principal Type is an Alibaba Cloud service.

      • Principal Type: Select Cloud Service.

      • Principal Name: Select Elastic Compute Service / ECS.

    2. Grant the RAM user access to KMS. You have two methods to complete the grant.

      • Method 1: Through identity-based policies

        KMS provides system-defined permission policies that can be attached to RAM users. For more information, see System policies for KMS. You can also create custom policies.

      • Method 2: Through resource-based policies

        KMS supports resource-based policies, which allow you to set access permissions for keys and secrets. This lets you control which Alibaba Cloud accounts, RAM users, and RAM roles have permission to manage or use KMS keys and secrets. For more information, see Key policies and Secret policies.

    3. Log on to the ECS console, and attach the instance RAM role to an ECS instance. image

    Supported programming languages

    The table below lists supported languages and their SDK download links and reference documentation.

    Supported programming language

    V2.0 SDK (recommended)

    V1.0 SDK (not recommended)

    Java

    Python

    C++

    PHP

    .NET (C#)

    Go

    TypeScript

    None

    Swift

    None