Key Management Service (KMS) supports multiple integration methods: Alibaba Cloud SDK for programmatic access, OpenAPI Explorer for browser-based debugging, Alibaba Cloud CLI for scripting, Terraform for infrastructure as code, and custom API encapsulation for native HTTP calls. Use the SDK for most application integrations—it handles request signing, retries, and response parsing automatically.
Integration methods
| Method | Supported | Best for |
|---|---|---|
| Alibaba Cloud SDK | Yes (recommended) | Application integration in Java, Python, Go, and other languages |
| OpenAPI Explorer | Yes | Exploring the API and testing calls in a browser |
| Alibaba Cloud CLI | Yes | Shell scripting and ad hoc management tasks |
| Terraform | Partial | Infrastructure as code and resource provisioning |
| Custom API encapsulation | Yes | Native HTTP integrations with full control over request construction |
| Resource Orchestration Service (ROS) | No | — |
Alibaba Cloud SDK
The SDK is the recommended integration path. It handles data signing, timeouts, and retries, and returns structured response objects.
SDKs are available in Java, C#, Go, Python, Node.js, TypeScript, PHP, and C++. For the list of supported languages, dependency installation instructions, and per-language code examples, see KMS SDK and Alibaba Cloud SDK.
Alibaba Cloud CLI
Run aliyun commands to call KMS API operations from the shell. See What is Alibaba Cloud CLI? and the CLI user guide.
Terraform
Terraform provisions and manages KMS resources by interpreting templates. See Use Terraform to manage KMS resources for supported resources and examples.
Custom API encapsulation
To make native HTTP calls, construct requests manually and sign them using the V3 signature method. See List of operations by function and Request syntax and signature method V3.
OpenAPI Explorer
OpenAPI Explorer lets you browse KMS API operations, read documentation, run live calls, generate SDK sample code, diagnose errors, perform intelligent search, and view call statistics—all from the browser.
API version
KMS uses a single API version: 2016-01-20. This is a version identifier, not a date.
| Version | Status |
|---|---|
| 2016-01-20 | Current (recommended) |
Online debugging
The API debugging page is at https://next.api.alibabacloud.com/api/Kms/2016-01-20.
Before calling an operation, review the version, endpoint, and required parameters for that operation.
Endpoints
Select the endpoint in the same region as the resource you want to access. Each region has a public endpoint (accessible globally) and a virtual private cloud (VPC) endpoint (accessible only from within a VPC in that region).
VPC endpoints offer lower latency, higher throughput, no exposure to the public internet, and lower cost compared to public endpoints.
Regions in China
| Region | Region ID | Public endpoint | VPC endpoint |
|---|---|---|---|
| China (Hangzhou) | cn-hangzhou | kms.cn-hangzhou.aliyuncs.com | kms-vpc.cn-hangzhou.aliyuncs.com |
| China (Shanghai) | cn-shanghai | kms.cn-shanghai.aliyuncs.com | kms-vpc.cn-shanghai.aliyuncs.com |
| China (Shenzhen) | cn-shenzhen | kms.cn-shenzhen.aliyuncs.com | kms-vpc.cn-shenzhen.aliyuncs.com |
| China (Heyuan) | cn-heyuan | kms.cn-heyuan.aliyuncs.com | kms-vpc.cn-heyuan.aliyuncs.com |
| China (Guangzhou) | cn-guangzhou | kms.cn-guangzhou.aliyuncs.com | kms-vpc.cn-guangzhou.aliyuncs.com |
| China (Qingdao) | cn-qingdao | kms.cn-qingdao.aliyuncs.com | kms-vpc.cn-qingdao.aliyuncs.com |
| China (Beijing) | cn-beijing | kms.cn-beijing.aliyuncs.com | kms-vpc.cn-beijing.aliyuncs.com |
| China (Zhangjiakou) | cn-zhangjiakou | kms.cn-zhangjiakou.aliyuncs.com | kms-vpc.cn-zhangjiakou.aliyuncs.com |
| China (Hohhot) | cn-huhehaote | kms.cn-huhehaote.aliyuncs.com | kms-vpc.cn-huhehaote.aliyuncs.com |
| China (Ulanqab) | cn-wulanchabu | kms.cn-wulanchabu.aliyuncs.com | kms-vpc.cn-wulanchabu.aliyuncs.com |
| China (Chengdu) | cn-chengdu | kms.cn-chengdu.aliyuncs.com | kms-vpc.cn-chengdu.aliyuncs.com |
| China (Hong Kong) | cn-hongkong | kms.cn-hongkong.aliyuncs.com | kms-vpc.cn-hongkong.aliyuncs.com |
Regions outside China
| Region | Region ID | Public endpoint | VPC endpoint |
|---|---|---|---|
| Singapore | ap-southeast-1 | kms.ap-southeast-1.aliyuncs.com | kms-vpc.ap-southeast-1.aliyuncs.com |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | kms.ap-southeast-3.aliyuncs.com | kms-vpc.ap-southeast-3.aliyuncs.com |
| Indonesia (Jakarta) | ap-southeast-5 | kms.ap-southeast-5.aliyuncs.com | kms-vpc.ap-southeast-5.aliyuncs.com |
| Philippines (Manila) | ap-southeast-6 | kms.ap-southeast-6.aliyuncs.com | kms-vpc.ap-southeast-6.aliyuncs.com |
| Thailand (Bangkok) | ap-southeast-7 | kms.ap-southeast-7.aliyuncs.com | kms-vpc.ap-southeast-7.aliyuncs.com |
| Japan (Tokyo) | ap-northeast-1 | kms.ap-northeast-1.aliyuncs.com | kms-vpc.ap-northeast-1.aliyuncs.com |
| Germany (Frankfurt) | eu-central-1 | kms.eu-central-1.aliyuncs.com | kms-vpc.eu-central-1.aliyuncs.com |
| UK (London) | eu-west-1 | kms.eu-west-1.aliyuncs.com | kms-vpc.eu-west-1.aliyuncs.com |
| US (Silicon Valley) | us-west-1 | kms.us-west-1.aliyuncs.com | kms-vpc.us-west-1.aliyuncs.com |
| US (Virginia) | us-east-1 | kms.us-east-1.aliyuncs.com | kms-vpc.us-east-1.aliyuncs.com |
| UAE (Dubai) | me-east-1 | kms.me-east-1.aliyuncs.com | kms-vpc.me-east-1.aliyuncs.com |
Philippines (Manila) and Thailand (Bangkok) have only one zone and do not guarantee a service level agreement (SLA).
Authentication
After logging in to OpenAPI Explorer, calls run under your Alibaba Cloud account by default. An Alibaba Cloud account has unrestricted access to all API operations, which creates security risk. Use a Resource Access Management (RAM) user or RAM role with only the permissions your application needs.
| Identity | Supported |
|---|---|
| Alibaba Cloud account | Yes |
| RAM user (recommended) | Yes |
| RAM role (recommended) | Yes |
For permission setup, see Use RAM to implement access control.
For details on credentials and authorization, see Identity, credential, and authorization and Throttling and quota management.
Usage notes
Rate limits
The queries per second (QPS) limit varies by operation. Check the QPS limit in the API reference for each operation.
All RAM users under the same Alibaba Cloud account share that account's QPS quota.
Error handling
If a call returns an error, check the error code against the input parameters and values you sent. See Common error codes.
For self-service diagnostics using a request ID or SDK error message, use Alibaba Cloud OpenAPI Diagnostics.