Key Management Service (KMS) applies a separate queries per second (QPS) quota to each group of API operations. When a QPS quota is exhausted, further calls to the affected API operations are restricted. This topic describes the QPS quotas supported by KMS.
Overview
You can integrate SDKs for KMS to access KMS over shared or dedicated gateways. You can use shared gateways to call KMS API, and dedicated gateways to call KMS API and KMS Instance API. For more information, see SDK references. For more information about differences between shared and dedicated gateways, see Differences between shared and dedicated gateways for accessing KMS.
For shared gateways, QPS quotas are imposed based on each Alibaba Cloud account and cannot be increased. For dedicated gateways, QPS quotas are imposed based on each KMS instance and can be increased by upgrading the computing performance of a KMS instance.
Shared gateway
The following table describes the QPS quotas for each Alibaba Cloud account in a region.
Operation type | Operation of KMS API | QPS quota |
Key management operations | The operations that query the metadata, properties, or status of resources such as keys, aliases, and tags. All API operations in the following list consume the quota: | 50 QPS |
Key management operations | The operation that queries the tags of a key. | 300 QPS |
Key management operations | The operation that creates a key. | 10 QPS |
Key management operations | The operations that create aliases and modify keys, aliases, and tags. All API operations in the following list consume the quota: | 30 QPS |
Cryptographic operations | The operations that generate data keys, encrypt data, and decrypt data by using symmetric keys. All API operations in the following list consume the quota: | 1,000 QPS |
Cryptographic operations | The operations that encrypt data, decrypt data, sign data, and verify signatures by using asymmetric keys. All API operations in the following list consume the quota: | 200 QPS |
Secrets-related operations | The operations that create or delete a secret. All API operations in the following list consume the quota: | 10 QPS |
Secrets-related operations | The operations that query the information about a secret and retrieve a secret value. All API operations in the following list consume the quota: | 450 QPS |
Secrets-related operations | The operations that query a list of secrets and the metadata of secrets. All the API operations in the following list are low-frequency operations and consume the quota. | 40 QPS |
Secrets-related operations | The operation that rotates a secret. | 50 queries per hour |
Other supported operations | The operations that activate KMS and query the status of KMS. All API operations in the following list consume the quota: | 1 QPS |
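Because shared-gateway quotas are imposed per account and cannot be increased, a client can pace its own calls so that encryption and secret retrieval are not restricted at runtime. The following is an added example, not Alibaba Cloud code: a sliding-window limiter loaded with the quotas from the table above. The operation-class labels and the `headroom` factor are assumptions made for this example, and the sliding window is a conservative stand-in because the page does not state how KMS measures a second.

```python
import time
from collections import deque

# Shared-gateway quotas from the table above: (requests, window in seconds).
# The dictionary keys are labels chosen for this example, not KMS API names.
SHARED_GATEWAY_QUOTAS = {
    "key_metadata_query": (50, 1),
    "key_tag_query": (300, 1),
    "key_create": (10, 1),
    "key_alias_tag_modify": (30, 1),
    "symmetric_crypto": (1000, 1),
    "asymmetric_crypto": (200, 1),
    "secret_create_delete": (10, 1),
    "secret_get_value": (450, 1),
    "secret_list_metadata": (40, 1),
    "secret_rotate": (50, 3600),  # 50 queries per hour
    "service_status": (1, 1),
}


class QuotaLimiter:
    """Allow at most `limit` calls in any `window` seconds per operation class."""

    def __init__(self, quotas=SHARED_GATEWAY_QUOTAS, headroom=0.8, clock=time.monotonic):
        # The quota is shared by every client in the account, so each client
        # takes only a fraction of it (headroom is an assumption, tune it).
        self._limits = {k: (max(1, int(n * headroom)), w) for k, (n, w) in quotas.items()}
        self._sent = {k: deque() for k in quotas}
        self._clock = clock

    def wait_time(self, op_class):
        """Seconds until a call of this class is allowed (0.0 means send now)."""
        limit, window = self._limits[op_class]
        sent, now = self._sent[op_class], self._clock()
        while sent and now - sent[0] >= window:
            sent.popleft()  # forget calls that have left the window
        if len(sent) < limit:
            return 0.0
        return window - (now - sent[0])

    def try_acquire(self, op_class):
        """Record a call and return True if it fits the quota, else return False."""
        if self.wait_time(op_class) > 0:
            return False
        self._sent[op_class].append(self._clock())
        return True
```

Call `try_acquire` with the matching class before each KMS request and sleep for `wait_time` when it returns `False`; data keys or secret values cached by the application reduce how often the limiter is reached at all.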
Dedicated gateway
If you use dedicated gateways to access KMS, KMS does not limit the number of API requests. KMS processes API requests in best effort mode. The maximum available computing and storage resources are used during processing. When you purchase a KMS instance, you can select an appropriate computing performance plan based on your business requirements.
Test scenario
The performance quota for symmetric algorithms is calculated when an Aliyun_AES_256 key is used to encrypt or decrypt 32-byte data in GCM mode.
The performance quota for asymmetric algorithms is calculated when an RSA_2048 key is used to sign 32-byte data.
The performance quota for retrieving secret values is calculated when KMS retrieves 32-byte secret values.
For a KMS instance of the hardware key management type, the instance is connected to a hardware security module (HSM) cluster that contains two or more HSMs, so that the performance quotas of the KMS instance can be tested.
QPS quotas for KMS instances of the software key management type
The following table describes the performance quotas of KMS instances of the software key management type in different scenarios.
If you want to purchase a KMS instance of the software key management type with a computing performance of 10,000 or 20,000, submit a ticket.
Operation type | Operation of KMS API | Operation of KMS Instance API | Computing performance plan (1,000 QPS) | Computing performance plan (2,000 QPS) | Computing performance plan (4,000 QPS) | Computing performance plan (10,000 QPS) | Computing performance plan (20,000 QPS) |
Operations by using symmetric algorithms | The operations that encrypt data, decrypt data, and generate data keys by using symmetric algorithms. All API operations in the following list consume the quota: | The operations that encrypt data, decrypt data, and generate data keys by using symmetric algorithms. All API operations in the following list consume the quota: | 1,000 | 2,000 | 4,000 | 10,000 | 20,000 |
Operations by using asymmetric algorithms | The operations that encrypt data, decrypt data, and generate data keys by using asymmetric algorithms. All API operations in the following list consume the quota: | The operations that encrypt data, decrypt data, and generate data keys by using asymmetric algorithms. All API operations in the following list consume the quota: | 200 | 300 | 500 | 1,300 | 2,500 |
Operations to obtain a public key | The operation that queries the public key of an asymmetric key. | The operation that queries the public key of an asymmetric key. | 1,000 | 2,000 | 4,000 | 10,000 | 20,000 |
Operations to use secrets | The operation that retrieves values of secrets. | The operation that retrieves values of secrets. | 500 | 1,000 | 2,000 | 4,000 | 4,000 |
Operations to generate random numbers | N/A | The operation that generates a random number. | 1,000 | 2,000 | 4,000 | 10,000 | 20,000 |
Operations to generate data key pairs | N/A | The operations that generate data key pairs. All API operations in the following list consume the quota: | 1 | 1 | 1 | 1 | 1 |
QPS quotas for KMS instances of the hardware key management type
The following table describes the QPS quotas of KMS instances of the hardware key management type in different scenarios.
Operation type | Operation of KMS API | Operation of KMS Instance API | Computing performance plan (2,000 QPS) | Computing performance plan (4,000 QPS) | Computing performance plan (6,000 QPS) | Computing performance plan (8,000 QPS) |
Operations by using symmetric algorithms | The operations that encrypt data, decrypt data, and generate data keys by using symmetric algorithms. All API operations in the following list consume the quota: | The operations that encrypt data, decrypt data, and generate data keys by using symmetric algorithms. All API operations in the following list consume the quota: | 2,000 | 4,000 | 6,000 | 8,000 |
Operations by using asymmetric algorithms | The operations that encrypt data, decrypt data, and generate data keys by using asymmetric algorithms. All API operations in the following list consume the quota: | The operations that encrypt data, decrypt data, and generate data keys by using asymmetric algorithms. All API operations in the following list consume the quota: | 300 | 500 | 700 | 900 |
Operations to obtain a public key | The operation that queries the public key of an asymmetric key. | The operation that queries the public key of an asymmetric key. | 2,000 | 4,000 | 6,000 | 8,000 |
Operations to use secrets | The operation that retrieves values of secrets. | The operation that retrieves values of secrets. | 1,000 | 2,000 | 3,000 | 4,000 |
Operations to generate random numbers | N/A | The operation that generates a random number. | 2,000 | 4,000 | 6,000 | 8,000 |
Operations to generate data key pairs | N/A | The operations that generate data key pairs. All API operations in the following list consume the quota: | 1 | 1 | 1 | 1 |