Key Management Service (KMS) enforces a quota on queries per second (QPS). Requests that exceed the quota are throttled.
KMS supports two access paths: a shared gateway and a dedicated gateway. The shared gateway has a fixed QPS quota per Alibaba Cloud account that cannot be increased. The dedicated gateway has no fixed upper limit—it processes requests on a best-effort basis up to the maximum capacity of the instance, and you can raise throughput by upgrading the instance's computing performance.
For SDK integration details, see SDK reference. For a comparison of the two gateway types, see Differences between shared gateways and dedicated gateways.
Shared gateway
The following quotas apply per Alibaba Cloud account in a single region. They are fixed and cannot be increased. All callers in the account share each quota, so one application that bursts can cause throttling for every other client in the same region; keep a margin below the published value and retry throttled requests with backoff. To handle higher throughput, use a dedicated gateway instead.
| Operation type | API | Quota (QPS unless noted) |
|---|---|---|
| Service activation | Operations to activate KMS and query its status. The following APIs share this quota: OpenKmsService, DescribeAccountKmsStatus | 1 |
| Instance management (write) | Operations to connect a KMS instance or update its bound VPC. The following APIs share this quota: ConnectKmsInstance, UpdateKmsInstanceBindVpc, ReleaseKmsInstance | 10 |
| Instance management (read) | Operations to query KMS instance information. The following APIs share this quota: GetKmsInstance, ListKmsInstances, GetDefaultKmsInstance, GetKmsInstanceQuotaInfos | 50 |
| Key management (read) | Operations to query metadata, properties, or status of customer master keys (CMKs), aliases, and tags. The following APIs share this quota: GetParametersForImport, DescribeKey, ListKeys, DescribeKeyVersion, ListKeyVersions, GetPublicKey, ListAliases, ListAliasesByKeyId, ListTagResources, DescribeRegions | 50 |
| Key tag query | ListResourceTags | 300 |
| CMK creation | CreateKey | 10 |
| Key management (write) | Operations to create aliases or modify CMKs, aliases, and tags. The following APIs share this quota: ImportKeyMaterial, EnableKey, DisableKey, SetDeletionProtection, ScheduleKeyDeletion, CancelKeyDeletion, DeleteKeyMaterial, UpdateKeyDescription, UpdateRotationPolicy, CreateAlias, UpdateAlias, DeleteAlias, TagResources, UntagResources | 30 |
| Symmetric cryptographic operations | Operations using a symmetric key to encrypt data, decrypt data, or generate data keys. The following APIs share this quota: Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, GenerateAndExportDataKey, ExportDataKey, ReEncrypt | 1,000 |
| Asymmetric cryptographic operations | Operations using an asymmetric key for encryption, decryption, signing, and signature verification. The following APIs share this quota: AsymmetricSign, AsymmetricVerify, AsymmetricDecrypt, AsymmetricEncrypt | 200 |
| Secret create/delete | Operations to create or delete secrets. The following APIs share this quota: CreateSecret, DeleteSecret | 10 |
| Secret query/retrieve | Operations to query secret information or retrieve a secret value. The following APIs share this quota: DescribeSecret, GetSecretValue | 450 |
| Secret operations (low-frequency) | Operations to list secrets, manage secret versions, and update rotation policies. The following APIs share this quota: ListSecrets, ListSecretVersionIds, PutSecretValue, UpdateSecret, UpdateSecretVersionStage, GetRandomPassword, UpdateSecretRotationPolicy, RestoreSecret | 40 |
| Secret rotation | RotateSecret | 50 per hour |
| Resource policies (write) | Operations to set a resource policy for a CMK or secret. The following APIs share this quota: SetKeyPolicy, SetSecretPolicy | 10 |
| Resource policies (read) | Operations to get the resource policy for a CMK or secret. The following APIs share this quota: GetKeyPolicy, GetSecretPolicy | 50 |
| Application access point (AAP) read | Operations to retrieve information about AAPs, including network rules, access policies, and client keys. The following APIs share this quota: DescribeNetworkRule, ListNetworkRules, DescribePolicy, ListPolicies, DescribeApplicationAccessPoint, ListApplicationAccessPoints, ListClientKeys, GetClientKey | 50 |
| Application access point (AAP) write | Operations to create, delete, or update AAPs and related resources. The following APIs share this quota: CreateNetworkRule, DeleteNetworkRule, UpdateNetworkRule, CreatePolicy, DeletePolicy, UpdatePolicy, CreateApplicationAccessPoint, DeleteApplicationAccessPoint, UpdateApplicationAccessPoint, CreateClientKey, DeleteClientKey | 10 |
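As an added illustration (not part of the Alibaba Cloud documentation or SDK), the following Python wrapper applies the shared-gateway groupings above on the client side: one token bucket per quota group, run at 80% of the published QPS so other clients in the account keep some headroom, plus jittered exponential backoff for the throttling responses the local limiter cannot prevent. The `call` argument, the `ThrottledError` class and the `fake_kms` stand-in are assumptions; with the real SDK you would map its throttling error code (see the SDK reference) onto `ThrottledError`.

```python
import random
import threading
import time

# Shared-gateway quota groups from the table above (QPS per Alibaba Cloud
# account per region). Only the data-plane groups a typical client hits.
QUOTA_GROUPS = {"symmetric": 1000, "asymmetric": 200, "secret_read": 450}

# API name -> quota group. APIs in one group draw down the same bucket, so a
# burst of Decrypt calls also starves GenerateDataKey.
API_GROUP = {
    "Encrypt": "symmetric", "Decrypt": "symmetric", "ReEncrypt": "symmetric",
    "GenerateDataKey": "symmetric", "GenerateDataKeyWithoutPlaintext": "symmetric",
    "AsymmetricSign": "asymmetric", "AsymmetricVerify": "asymmetric",
    "AsymmetricEncrypt": "asymmetric", "AsymmetricDecrypt": "asymmetric",
    "GetSecretValue": "secret_read", "DescribeSecret": "secret_read",
}


class ThrottledError(Exception):
    """Stand-in for the SDK's throttling error (assumption: the real SDK raises
    its own exception type carrying a throttling error code)."""


class TokenBucket:
    """Refills `rate` tokens per second up to `capacity`; thread-safe."""

    def __init__(self, rate, capacity=None, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(capacity if capacity is not None else rate)
        self.tokens = self.capacity
        self.clock = clock
        self.last = clock()
        self.lock = threading.Lock()

    def try_acquire(self, n=1):
        with self.lock:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= n:
                self.tokens -= n
                return True
            return False


class QuotaAwareClient:
    """Wraps a KMS call with a per-group client-side limiter plus jittered
    exponential backoff for throttling the limiter cannot prevent (other
    callers in the same account share the quota)."""

    def __init__(self, call, groups=QUOTA_GROUPS, api_group=API_GROUP,
                 headroom=0.8, max_retries=5,
                 clock=time.monotonic, sleep=time.sleep, rng=random.random):
        self.call = call          # callable(api_name, **params) -> response
        self.api_group = api_group
        self.max_retries = max_retries
        self.sleep = sleep
        self.rng = rng
        # Run at `headroom` of the published quota to leave room for others.
        self.buckets = {g: TokenBucket(qps * headroom, clock=clock)
                        for g, qps in groups.items()}

    def invoke(self, api, **params):
        bucket = self.buckets.get(self.api_group.get(api))  # None: unmetered API
        attempt = 0
        while True:
            if bucket is not None:
                while not bucket.try_acquire():
                    self.sleep(1.0 / bucket.rate)  # wait for roughly one token
            try:
                return self.call(api, **params)
            except ThrottledError:
                attempt += 1
                if attempt > self.max_retries:
                    raise
                # Full-jitter exponential backoff, capped at 2 s.
                self.sleep(min(2.0, 0.05 * 2 ** attempt) * (0.5 + 0.5 * self.rng()))


if __name__ == "__main__":
    # Constructed stand-in for KMS: throttles the first two requests, then succeeds.
    state = {"n": 0}

    def fake_kms(api, **params):
        state["n"] += 1
        if state["n"] <= 2:
            raise ThrottledError("Throttling")
        return {"RequestId": "constructed", "Api": api}

    client = QuotaAwareClient(fake_kms)
    print(client.invoke("Decrypt", CiphertextBlob="constructed-ciphertext"))
```

The local bucket smooths your own traffic to the group's share; the retry loop is still needed because the quota is account-wide and another process can consume it. Inject `clock` and `sleep` to test the behaviour without waiting.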
Dedicated gateway
A dedicated gateway has no fixed upper limit for API requests. It processes requests on a best-effort basis using the maximum computing and storage resources of the instance. Select an appropriate computing performance plan when purchasing a KMS instance. To purchase a software key management instance with a computing performance of 10,000 QPS or 20,000 QPS, contact your account manager.
Test conditions
The reference QPS values in the following tables are based on these test conditions:
Symmetric algorithms: A CMK with the Aliyun_AES_256 key specification encrypts or decrypts 32-byte data in GCM mode.
Asymmetric algorithms: A CMK with the RSA_2048 key specification generates a signature for 32-byte data.
Secret value retrieval: The secret value is 32 bytes.
Hardware key management instances: The KMS instance must be connected to a hardware security module (HSM) cluster that contains at least two HSMs.
QPS for software key management instances
The following table lists reference QPS values for software key management instances.
| Operation type | API | Instance API | 1,000 QPS | 2,000 QPS | 4,000 QPS | 10,000 QPS | 20,000 QPS |
|---|---|---|---|---|---|---|---|
| Symmetric algorithms | Operations using a symmetric key to encrypt data, decrypt data, or generate data keys. APIs: Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext | Operations using a symmetric key to encrypt data, decrypt data, or generate data keys. APIs: AdvanceEncrypt, AdvanceDecrypt, AdvanceGenerateDataKey, Encrypt, Decrypt, GenerateDataKey | 1,000 | 2,000 | 4,000 | 10,000 | 20,000 |
| Asymmetric algorithms | Operations using an asymmetric key for encryption, decryption, signing, and signature verification. APIs: AsymmetricEncrypt, AsymmetricDecrypt, AsymmetricSign, AsymmetricVerify | Operations using an asymmetric key for encryption, decryption, signing, and signature verification. APIs: Encrypt, Decrypt, Sign, Verify | 200 | 300 | 500 | 1,300 | 2,500 |
| Get public key | GetPublicKey | GetPublicKey | 1,000 | 2,000 | 4,000 | 10,000 | 20,000 |
| Get secret value | GetSecretValue | GetSecretValue | 500 | 1,000 | 2,000 | 4,000 | 4,000 |
| Generate random numbers | N/A | GenerateRandom | 1,000 | 2,000 | 4,000 | 10,000 | 20,000 |
| Generate data key pairs | N/A | Operations to generate a data key pair. APIs: GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, AdvanceGenerateDataKeyPair, AdvanceGenerateDataKeyPairWithoutPlaintext | 1 | 1 | 1 | 1 | 1 |
QPS for hardware key management instances
The following table lists reference QPS values for hardware key management instances.
| Operation type | API | Instance API | 2,000 QPS | 4,000 QPS | 6,000 QPS | 8,000 QPS |
|---|---|---|---|---|---|---|
| Symmetric algorithms | Operations using a symmetric key to encrypt data, decrypt data, or generate data keys. APIs: Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext | Operations using a symmetric key to encrypt data, decrypt data, or generate data keys. APIs: AdvanceEncrypt, AdvanceDecrypt, AdvanceGenerateDataKey, Encrypt, Decrypt, GenerateDataKey | 2,000 | 4,000 | 6,000 | 8,000 |
| Asymmetric algorithms | Operations using an asymmetric key for encryption, decryption, signing, and signature verification. APIs: AsymmetricEncrypt, AsymmetricDecrypt, AsymmetricSign, AsymmetricVerify | Operations using an asymmetric key for encryption, decryption, signing, and signature verification. APIs: Encrypt, Decrypt, Sign, Verify | 300 | 500 | 700 | 900 |
| Get public key | GetPublicKey | GetPublicKey | 2,000 | 4,000 | 6,000 | 8,000 |
| Get secret value | GetSecretValue | GetSecretValue | 1,000 | 2,000 | 3,000 | 4,000 |
| Generate random numbers | N/A | GenerateRandom | 2,000 | 4,000 | 6,000 | 8,000 |
| Generate data key pairs | N/A | Operations to generate a data key pair. APIs: GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, AdvanceGenerateDataKeyPair, AdvanceGenerateDataKeyPairWithoutPlaintext | 1 | 1 | 1 | 1 |