Reassign an existing alias to a different customer master key (CMK) without modifying application code that references the alias.
Prerequisites
Before you begin, make sure you have:
Two CMKs: the original CMK the alias currently points to, and the target CMK to bind it to
A custom RAM policy that grants kms:UpdateAlias on all three resources: the alias, the original CMK, and the new CMK
The following example grants RAM user 123456 permission to bind alias/example to CMK 127d2f84-ee5f-4f4d-9d41-dbc1aca2****. The alias currently points to CMK 08ec3bb9-034f-485b-b1cd-3459baa8****.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:UpdateAlias"
      ],
      "Resource": [
        "acs:kms:cn-hangzhou:123456:key/08ec3bb9-034f-485b-b1cd-3459baa8****",
        "acs:kms:cn-hangzhou:123456:key/127d2f84-ee5f-4f4d-9d41-dbc1aca2****",
        "acs:kms:cn-hangzhou:123456:alias/example"
      ]
    }
  ]
}

Rebind an alias
Use the API
Call the UpdateAlias operation to update the alias binding.
Use the Alibaba Cloud CLI
Run the following command to bind alias/example to a different CMK:
aliyun kms UpdateAlias --AliasName alias/example --KeyId 127d2f84-ee5f-4f4d-9d41-dbc1aca2****

| Parameter | Description |
|---|---|
| --AliasName | The alias to rebind. Example: alias/example |
| --KeyId | The ID of the target CMK. Example: 127d2f84-ee5f-4f4d-9d41-dbc1aca2**** |
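
Before running the command, the policy from the prerequisites can be checked offline to confirm that kms:UpdateAlias is granted on the alias, the original CMK, and the new CMK. The following is an added example, not code from the original page or from Alibaba Cloud; the function names are hypothetical, the sample policies are constructed, and it assumes `*` wildcard matching, explicit Deny taking precedence over Allow, and no Condition evaluation.

```python
import json
from fnmatch import fnmatchcase

ACTION = "kms:UpdateAlias"
# ARNs from the policy on this page; the masked "****" suffixes are kept verbatim.
ALIAS = "acs:kms:cn-hangzhou:123456:alias/example"
OLD_KEY = "acs:kms:cn-hangzhou:123456:key/08ec3bb9-034f-485b-b1cd-3459baa8****"
NEW_KEY = "acs:kms:cn-hangzhou:123456:key/127d2f84-ee5f-4f4d-9d41-dbc1aca2****"

def _as_list(value):
    # Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]

def _covers(stmt, arn):
    # "*" wildcards in Action and Resource are honoured; Condition blocks
    # are not evaluated (simplifying assumption of this example).
    return (any(fnmatchcase(ACTION, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", []))))

def missing_rebind_grants(policy, alias_arn, old_key_arn, new_key_arn):
    """Return the ARNs on which kms:UpdateAlias is not effectively allowed."""
    stmts = _as_list(policy.get("Statement", []))
    missing = []
    for arn in (alias_arn, old_key_arn, new_key_arn):
        allowed = any(s.get("Effect") == "Allow" and _covers(s, arn) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _covers(s, arn) for s in stmts)
        if denied or not allowed:  # an explicit Deny overrides any Allow
            missing.append(arn)
    return missing

def _policy(*statements):
    return {"Version": "1", "Statement": list(statements)}

def _stmt(effect, resources):
    return {"Effect": effect, "Action": [ACTION], "Resource": resources}

# Constructed sample policies.
COMPLETE = _policy(_stmt("Allow", [OLD_KEY, NEW_KEY, ALIAS]))  # as on this page
NO_OLD_KEY = _policy(_stmt("Allow", [NEW_KEY, ALIAS]))         # original CMK omitted
DENIED_ALIAS = _policy(_stmt("Allow", ["*"]), _stmt("Deny", [ALIAS]))

if __name__ == "__main__":
    for name, pol in [("complete", COMPLETE), ("no-old-key", NO_OLD_KEY),
                      ("denied-alias", DENIED_ALIAS)]:
        print(name, json.dumps(missing_rebind_grants(pol, ALIAS, OLD_KEY, NEW_KEY)))
```

An empty list means the policy covers all three resources; any ARN returned is one the policy still needs to allow.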