An alias is an optional, human-readable name for a customer master key (CMK). Use aliases to reference CMKs in your applications and policies without hardcoding key IDs.
Prerequisites
Before you begin, ensure that you have:
An existing CMK in Key Management Service (KMS)
The
kms:CreateAliaspermission on both the alias resource and the CMK (see Permissions below)
Alias naming rules
The alias must start with the
alias/prefix.The part after
alias/must be 1–255 characters and can contain letters, digits, underscores (_), hyphens (-), and forward slashes (/).Adding a new alias to a CMK does not affect its existing aliases.
Permissions
If you want to allow a Resource Access Management (RAM) user to create an alias, you must create a custom policy to grant the RAM user the required permissions.
The following policy grants RAM user 123456 permission to create the alias alias/example for CMK 08ec3bb9-034f-485b-b1cd-3459baa8**** in the cn-hangzhou region:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:CreateAlias"
],
"Resource": [
"acs:kms:cn-hangzhou:123456:key/08ec3bb9-034f-485b-b1cd-3459baa8****",
"acs:kms:cn-hangzhou:123456:alias/example"
]
}
]
}Create an alias in the KMS console
Log on to the KMS console.
In the top navigation bar, select the region where your CMK resides.
In the left-side navigation pane, click Keys.
Find the CMK and click Create Alias below the CMK ID in the Key column.
In the Create Alias dialog box, specify Alias Name.
Click OK.
To create additional aliases for the same CMK, click the CMK ID, then click Create Alias in the Aliases section.
Create an alias by calling an API operation
Call the CreateAlias operation to create an alias.
Create an alias using Alibaba Cloud CLI
Run the following command to create an alias:
aliyun kms CreateAlias \
--KeyId 08ec3bb9-034f-485b-b1cd-3459baa8**** \
--AliasName alias/example