Delete an alias - Key Management Service - Alibaba Cloud Documentation Center

Delete a KMS alias that is no longer in use. Deleting an alias does not affect the Customer Master Key (CMK) it was associated with.

Prerequisites

Before you begin, make sure you have:

A CMK with at least one alias to delete
The kms:DeleteAlias permission for both the CMK and the alias (for RAM users, see Grant RAM users permission to delete an alias)

Grant RAM users permission to delete an alias

To allow a RAM user to delete an alias, create a custom policy that grants the kms:DeleteAlias action on both the target CMK and the alias.

The following example policy grants user 123456 permission to delete the alias/example alias from CMK 127d2f84-ee5f-4f4d-9d41-dbc1aca2**** in the cn-hangzhou region:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DeleteAlias"
      ],
      "Resource": [
        "acs:kms:cn-hangzhou:123456:key/127d2f84-ee5f-4f4d-9d41-dbc1aca2****",
        "acs:kms:cn-hangzhou:123456:alias/example"
      ]
    }
  ]
}

Both resources — the key ARN and the alias ARN — must be included in the Resource field.

Delete an alias in the KMS console

Log on to the KMS console.
In the top navigation bar, select the region where your CMK resides.
In the left-side navigation pane, choose Resource > Keys.
Find the CMK whose alias you want to delete and click the CMK ID.
In the Aliases section, find the alias you want to delete and click Delete Alias.
In the Delete Alias dialog, click OK.

Delete an alias by calling an API operation

Call the DeleteAlias operation.

Delete an alias using Alibaba Cloud CLI

Run the following command:

aliyun kms DeleteAlias --AliasName alias/example

Replace alias/example with the name of the alias to delete.

Lifecycle behavior

Deleting an alias removes only the alias. The CMK remains unaffected and continues to function normally.