All Products
Search

This Product

    Key Management Service:Overview

    Document Center

    Key Management Service:Overview

    Last Updated:Mar 31, 2026

    Hardcoding Customer Master Key (CMK) IDs in applications creates a maintenance burden: when you rotate keys, you must update every reference. Aliases give each CMK a stable, human-readable name so your application code references the alias — not the key ID — and key rotation requires no code changes.

    Aliases are optional for CMKs.

    Alias characteristics

    Aliases are independent resources

    An alias is not a property of a CMK. Deleting an alias does not delete the CMK it is bound to, and rebinding an alias to a different CMK (via UpdateAlias) does not affect the CMK.

    Each alias is bound to one CMK at a time

    An alias can be bound to only one CMK in a region. A CMK, however, can have multiple aliases.

    Aliases are unique within a region

    Aliases must be unique within a region for each Alibaba Cloud account. The same alias name can exist in different regions under the same account.

    Aliases cannot be renamed

    To change an alias name, delete the existing alias and create a new one.

    RAM users require explicit authorization

    RAM users must be granted permissions before performing any operations on an alias. For details, see Use RAM to control access to resources.

    Alias format

    An alias must start with the alias/ prefix:

    alias/<alias-name>

# Example
alias/example
    When calling KMS APIs, provide the full alias name including the alias/ prefix (for example, alias/example).

    Use aliases in API operations

    The following API operations accept an alias in place of a CMK ID in their request parameters:

    When you use an alias instead of a CMK ID, the RAM user needs permissions on the CMK, not on the alias.

    Related operations

    OperationDescription
    Create an aliasCreate an alias to simplify key management.
    Bind an alias to a different CMKRebind an existing alias to a different CMK.
    Query aliasesList all aliases in your Alibaba Cloud account for the current region.
    Query aliases bound to a specified CMKList the aliases bound to a specified CMK. Only the related aliases are returned.
    Delete an aliasDelete an alias without affecting the bound CMK.