Limits - Key Management Service - Alibaba Cloud Documentation Center

This topic describes the limits of Key Management Service (KMS).

KMS is a region-specific service. The limits of KMS vary based on regions. For more information about the regions supported by KMS, see the "Endpoints" section of the Request method topic.

Resource quotas

KMS defines resource quotas to provide fast and elastic capabilities. Some resource quotas apply to the resources that you create, but do not apply to the resources that are created by Alibaba Cloud. If the resources that you use do not belong to your Alibaba Cloud account, the resources are not counted in your resource quotas.

If the quota of a resource is exhausted, the system reports the error Rejected.LimitExceeded for new requests to create this type of resource.

The following table describes the KMS resource quotas for each Alibaba Cloud account in a region.


Resource type	Default quota	Description
Customer master key (CMK)	200	The maximum number of CMKs that you can create in a region
Alias	300	The maximum number of aliases that you can create in a region
CMK version	10000	The maximum number of versions for all CMKs that you can create in a region

Request quotas

KMS defines quotas for the number of API operations that you can call per second. When a request quota is exceeded, KMS blocks valid requests and returns an error similar to the following code. This type of error can be fixed by retries. You can configure the request backoff and retry policies for your application. For more information, see Use the exponential backoff method to retry requests.

{
  "HttpStatus": 429,
  "Code": "Rejected.Throttling",
  "Message": "QPS Limit Exceeded",
  "RequestId": "e85db688-a2d3-44ca-9790-4259etas154f"
}

The following table describes the KMS request quotas for each Alibaba Cloud account in a region.

Table 1. Default request quotas for CMKs per second
CMK specification	Create operation	Cryptographic operation	Read-only operation	Write operation
`Aliyun_AES_256` `Aliyun_SM4`	10	750	20	10
`RSA_2048` `RSA_3072`	10	200	20	10
`EC_P256` `EC_P256K` `EC_SM2`	10	200	20	10

The default request quotas for CMKs are grouped by operation. All operations in a group share the request quota for the group. The following groups are defined:

Create operation group: includes only the CreateKey operation. For more information, see CreateKey.
Cryptographic operation group: includes the cryptographic operations for a specific CMK. For more information, see Key service operations.
Read-only operation group: includes the operations that are related to CMKs, aliases, and CMK tags but do not change the metadata, properties, or status of resources.
Write operation group: includes the operations that are related to CMKs, aliases, and CMK tags and change the metadata, properties, or status of resources.