Key Management Service: List of operations by function

Last Updated: Oct 25, 2023

The following tables list the API operations available for use in Key Management Service (KMS).

Service management

| API operation | Description |
| --- | --- |
| DescribeRegions | Queries a list of available regions for the current Alibaba Cloud account. |
| OpenKmsService | Activates KMS for the current Alibaba Cloud account. |
| DescribeAccountKmsStatus | Queries the status of KMS for the current Alibaba Cloud account. |

Instance management

| API operation | Description |
| --- | --- |
| ConnectKmsInstance | Enables a KMS instance. |
| GetKmsInstance | Queries the details of a KMS instance. |
| ListKmsInstances | Queries a list of KMS instances. |
| UpdateKmsInstanceBindVpc | Updates the virtual private cloud (VPC) that is associated with a KMS instance. |

Key management

You can call API operations to manage keys and aliases. For example, you can create and delete keys and aliases.

| API operation | Description |
| --- | --- |
| CreateKey | Creates a key. You can use key material that is generated by KMS or import your own key material. Importing your own key material is known as Bring Your Own Key (BYOK). |
| GetParametersForImport | Queries the parameters that are used to import key material to a key. |
| ImportKeyMaterial | Imports key material to a key. |
| EnableKey | Changes the status of a key to Enabled. |
| DisableKey | Changes the status of a key to Disabled. |
| DescribeKey | Queries the information about a key. |
| ListKeys | Queries all keys within an Alibaba Cloud account in the current region. |
| UpdateKeyDescription | Updates the description of a key. |
| CreateAlias | Creates an alias and binds it to a key. |
| UpdateAlias | Updates the ID of a key that is bound to an alias. |
| DeleteAlias | Deletes an alias. |
| ListAliases | Queries all aliases within an Alibaba Cloud account in the current region. |
| ListAliasesByKeyId | Queries aliases that are bound to a key. |
| SetDeletionProtection | Enables or disables deletion protection. |
| ScheduleKeyDeletion | Schedules the deletion of a key. After you call this operation, the key enters the Pending Deletion state. The key is automatically deleted after the specified waiting period elapses. |
| CancelKeyDeletion | Cancels the scheduled deletion of a key. You can cancel the scheduled deletion of a key before the specified waiting period elapses. After the scheduled deletion is canceled, the key re-enters the Enabled state. |
| DeleteKeyMaterial | Deletes key material. Important: You can only delete external key material of the customer master key (CMK) that is used as a default key. |
| CreateKeyVersion | Creates a new version for a key. Symmetric keys in KMS instances of the software key management type support this operation. Note: Asymmetric keys outside KMS support this operation. |
| DescribeKeyVersion | Queries the information about a key version. |
| ListKeyVersions | Queries all versions of a key. |
| UpdateRotationPolicy | Updates the rotation policy of a key. If automatic rotation is enabled for a key, KMS automatically generates a key version for the key on a regular basis. |

Cryptographic operations

You can perform cryptographic operations on data. For example, you can use KMS keys to encrypt data, generate data keys, decrypt data, and calculate signatures.

Important

To use a key in a KMS instance to perform cryptographic operations, call KMS Instance API operations. For more information, see List of operations by function.

Secret management

  • Secret management

    You can call API operations to manage, protect, distribute, and rotate secrets.

    | API operation | Description |
    | --- | --- |
    | CreateSecret | Creates a secret and stores the secret value in the initial version. |
    | ListSecrets | Queries all secrets within an Alibaba Cloud account in the current region. |
    | DescribeSecret | Queries the metadata of a secret. |
    | UpdateSecret | Updates the metadata of a secret. |
    | PutSecretValue | Stores the secret value of a new version into a secret. Note: Only generic secrets support this operation. |
    | UpdateSecretVersionStage | Updates the stage label that marks a secret version. Note: Only generic secrets support this operation. |
    | DeleteSecret | Schedules deletion of a secret or deletes a secret. |
    | RestoreSecret | Restores a secret that is scheduled to be deleted. |
    | ListSecretVersionIds | Queries all versions of a secret. |
    | GetRandomPassword | Queries a random password string. |
    | RotateSecret | Manually rotates a secret. |
    | UpdateSecretRotationPolicy | Updates the rotation policy of a secret. |

  • Secret retrieval

    Queries a secret value.

    Important

    KMS Instance API also supports the GetSecretValue operation to query a secret. The operation that you call to query a secret depends on the SDK that you use. For more information about how to select an SDK, see SDK user guide.

Tag management

You can add multiple tags to a key or secret. Each tag consists of a tag key (TagKey) and a tag value (TagValue).

Note

TagResource, UntagResource, and ListResourceTags apply to a single resource. TagResources, UntagResources, and ListTagResources apply to multiple resources.

| API operation | Description |
| --- | --- |
| TagResource | Adds a tag to a key or a secret. |
| UntagResource | Removes a tag from a key or a secret. |
| ListResourceTags | Queries all tags of a key. |
| TagResources | Adds tags to multiple keys or secrets. |
| UntagResources | Removes tags from multiple keys or secrets at a time. |
| ListTagResources | Queries all tags or specific tags of multiple keys or secrets at a time. |

Application management

| API operation | Description |
| --- | --- |
| CreateNetworkRule | Creates a network access rule to configure the private IP addresses or CIDR blocks that are allowed to access a KMS instance. |
| DeleteNetworkRule | Deletes a network access rule. |
| DescribeNetworkRule | Queries the details of a network access rule. |
| ListNetworkRules | Queries a list of network access rules. |
| UpdateNetworkRule | Updates a network access rule. |
| CreatePolicy | Creates a permission policy to configure the keys and secrets that are allowed to be accessed. |
| DeletePolicy | Deletes a permission policy. |
| DescribePolicy | Queries the details of a permission policy. |
| UpdatePolicy | Updates a permission policy. |
| ListPolicies | Queries a list of permission policies. |
| CreateApplicationAccessPoint | Creates an application access point (AAP). |
| DeleteApplicationAccessPoint | Deletes an AAP. |
| DescribeApplicationAccessPoint | Queries the details of an AAP. |
| ListApplicationAccessPoints | Queries a list of AAPs. |
| UpdateApplicationAccessPoint | Updates the information about an AAP. |
| CreateClientKey | Creates a client key. |
| DeleteClientKey | Deletes a client key. |
| ListClientKeys | Queries a list of client keys. |
| GetClientKey | Queries the information about a client key. |