The following tables list the API operations available for use in Key Management Service (KMS).
Service management
API operation | Description |
Queries a list of available regions for the current Alibaba Cloud account. | |
Activates KMS for the current Alibaba Cloud account. | |
Queries the status of KMS for the current Alibaba Cloud account. |
Instance management
API operation | Description |
Enables a KMS instance. | |
Queries the details of a KMS instance. | |
Queries a list of KMS instances. | |
Updates the virtual private cloud (VPC) that is associated with a KMS instance. |
Key management
You can call API operations to manage keys and aliases. For example, you can create and delete keys and aliases.
API operation | Description |
Creates a key. You can use key material that is generated by KMS or import your own key material. Importing your own key material is known as Bring Your Own Key (BYOK). | |
Queries the parameters that are used to import key material to a key. | |
Imports key material to a key. | |
Changes the status of a key to Enabled. | |
Changes the status of a key to Disabled. | |
Queries the information about a key. | |
Queries all keys within an Alibaba Cloud account in the current region. | |
Updates the description of a key. | |
Creates an alias and binds it to a key. | |
Updates the ID of a key that is bound to an alias. | |
Deletes an alias. | |
Queries all aliases within an Alibaba Cloud account in the current region. | |
Queries aliases that are bound to a key. | |
Enables or disables deletion protection. | |
Schedules the deletion of a key. After you call this operation, the key enters the Pending Deletion state. The key is automatically deleted after the specified waiting period elapses. | |
Cancels the scheduled deletion of a key. You can cancel the scheduled deletion of a key before the specified waiting period elapses. After the scheduled deletion is canceled, the key re-enters the Enabled state. | |
Deletes key material. Important: You can only delete external key material of the customer master key (CMK) that is used as a default key. | |
Creates a new version for a key. Symmetric keys in KMS instances of the software key management type support this operation. Note: Asymmetric keys outside KMS support this operation. | |
Queries the information about a key version. | |
Queries all versions of a key. | |
Updates the rotation policy of a key. If automatic rotation is enabled for a key, KMS automatically generates a key version for the key on a regular basis. |
Cryptographic operations
You can perform cryptographic operations on data. For example, you can use KMS keys to encrypt data, generate data keys, decrypt data, and calculate signatures.
To use a key in a KMS instance to perform cryptographic operations, call KMS Instance API operations. For more information, see List of operations by function.
Secret management
You can call API operations to manage, protect, distribute, and rotate secrets.
API operation
Description
Creates a secret and stores the secret value in the initial version.
Queries all secrets within an Alibaba Cloud account in the current region.
Queries the metadata of a secret.
Updates the metadata of a secret.
Stores the secret value of a new version into a secret.
Note: Only generic secrets support this operation.
Updates the stage label that marks a secret version.
Note: Only generic secrets support this operation.
Schedules deletion of a secret or deletes a secret.
Restores a secret that is scheduled to be deleted.
Queries all versions of a secret.
Queries a random password string.
Manually rotates a secret.
Updates the rotation policy of a secret.
Secret retrieval
Important: KMS Instance API also supports the GetSecretValue operation to query a secret. The operation that you call to query a secret depends on the SDK that you use. For more information about how to select an SDK, see SDK user guide.
Tag management
You can add multiple tags to a key or secret. Each tag consists of a tag key (TagKey) and a tag value (TagValue).
TagResource, UntagResource, and ListResourceTags apply to a single resource. TagResources, UntagResources, and ListTagResources apply to multiple resources.
API operation | Description |
Adds a tag to a key or a secret. | |
Removes a tag from a key or a secret. | |
Queries all tags of a key. | |
Adds tags to multiple keys or secrets. | |
Removes tags from multiple keys or secrets at a time. | |
Queries all tags or specific tags of multiple keys or secrets at a time. |
Application management
API operation | Description |
Creates a network access rule to configure the private IP addresses or CIDR blocks that are allowed to access a KMS instance. | |
Deletes a network access rule. | |
Queries the details of a network access rule. | |
Queries a list of network access rules. | |
Updates a network access rule. | |
Creates a permission policy to configure the keys and secrets that are allowed to be accessed. | |
Deletes a permission policy. | |
Queries the details of a permission policy. | |
Updates a permission policy. | |
Queries a list of permission policies. | |
Creates an application access point (AAP). | |
Deletes an AAP. | |
Queries the details of an AAP. | |
Queries a list of AAPs. | |
Updates the information about an AAP. | |
Creates a client key. | |
Deletes a client key. | |
Queries a list of client keys. | |
Queries the information about a client key. |