keys and secrets of KMS are billed based on usage - - Alibaba Cloud Documentation Center

Key Management Service (KMS) supports the pay-as-you-go billing method. You can pay for resources such as keys and secrets based on your actual resource usage. This prevents resource waste. This topic describes the pay-as-you-go billing method and overdue payments. This topic also describes how to create and release a KMS instance and how to query bills and resource usage.

Billing method

Calculation formula

Daily fees = Instance fee + Key fee + Secret fee + Queries per second (QPS) fee + Multi-account sharing fee + Multi-virtual private cloud (VPC) fee.

Billing cycle

KMS calculates resource usage by calendar day and generates bills based on the actual usage. In most cases, the bills for resource usage on Day T are generated before 12:00 (UTC+8) on Day T+1. The bill generation time in the Alibaba Cloud Management Console shall prevail.

Note

Resource usage on Day T, excluding QPS, is calculated at 24:00 on Day T.

Billable items

Billable item	Unit price (USD per day)	Description
Instance fee	KMS instances of the software key management type: 4.5 KMS instances of the hardware key management type: 9	Daily instance fee = Unit price of a KMS instance × Number of instances You are charged for a pay-as-you-go KMS instance after you create the instance. You are no longer charged for the instance after you release the instance.
Key fee	0.03	Daily key fee = Unit price of a key × Number of keys If a key has multiple versions, you are charged based on the number of key versions. For example, if a key has three versions, you are charged for three keys. If a key has an external key material origin, you are charged after you create the key, but not after you import the key material. If a key is in the Pending Deletion state, you are not charged for the key. If you restore the key within the scheduled deletion period, you are charged for the key. If a key is disabled, you are charged for the key.
Secret fee	0.013	Daily secret fee = Unit price of a secret × Number of secrets If a secret has multiple versions, you are charged for one secret. You are not charged based on the number of secret versions. If a secret is in the Pending Deletion state, you are not charged for the secret. If you restore the secret within the scheduled deletion period, you are charged for the secret.
QPS fee	0.5	Daily QPS fee = Unit price of QPS × QPS value For a KMS instance, the average value of QPS is calculated for every minute within a calendar day. The maximum value among the average values is selected as the QPS value of the day and is rounded up to the nearest integer. For example, if the maximum average value is greater than 0 but less than 1, the QPS value is considered 1. Note You can go to the Overview page of the KMS console to check the value of the requests per minute (count) metric. Take note that the value of the requests per minute (count) metric is calculated based on downsampling. Therefore, the value of the requests per minute (count) metric may slightly differ from the number of requests per minute based on which KMS calculates the QPS value. You are charged based on the QPS value that is calculated by KMS.
Multi-account sharing fee	3	Daily multi-account sharing fee = Unit price of the multi-account sharing feature × Number of accounts Take note of the following information: If you use the multi-account sharing feature and share a KMS instance with other Alibaba Cloud accounts in a resource directory, the number is calculated based on the Alibaba Cloud accounts. If you configure a custom key policy for a key or a custom secret policy for a secret and authorize other Alibaba Cloud accounts, or Resource Access Management (RAM) users or RAM roles that belong to other Alibaba Cloud accounts to use the key or secret, the number is calculated based on the Alibaba Cloud accounts. Note Alibaba Cloud accounts are counted once and are not counted repeatedly.
Multi-VPC fee	3	Daily multi-VPC fee = Unit price of the multi-VPC feature × Number of VPCs The number of VPCs does not include the VPC that is associated with your KMS instance when you enable the instance.

Billing examples

Scenario	Fee on Day T
You create a pay-as-you-go KMS instance of the software key management type, but you do not enable the instance on Day T.	USD 4.5
You create and enable a pay-as-you-go KMS instance of the software key management type on Day T. You also create three keys and two secrets. The QPS value on that day is 20.	4.5 × 1 + 0.03 × 3 + 0.013 × 2 + 0.5 × 20 = USD 14.616

Create a pay-as-you-go KMS instance

After you create a pay-as-you-go KMS instance, you are charged for the instance.

Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.
On the Software Key Management or Hardware Key Management tab, click Create Instance.
In the Create Instance dialog box, select Pay-as-you-go and click Go to Create.
Configure the Instance Type and Region parameters and click Buy Now.
Read and select Terms of Service and click Pay.

Release a pay-as-you-go KMS instance

Important

If you release a KMS instance, all resources in the instance are released. The data that is encrypted by using keys in the instance cannot be decrypted, and secrets in the instance cannot be obtained. Before you release a KMS instance, make sure that no data is encrypted by using keys in the instance and secrets in the instance are not called.
We recommend that you back up the resources of a KMS instance before you release the instance. This way, you can restore the instance from the backup resources. For more information, see Backups.
KMS calculates resource usage by calendar day. If a KMS instance is released on Day T, the bills for resource usage on Day T are generated before 12:00 (UTC+8) on Day T+1.

Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.
On the Software Key Management or Hardware Key Management tab, find the KMS instance that you want to release.
Click Release in the Actions column. After you confirm the release information, click OK.

Query bills and resource usage

You can query and export KMS bills and bill details in the Expenses and Costs console. For more information, see Billing details.

Overdue payments

If your Alibaba Cloud account does not have sufficient balance, including cash, vouchers, and coupons, to complete an outstanding payment, your account has an overdue payment.
Your KMS instance is suspended 15 days after the payment becomes overdue. If the instance is suspended, you cannot use the keys or secrets in the instance. Your KMS instance is released and cannot be restored 15 days after the instance is suspended.
If your Alibaba Cloud account has an overdue payment, you must add funds to your account at the earliest opportunity to ensure that your account has sufficient balance. Otherwise, your service may become unavailable.

Billing FAQ

Am I charged for keys that are in the Pending Deletion state?
No, you are not charged for keys that are in the Pending Deletion state. If you restore a key within the scheduled deletion period, you are charged for the key.
Am I charged for keys that are disabled?
Yes, you are charged for keys that are disabled.
How do I stop the charges for a pay-as-you-go KMS instance?
After you release a pay-as-you-go KMS instance, you are no longer charged for the instance. Before you release a KMS instance, make sure that you no longer use the keys or secrets in the instance. After you release the instance, the data that is encrypted by using keys in the instance cannot be decrypted, and secrets in the instance cannot be obtained.