Performance quotas of KMS instances - Key Management Service

Key Management Service (KMS) has different performance quotas on different API operations. High performance requires high fees. This topic describes the performance quotas of KMS.

Overview

KMS provides KMS API and KMS Instance API. The performance quotas of KMS API are applied to each Alibaba Cloud account. The performance quotas of KMS Instance API are applied to each KMS instance.

KMS API

For KMS API, KMS has a quota that limits the number of API requests per second. If the number of API requests per second exceeds the quota, KMS denies the requests and returns an error response similar to the following example. You can retry sending the requests to fix this type of error. You can configure the request backoff and retry policies for your application.

{
  "HttpStatus": 429,
  "Code": "Rejected.Throttling",
  "Message": "QPS Limit Exceeded",
  "RequestId": "e85db688-a2d3-44ca-9790-4259etas154f"
}

The following table describes the performance quotas for each Alibaba Cloud account in a region.

Operation type	Operation	Quota
Key management operations	The operations that query the metadata, properties, or status of resources such as keys, aliases, and tags. All API operations in the following list consume the quota: GetParametersForImport DescribeKey ListKeys DescribeKeyVersion ListKeyVersions GetPublicKey ListAliases ListAliasesByKeyId ListResourceTags ListTagResources DescribeRegions	50 queries per second (QPS)
	The operations that create a key. CreateKey	10 QPS
	The operations that create aliases and modify keys, aliases, and tags. All API operations in the following list consume the quota: ImportKeyMaterial EnableKey DisableKey SetDeletionProtection ScheduleKeyDeletion CancelKeyDeletion DeleteKeyMaterial UpdateKeyDescription UpdateRotationPolicy CreateAlias UpdateAlias DeleteAlias TagResource UntagResource TagResources UntagResources	30 QPS
Cryptographic operations	The operations that generate data keys, encrypt data, and decrypt data by using symmetric keys. All API operations in the following list consume the quota: Note You can call the following operations only for server-side encryption of cloud services. For more information, see Integration with KMS. Encrypt GenerateDataKey GenerateDataKeyWithoutPlaintext ExportDataKey GenerateAndExportDataKey Decrypt	750 QPS
Cryptographic operations	The operations that encrypt data, decrypt data, sign data, and verify signatures by using asymmetric keys. All API operations in the following list consume the quota: Note You can call the following operations only for server-side encryption of cloud services. For more information, see Integration with KMS. AsymmetricSign AsymmetricVerify AsymmetricDecrypt AsymmetricEncrypt	200 QPS
Secrets-related operations	The operations that create or delete a secret. All API operations in the following list consume the quota: CreateSecret DeleteSecret	10 QPS
	The operations that query the information about a secret and retrieve a secret value. All API operations in the following list consume the quota: DescribeSecret GetSecretValue	450 QPS
	The operations that query a list of secrets and the metadata of secrets. All the API operations in the following list are low-frequency operations and consume the quota. ListSecrets ListSecretVersionIds PutSecretValue UpdateSecret UpdateSecretVersionStage GetRandomPassword UpdateSecretRotationPolicy RestoreSecret	40 QPS
	The operations that rotate a secret. RotateSecret	50 queries per hour
Other supported operations	The operations that activate KMS and query the status of KMS. All API operations in the following list consume the quota: OpenKmsService DescribeAccountKmsStatus	1 QPS

KMS Instance API

Only KMS instances of the software key management type and the hardware key management type support KMS Instance API.

Important

For KMS Instance API, KMS does not limit the number of API requests. KMS processes API requests in best effort mode. The maximum available computing and storage resources are used during processing. When you purchase a KMS instance, you can select an appropriate computing performance plan based on your business requirements.

Test scenario

The performance quota for symmetric algorithms is calculated when an Aliyun_AES_256 key is used to encrypt or decrypt 32-byte data in GCM mode.
The performance quota for asymmetric algorithms is calculated when an RSA_2048 key is used to sign 32-byte data.
The performance quota for retrieving secret values is calculated when KMS retrieves 32-byte secret values.
Your KMS instance of the hardware key management type is connected to a hardware security module (HSM) cluster, and the number of HSMs in the HSM cluster is greater than or equal to two. This allows you to test the performance quotas of the KMS instance.

KMS instances of the software key management type

The following table describes the performance quotas of KMS instances of the software key management type in different scenarios.

Note

If you want to purchase a KMS instance of the software key management type with a computing performance of 10,000 or 20,000, submit a ticket.

Operation type	Operation	Computing performance plan (1,000 QPS)	Computing performance plan (2,000 QPS)	Computing performance plan (4,000 QPS)	Computing performance plan (10,000 QPS)	Computing performance plan (20,000 QPS)
Operations by using symmetric algorithms	The operations that encrypt data, decrypt data, and generate data keys by using symmetric algorithms. All API operations in the following list consume the quota: AdvanceEncrypt AdvanceDecrypt AdvanceGenerateDataKey Encrypt Decrypt GenerateDataKey	1000	2000	4000	10000	20000
Operations by using asymmetric algorithms	The operations that encrypt data, decrypt data, and generate data keys by using asymmetric algorithms. All API operations in the following list consume the quota: Encrypt Decrypt Sign Verify	200	300	500	1300	2500
Operations to obtain a public key	The operations that query the public key of an asymmetric key. GetPublicKey	1000	2000	4000	10000	20000
Operations to use secrets	The operations that retrieve values of secrets. GetSecretValue	500	1000	2000	4000	4000
Operations to generate random numbers	The operations that generate a random number. GenerateRandom	1000	2000	4000	10000	20000

KMS instances of the hardware key management type

The following table describes the performance quotas of KMS instances of the hardware key management type in different scenarios.

Operation type	Operation	Computing performance plan (2,000 QPS)	Computing performance plan (4,000 QPS)	Computing performance plan (6,000 QPS)	Computing performance plan (8,000 QPS)
Operations by using symmetric algorithms	The operations that encrypt data, decrypt data, and generate data keys by using symmetric algorithms. All API operations in the following list consume the quota: AdvanceEncrypt AdvanceDecrypt AdvanceGenerateDataKey Encrypt Decrypt GenerateDataKey	2000	4000	6000	8000
Operations by using asymmetric algorithms	The operations that encrypt data, decrypt data, and generate data keys by using asymmetric algorithms. All API operations in the following list consume the quota: Encrypt Decrypt Sign Verify	300	500	700	900
Operations to obtain a public key	The operations that query the public key of an asymmetric key. GetPublicKey	2000	4000	6000	8000
Operations to use secrets	The operations that retrieve values of secrets. GetSecretValue	1000	2000	3000	4000
Operations to generate random numbers	The operations that generate a random number. GenerateRandom	2000	4000	6000	8000

References

Billing