This topic describes the limits of Key Management Service (KMS).
KMS is a region-specific service, and its limits vary by region. For more information about the regions supported by KMS, see the "Endpoints" section of the Request method topic.
Resource quotas
KMS defines resource quotas to provide fast and elastic capabilities. Some resource quotas apply to the resources that you create, but do not apply to the resources that are created by Alibaba Cloud. If the resources that you use do not belong to your Alibaba Cloud account, the resources are not counted in your resource quotas.
If the quota of a resource is exhausted, the system reports the error Rejected.LimitExceeded for new requests to create this type of resource.
The following table describes the KMS resource quotas for each Alibaba Cloud account in a region.
Resource type | Default quota | Description |
---|---|---|
Customer master key (CMK) | 200 | The maximum number of CMKs that you can create in a region |
Alias | 300 | The maximum number of aliases that you can create in a region |
CMK version | 10000 | The maximum number of versions for all CMKs that you can create in a region |
Request quotas
KMS defines quotas for the number of API operations that you can call per second. When a request quota is exceeded, KMS blocks valid requests and returns an error similar to the following code. This type of error can be resolved by retrying the request. You can configure the request backoff and retry policies for your application. For more information, see Use the exponential backoff method to retry requests.
```json
{
  "HttpStatus": 429,
  "Code": "Rejected.Throttling",
  "Message": "QPS Limit Exceeded",
  "RequestId": "e85db688-a2d3-44ca-9790-4259etas154f"
}
```
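The retry policy described above, as an added example that is not part of the original page or of any Alibaba Cloud SDK: it retries only Rejected.Throttling with full-jitter exponential backoff and fails fast on Rejected.LimitExceeded. `KmsError`, `call_with_retry`, `scripted_op`, and the delay parameters are hypothetical names and values chosen for illustration.

```python
import random
import time

# Only throttling is transient. Rejected.LimitExceeded means a resource quota
# is exhausted, so retrying the same create request cannot succeed.
RETRYABLE_CODES = {"Rejected.Throttling"}

class KmsError(Exception):
    """Hypothetical wrapper around a KMS error body like the one shown above."""
    def __init__(self, body):
        self.status = body.get("HttpStatus")
        self.code = body.get("Code")
        self.request_id = body.get("RequestId")
        super().__init__(f"{self.code}: {body.get('Message')}")

def call_with_retry(op, attempts=5, base=0.1, cap=5.0,
                    sleep=time.sleep, rng=random.random):
    """Run op(); on throttling, wait a full-jitter exponential delay and retry.

    Returns (result, tries). Re-raises non-retryable errors at once and the
    last throttling error when attempts run out.
    """
    for i in range(attempts):
        try:
            return op(), i + 1
        except KmsError as err:
            if err.code not in RETRYABLE_CODES or i == attempts - 1:
                raise
            # Delay is uniform in [0, min(cap, base * 2**i)] so that clients
            # sharing one operation-group quota do not retry in lockstep.
            sleep(rng() * min(cap, base * 2 ** i))

def scripted_op(error_bodies, result):
    """Constructed stand-in for a KMS call: raises each body once, then succeeds."""
    pending = list(error_bodies)
    def op():
        if pending:
            raise KmsError(pending.pop(0))
        return result
    return op

# Constructed sample bodies; THROTTLED mirrors the error shown above.
THROTTLED = {"HttpStatus": 429, "Code": "Rejected.Throttling",
             "Message": "QPS Limit Exceeded",
             "RequestId": "e85db688-a2d3-44ca-9790-4259etas154f"}
QUOTA_EXHAUSTED = {"Code": "Rejected.LimitExceeded",
                   "Message": "constructed sample message"}

if __name__ == "__main__":
    print(call_with_retry(scripted_op([THROTTLED, THROTTLED], "plaintext-ok"),
                          sleep=lambda s: None))
```

Logging `request_id` from the final raised error gives support and incident responders a handle on the rejected call.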
The following table describes the KMS request quotas for each Alibaba Cloud account in a region.
CMK specification | Create operation | Cryptographic operation | Read-only operation | Write operation |
---|---|---|---|---|
| | 10 | 750 | 20 | 10 |
| | 10 | 200 | 20 | 10 |
| | 10 | 200 | 20 | 10 |
The default request quotas for CMKs are grouped by operation. All operations in a group share the request quota for the group. The following groups are defined:
- Create operation group: includes only the CreateKey operation. For more information, see CreateKey.
- Cryptographic operation group: includes the cryptographic operations for a specific CMK. For more information, see Key service operations.
- Read-only operation group: includes the operations that are related to CMKs, aliases, and CMK tags but do not change the metadata, properties, or status of resources.
- Write operation group: includes the operations that are related to CMKs, aliases, and CMK tags and change the metadata, properties, or status of resources.