This topic describes the limits of Key Management Service (KMS).

KMS is a region-specific service, and its limits vary by region. For more information about the regions supported by KMS, see the "Endpoints" section of the Request method topic.

Resource quotas

KMS defines resource quotas to provide fast and elastic capabilities. Some resource quotas apply to the resources that you create, but do not apply to the resources that are created by Alibaba Cloud. If the resources that you use do not belong to your Alibaba Cloud account, the resources are not counted in your resource quotas.

If the quota of a resource is exhausted, the system reports the error Rejected.LimitExceeded for new requests to create this type of resource.

The following table describes the KMS resource quotas for each Alibaba Cloud account in a region.

| Resource type | Default quota | Description |
| --- | --- | --- |
| Customer master key (CMK) | 200 | The maximum number of CMKs that you can create in a region |
| Alias | 300 | The maximum number of aliases that you can create in a region |
| CMK version | 10000 | The maximum number of versions for all CMKs that you can create in a region |

Request quotas

KMS defines quotas for the number of API operations that you can call per second. When a request quota is exceeded, KMS throttles requests that are otherwise valid and returns an error similar to the following code. You can resolve this type of error by retrying the request. You can configure the request backoff and retry policies for your application. For more information, see Use the exponential backoff method to retry requests.

{
  "HttpStatus": 429,
  "Code": "Rejected.Throttling",
  "Message": "QPS Limit Exceeded",
  "RequestId": "e85db688-a2d3-44ca-9790-4259etas154f"
}
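The following retry wrapper is an added example, not code from the KMS documentation or SDK. It retries only Rejected.Throttling with capped exponential backoff and full jitter, and fails fast on Rejected.LimitExceeded, because an exhausted resource quota does not clear on retry. The `send` callable, the helper names, the delay values, and the assumption that a successful response body has no `Code` field are all hypothetical.

```python
import random
import time

# Request-quota error from this page; safe to retry after a delay.
RETRYABLE_CODES = {"Rejected.Throttling"}
# Rejected.LimitExceeded (resource quota exhausted) is deliberately absent:
# retrying a create call cannot succeed until a resource is freed.


class KmsRequestError(Exception):
    """Raised for a non-retryable error or when retries are exhausted."""
    def __init__(self, response):
        super().__init__(f'{response.get("Code")}: {response.get("Message")}')
        self.response = response


def backoff_delays(max_retries, base=0.1, cap=5.0, rng=random.random):
    """Yield full-jitter delays: rng() * min(cap, base * 2**attempt)."""
    for attempt in range(max_retries):
        yield rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(send, max_retries=5, sleep=time.sleep, rng=random.random):
    """Call send() (hypothetical: returns the parsed response body as a dict).

    Assumption: a successful body carries no "Code" field.
    Returns (response, number_of_attempts).
    """
    delays = backoff_delays(max_retries, rng=rng)
    attempts = 0
    while True:
        attempts += 1
        response = send()
        code = response.get("Code")
        if code is None:
            return response, attempts
        delay = next(delays, None) if code in RETRYABLE_CODES else None
        if delay is None:          # not retryable, or retry budget spent
            raise KmsRequestError(response)
        sleep(delay)


def demo():
    # Constructed replies: two throttled responses, then a success.
    throttled = {"HttpStatus": 429, "Code": "Rejected.Throttling",
                 "Message": "QPS Limit Exceeded"}
    replies = iter([throttled, throttled, {"RequestId": "constructed-id"}])
    slept = []
    result = call_with_backoff(lambda: next(replies), sleep=slept.append)
    return result, slept


if __name__ == "__main__":
    print(demo())
```

Jitter spreads retries from many clients that were throttled at the same moment, so they do not all hit the shared per-account quota again in the same second.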

The following table describes the KMS request quotas for each Alibaba Cloud account in a region.

Table 1. Default request quotas for CMKs per second

| CMK specification | Create operation | Cryptographic operation | Read-only operation | Write operation |
| --- | --- | --- | --- | --- |
| Aliyun_AES_256, Aliyun_SM4 | 10 | 750 | 20 | 10 |
| RSA_2048, RSA_3072 | 10 | 200 | 20 | 10 |
| EC_P256, EC_P256K, EC_SM2 | 10 | 200 | 20 | 10 |

The default request quotas for CMKs are grouped by operation. All operations in a group share the request quota for the group. The following groups are defined:

  • Create operation group: includes only the CreateKey operation. For more information, see CreateKey.
  • Cryptographic operation group: includes the cryptographic operations for a specific CMK. For more information, see Key service operations.
  • Read-only operation group: includes the operations that are related to CMKs, aliases, and CMK tags but do not change the metadata, properties, or status of resources.
  • Write operation group: includes the operations that are related to CMKs, aliases, and CMK tags and change the metadata, properties, or status of resources.