{"id":9452,"library":"alibabacloud-kms20160120","title":"Alibaba Cloud Key Management Service (KMS) SDK","description":"The `alibabacloud-kms20160120` library provides an SDK for interacting with Alibaba Cloud's Key Management Service (KMS) API version 2016-01-20. It allows developers to programmatically manage encryption keys, perform cryptographic operations, and integrate KMS into their applications. The current version is `2.4.0`, and it typically sees updates in response to API changes or underlying SDK framework improvements.","status":"active","version":"2.4.0","language":"en","source_language":"en","source_url":"https://github.com/aliyun/alibabacloud-python-sdk","tags":["aliyun","alibaba cloud","kms","key management service","encryption","security","cloud"],"install":[{"cmd":"pip install alibabacloud-kms20160120","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core utility library for Alibaba Cloud SDKs.","package":"alibabacloud-tea-util","optional":false},{"reason":"OpenAPI framework for Alibaba Cloud SDKs, handles client configuration and API calls.","package":"alibabacloud-tea-openapi","optional":false},{"reason":"Utility for environment variable handling.","package":"alibabacloud-darabonba-env","optional":false},{"reason":"Utility for number operations within the Darabonba framework.","package":"alibabacloud-darabonba-number","optional":false}],"imports":[{"note":"This SDK has a specific package name reflecting the API version; older or generic Aliyun SDKs use different import paths.","wrong":"from aliyun_python_sdk_kms.client import Client","symbol":"Client","correct":"from alibabacloud_kms20160120.client import Client"},{"note":"The `Config` object for client initialization is provided by the `alibabacloud-tea-openapi` dependency.","symbol":"Config","correct":"from alibabacloud_tea_openapi.models import Config"},{"note":"Optional runtime configurations for API calls are from 
`alibabacloud-tea-util`.","symbol":"RuntimeOptions","correct":"from alibabacloud_tea_util.models import RuntimeOptions"}],"quickstart":{"code":"import os\nfrom alibabacloud_kms20160120.client import Client as KmsClient\nfrom alibabacloud_tea_openapi.models import Config\nfrom alibabacloud_kms20160120.models import CreateKeyRequest\nfrom alibabacloud_tea_util.models import RuntimeOptions\n\n# Ensure you set these environment variables or replace with actual values\nACCESS_KEY_ID = os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID', 'YOUR_ACCESS_KEY_ID')\nACCESS_KEY_SECRET = os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET', 'YOUR_ACCESS_KEY_SECRET')\nREGION_ID = os.environ.get('ALIBABA_CLOUD_REGION_ID', 'cn-hangzhou')\n\ntry:\n    # Initialize client configuration\n    config = Config(\n        access_key_id=ACCESS_KEY_ID,\n        access_key_secret=ACCESS_KEY_SECRET,\n        region_id=REGION_ID\n    )\n\n    # Create KMS client\n    client = KmsClient(config)\n\n    # Example: Create a new encryption key\n    create_key_request = CreateKeyRequest(\n        description='My Test Key via Python SDK',\n        key_usage='ENCRYPT/DECRYPT'\n    )\n\n    runtime = RuntimeOptions()\n    response = client.create_key_with_options(create_key_request, runtime)\n\n    # CreateKey returns the key details nested under KeyMetadata\n    print(f\"Key created successfully: {response.body.key_metadata.key_id}\")\n    print(f\"Key ARN: {response.body.key_metadata.arn}\")\n\nexcept Exception as e:\n    print(f\"An error occurred: {e}\")\n    # In production, handle specific exceptions like ClientException, ServerException\n","lang":"python","description":"This quickstart demonstrates how to initialize the KMS client using Access Key ID and Secret, and then make a basic API call to create an encryption key. It's recommended to retrieve credentials from environment variables for security. 
Replace `YOUR_ACCESS_KEY_ID` and `YOUR_ACCESS_KEY_SECRET` with your actual Alibaba Cloud credentials."},"warnings":[{"fix":"Ensure `ALIBABA_CLOUD_ACCESS_KEY_ID`, `ALIBABA_CLOUD_ACCESS_KEY_SECRET`, and `ALIBABA_CLOUD_REGION_ID` environment variables are correctly set, or pass valid credentials directly to `Config`.","message":"Incorrect or missing Access Key ID/Secret and Region ID are the most common causes of `ClientException` errors (e.g., `InvalidAccessKeyId.NotFound`, `SignatureDoesNotMatch`).","severity":"gotcha","affected_versions":"All"},{"fix":"Verify the required KMS API features against the 2016-01-20 documentation. If newer features are needed, search for alternative SDKs (if available) or use a different Alibaba Cloud SDK if it encompasses the desired functionality.","message":"The SDK is tied to KMS API version 2016-01-20. If you need features from a newer KMS API version, you might need a different SDK package or to check if the specific features are backported.","severity":"gotcha","affected_versions":"All"},{"fix":"Check network connectivity to Alibaba Cloud. If `region_id` is insufficient, you can explicitly set `config.endpoint = 'kms.<your-region>.aliyuncs.com'` (e.g., `kms.cn-hangzhou.aliyuncs.com`).","message":"Network connectivity issues or incorrect endpoint configurations can lead to `Could not connect to the endpoint URL` errors. While `region_id` is usually sufficient, specific scenarios (e.g., private links) might require setting a custom `endpoint`.","severity":"gotcha","affected_versions":"All"},{"fix":"Pin your `alibabacloud-tea-*` dependencies to specific versions (e.g., in `requirements.txt`). 
When upgrading, review their release notes carefully for breaking changes to `Config` initialization or API call patterns.","message":"The core `alibabacloud-tea-openapi` and `alibabacloud-tea-util` libraries, which this SDK depends on, can introduce breaking changes in their own major version updates, potentially affecting how `Config` or `RuntimeOptions` are used.","severity":"breaking","affected_versions":"Dependent on major versions of `alibabacloud-tea-*` packages"}],"env_vars":null,"last_verified":"2026-04-17T00:00:00.000Z","next_check":"2026-07-16T00:00:00.000Z","problems":[{"fix":"Verify your `ALIBABA_CLOUD_ACCESS_KEY_ID` environment variable or the `access_key_id` passed to `Config` is correct and active. Ensure there are no leading/trailing spaces.","cause":"The Alibaba Cloud Access Key ID is incorrect, expired, or does not exist.","error":"alibabacloud_tea_util.models.ClientException: Code: InvalidAccessKeyId.NotFound, Message: The Access Key ID provided does not exist."},{"fix":"Verify your `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variable or the `access_key_secret` passed to `Config` is correct. This is often caused by typos or outdated secrets.","cause":"The Alibaba Cloud Access Key Secret is incorrect, leading to a signature mismatch during authentication.","error":"alibabacloud_tea_util.models.ClientException: Code: SignatureDoesNotMatch, Message: The request signature does not conform to Aliyun standards."},{"fix":"Check your internet connection. Ensure `ALIBABA_CLOUD_REGION_ID` or `config.region_id` is set to a valid and reachable Alibaba Cloud region (e.g., 'cn-hangzhou'). If behind a firewall, ensure `*.aliyuncs.com` is allowed. 
You can also try setting `config.endpoint` explicitly.","cause":"Network connectivity issue, incorrect region ID, or firewall blocking access to the Alibaba Cloud KMS endpoint.","error":"alibabacloud_tea_util.models.ClientException: Could not connect to the endpoint URL: \"https://kms.cn-hangzhou.aliyuncs.com/\""},{"fix":"Review the IAM policy attached to your Alibaba Cloud account/user/role. Grant the required permissions for KMS actions (e.g., `kms:CreateKey`, `kms:Encrypt`) to allow the operation.","cause":"The IAM user or RAM role associated with the Access Key ID/Secret does not have the necessary permissions to perform the requested KMS operation.","error":"alibabacloud_tea_util.models.ServerException: Code: Forbidden.NoPermission, Message: User not authorized to perform this operation."}]}