get_key_policy(**kwargs)¶Gets a key policy attached to the specified KMS key.
Cross-account use : No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions : kms:GetKeyPolicy (key policy)
Related operations : PutKeyPolicy
See also: AWS API Documentation
Request Syntax
response = client.get_key_policy(
KeyId='string',
PolicyName='string'
)
[REQUIRED]
Gets the key policy for the specified KMS key.
Specify the key ID or key ARN of the KMS key.
For example:
1234abcd-12ab-34cd-56ef-1234567890abarn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abTo get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
[REQUIRED]
Specifies the name of the key policy. The only valid name is default . To get the names of key policies, use ListKeyPolicies.
dict
Response Syntax
{
'Policy': 'string'
}
Response Structure
(dict) --
Policy (string) --
A key policy document in JSON format.
Exceptions
KMS.Client.exceptions.NotFoundExceptionKMS.Client.exceptions.InvalidArnExceptionKMS.Client.exceptions.DependencyTimeoutExceptionKMS.Client.exceptions.KMSInternalExceptionKMS.Client.exceptions.KMSInvalidStateExceptionExamples
The following example retrieves the key policy for the specified KMS key.
response = client.get_key_policy(
# The identifier of the KMS key whose key policy you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
# The name of the key policy to retrieve.
PolicyName='default',
)
print(response)
Expected Output:
{
# The key policy document.
'Policy': '{\n "Version" : "2012-10-17",\n "Id" : "key-default-1",\n "Statement" : [ {\n "Sid" : "Enable IAM User Permissions",\n "Effect" : "Allow",\n "Principal" : {\n "AWS" : "arn:aws:iam::111122223333:root"\n },\n "Action" : "kms:*",\n "Resource" : "*"\n } ]\n}',
'ResponseMetadata': {
'...': '...',
},
}