KMS / Client / get_key_policy

get_key_policy#

KMS.Client.get_key_policy(**kwargs)#

Gets a key policy attached to the specified KMS key.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:GetKeyPolicy (key policy)

Related operations: PutKeyPolicy

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

See also: AWS API Documentation

Request Syntax

response = client.get_key_policy(
    KeyId='string',
    PolicyName='string'
)
Parameters:

  • KeyId (string) –

    [REQUIRED]

    Gets the key policy for the specified KMS key.

    Specify the key ID or key ARN of the KMS key.

    For example:

    • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

  • PolicyName (string) –

    [REQUIRED]

    Specifies the name of the key policy. The only valid name is default. To get the names of key policies, use ListKeyPolicies.

Return type:

dict

Returns:

Response Syntax

{
    'Policy': 'string'
}

Response Structure

  • (dict) –

    • Policy (string) –

      A key policy document in JSON format.

Exceptions

  • KMS.Client.exceptions.NotFoundException

  • KMS.Client.exceptions.InvalidArnException

  • KMS.Client.exceptions.DependencyTimeoutException

  • KMS.Client.exceptions.KMSInternalException

  • KMS.Client.exceptions.KMSInvalidStateException

Examples

The following example retrieves the key policy for the specified KMS key.

response = client.get_key_policy(
    # The identifier of the KMS key whose key policy you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
    # The name of the key policy to retrieve.
    PolicyName='default',
)

print(response)

Expected Output:

{
    # The key policy document.
    'Policy': '{\n  "Version" : "2012-10-17",\n  "Id" : "key-default-1",\n  "Statement" : [ {\n    "Sid" : "Enable IAM User Permissions",\n    "Effect" : "Allow",\n    "Principal" : {\n      "AWS" : "arn:aws:iam::111122223333:root"\n    },\n    "Action" : "kms:*",\n    "Resource" : "*"\n  } ]\n}',
    'ResponseMetadata': {
        '...': '...',
    },
}