KMS / Client / get_key_policy
get_key_policy#
- KMS.Client.get_key_policy(**kwargs)#
Gets a key policy attached to the specified KMS key.
Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions: kms:GetKeyPolicy (key policy)
Related operations: PutKeyPolicy
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
See also: AWS API Documentation
Request Syntax
response = client.get_key_policy( KeyId='string', PolicyName='string' )
- Parameters:
KeyId (string) –
[REQUIRED]
Gets the key policy for the specified KMS key.
Specify the key ID or key ARN of the KMS key.
For example:
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
PolicyName (string) – Specifies the name of the key policy. If no policy name is specified, the default value is
default
. The only valid name isdefault
. To get the names of key policies, use ListKeyPolicies.
- Return type:
dict
- Returns:
Response Syntax
{ 'Policy': 'string', 'PolicyName': 'string' }
Response Structure
(dict) –
Policy (string) –
A key policy document in JSON format.
PolicyName (string) –
The name of the key policy. The only valid value is
default
.
Exceptions
KMS.Client.exceptions.NotFoundException
KMS.Client.exceptions.InvalidArnException
KMS.Client.exceptions.DependencyTimeoutException
KMS.Client.exceptions.KMSInternalException
KMS.Client.exceptions.KMSInvalidStateException
Examples
The following example retrieves the key policy for the specified KMS key.
response = client.get_key_policy( # The identifier of the KMS key whose key policy you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key. KeyId='1234abcd-12ab-34cd-56ef-1234567890ab', # The name of the key policy to retrieve. PolicyName='default', ) print(response)
Expected Output:
{ # The key policy document. 'Policy': '{\n "Version" : "2012-10-17",\n "Id" : "key-default-1",\n "Statement" : [ {\n "Sid" : "Enable IAM User Permissions",\n "Effect" : "Allow",\n "Principal" : {\n "AWS" : "arn:aws:iam::111122223333:root"\n },\n "Action" : "kms:*",\n "Resource" : "*"\n } ]\n}', 'ResponseMetadata': { '...': '...', }, }