KMS / Client / get_key_policy

get_key_policy#

KMS.Client.get_key_policy(**kwargs)#

Gets a key policy attached to the specified KMS key.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:GetKeyPolicy (key policy)

Related operations: PutKeyPolicy

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

See also: AWS API Documentation

Request Syntax

response = client.get_key_policy(
    KeyId='string',
    PolicyName='string'
)
Parameters:
  • KeyId (string) –

    [REQUIRED]

    Gets the key policy for the specified KMS key.

    Specify the key ID or key ARN of the KMS key.

    For example:

    • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

    To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

  • PolicyName (string) – Specifies the name of the key policy. If no policy name is specified, the default value is default. The only valid name is default. To get the names of key policies, use ListKeyPolicies.

Return type:

dict

Returns:

Response Syntax

{
    'Policy': 'string',
    'PolicyName': 'string'
}

Response Structure

  • (dict) –

    • Policy (string) –

      A key policy document in JSON format.

    • PolicyName (string) –

      The name of the key policy. The only valid value is default.

Exceptions

  • KMS.Client.exceptions.NotFoundException

  • KMS.Client.exceptions.InvalidArnException

  • KMS.Client.exceptions.DependencyTimeoutException

  • KMS.Client.exceptions.KMSInternalException

  • KMS.Client.exceptions.KMSInvalidStateException

Examples

The following example retrieves the key policy for the specified KMS key.

response = client.get_key_policy(
    # The identifier of the KMS key whose key policy you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
    # The name of the key policy to retrieve.
    PolicyName='default',
)

print(response)

Expected Output:

{
    # The key policy document.
    'Policy': '{\n  "Version" : "2012-10-17",\n  "Id" : "key-default-1",\n  "Statement" : [ {\n    "Sid" : "Enable IAM User Permissions",\n    "Effect" : "Allow",\n    "Principal" : {\n      "AWS" : "arn:aws:iam::111122223333:root"\n    },\n    "Action" : "kms:*",\n    "Resource" : "*"\n  } ]\n}',
    'ResponseMetadata': {
        '...': '...',
    },
}