GetKeyPolicy
Gets a key policy attached to the specified KMS key.
Description
The `GetKeyPolicy` operation retrieves a key policy attached to a KMS key. By default, this operation returns the default key policy.
Note
- The KMS key that you use for this operation must be in a compatible key state.
- The policy document returned by this operation is the actual policy that is in effect, not a template or default policy.
- If you specify a policy name other than the default policy, the operation fails unless that policy exists.
Request Syntax
Headers
Name | Description | Required | Type |
---|---|---|---|
Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
X-Amz-Target | Must be "TrentService.GetKeyPolicy" | Yes | string |
Request Body
Name | Description | Required | Type |
---|---|---|---|
KeyId | The identifier of the KMS key whose key policy you want to retrieve. This can be the key ID or key ARN of the KMS key. | Yes | string |
PolicyName | Specifies the name of the key policy to retrieve. Currently, the only valid name is "default". | Yes | string |
```
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.GetKeyPolicy

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "PolicyName": "default"
}
```
Values in italics indicate user input and should be replaced with actual values.
Examples
Example 1: Get the default key policy for a KMS key
```
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.GetKeyPolicy

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "PolicyName": "default"
}
```
```
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1

{
  "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"key-default-1\",\"Statement\":[{\"Sid\":\"Enable IAM User Permissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"kms:*\",\"Resource\":\"*\"}]}"
}
```
Values in italics indicate variable response values.
Response Elements
Name | Description | Required | Type |
---|---|---|---|
Policy | A key policy document in JSON format. | No | String |
Special Errors
Error Code | Description |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. |
InvalidArnException | The request was rejected because a specified ARN was not valid. |
KMSInternalException | An internal error occurred. |
KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
Permissions
To use the `GetKeyPolicy` operation, you must have the following permissions:
- `kms:GetKeyPolicy` on the KMS key (specified in the policy)