PutKeyPolicy
Attaches a key policy to the specified KMS key.
Description
The `PutKeyPolicy` operation attaches a key policy to the specified KMS key. If the key already has a policy attached, the new policy replaces the existing one.
Note
- Currently, QKMS supports only one key policy per KMS key.
- The only valid policy name is "default".
- The key policy size limit is 32 kilobytes (32768 bytes).
- For help writing and formatting a key policy, see Key Policies.
- Changes to the key policy take effect immediately.
Request Syntax
Headers
Name | Description | Required | Type |
---|---|---|---|
Content-Type | Must be "application/x-amz-json-1.1" | Yes | string |
X-Amz-Target | Must be "TrentService.PutKeyPolicy" | Yes | string |
Request Body
Name | Description | Required | Type |
---|---|---|---|
KeyId | The identifier of the KMS key to attach the key policy to. This can be the key ID or key ARN of the KMS key. | Yes | string |
PolicyName | The name of the key policy. Currently, the only valid name is "default". | Yes | string |
Policy | The key policy to attach to the KMS key. The key policy must be in JSON format. | Yes | string |
BypassPolicyLockoutSafetyCheck | A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. | No | boolean |
```http
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.PutKeyPolicy

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "PolicyName": "default",
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Enable IAM User Permissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"kms:*\",\"Resource\":\"*\"}]}",
  "BypassPolicyLockoutSafetyCheck": false
}
```
Values in italics indicate user input and should be replaced with actual values.
Examples
Example 1: Attach a key policy to a KMS key
```http
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.PutKeyPolicy

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "PolicyName": "default",
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Enable IAM User Permissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"kms:*\",\"Resource\":\"*\"}]}"
}
```
```http
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1

{}
```
Values in italics indicate variable response values.
Example 2: Attach a key policy with safety check bypass
```http
POST / HTTP/1.1
Content-Type: application/x-amz-json-1.1
X-Amz-Target: TrentService.PutKeyPolicy

{
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "PolicyName": "default",
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Enable IAM User Permissions\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:user/username\"},\"Action\":\"kms:*\",\"Resource\":\"*\"}]}",
  "BypassPolicyLockoutSafetyCheck": true
}
```
```http
HTTP/1.1 200 OK
Content-Type: application/x-amz-json-1.1

{}
```
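A pre-flight lint for a `PutKeyPolicy` request body, added here as an example and not part of QKMS. It checks the policy name and 32768-byte limit from the note above and flags a request that would leave the caller unable to call `PutKeyPolicy` again. The function names, finding codes and the `caller_arn` argument are assumptions, and the lockout test is a simplified exact-ARN match, not the service's own check.

```python
import json

MAX_POLICY_BYTES = 32768  # key policy size limit stated on this page
GRANTS_PUT = {"*", "kms:*", "kms:putkeypolicy"}
EXAMPLE_2 = {  # request body from Example 2 on this page
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "PolicyName": "default",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/username"},
        "Action": "kms:*", "Resource": "*"}]}),
    "BypassPolicyLockoutSafetyCheck": True,
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def caller_keeps_access(policy, caller_arn):
    """True if an Allow statement names caller_arn (or "*") and covers
    kms:PutKeyPolicy. Assumption: exact ARN match; Deny/Condition ignored."""
    for stmt in as_list(policy.get("Statement", [])):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = {str(a).lower() for a in as_list(stmt.get("Action", []))}
        if (caller_arn in arns or "*" in arns) and actions & GRANTS_PUT:
            return True
    return False

def lint_put_key_policy(body, caller_arn):
    """Return finding codes (hypothetical names) for a PutKeyPolicy body."""
    findings = []
    if body.get("PolicyName") != "default":
        findings.append("BAD_POLICY_NAME")
    raw = body.get("Policy")
    try:
        policy = json.loads(raw) if isinstance(raw, str) else None
    except ValueError:
        policy = None
    if not isinstance(policy, dict):
        return findings + ["POLICY_NOT_JSON_OBJECT"]
    if len(raw.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("POLICY_TOO_LARGE")
    if not caller_keeps_access(policy, caller_arn):
        findings.append("CALLER_LOCKED_OUT")
    if body.get("BypassPolicyLockoutSafetyCheck") is True:
        findings.append("BYPASS_SET")
    return findings
```

Run against Example 2 with a caller other than `user/username`, it returns both `CALLER_LOCKED_OUT` and `BYPASS_SET`, the combination that most deserves a second reviewer before the request is sent.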
Special Errors
Error Code | Description |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. |
InvalidArnException | The request was rejected because a specified ARN was not valid. |
KMSInternalException | An internal error occurred. |
KMSInvalidStateException | The request was rejected because the key state is not valid for this operation. |
LimitExceededException | The request was rejected because a quota was exceeded. |
MalformedPolicyDocumentException | The request was rejected because the specified policy document was malformed. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
UnsupportedOperationException | The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
Permissions
To use the `PutKeyPolicy` operation, you must have the following permissions:
- `kms:PutKeyPolicy` on the KMS key (specified in the policy)