AWS Key Management Service
API Reference (API Version 2014-11-01)


Provides detailed information about the specified customer master key.

Request Syntax

{
   "GrantTokens": [ "string" ],
   "KeyId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


In the following list, the required parameters are described first.


KeyId

A unique identifier for the customer master key. This value can be a globally unique identifier, a fully specified ARN to either an alias or a key, or an alias name prefixed by "alias/".

  • Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

  • Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName

  • Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012

  • Alias Name Example - alias/MyAliasName

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes


GrantTokens

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: No

Response Syntax

{
   "KeyMetadata": {
      "Arn": "string",
      "AWSAccountId": "string",
      "CreationDate": number,
      "DeletionDate": number,
      "Description": "string",
      "Enabled": boolean,
      "ExpirationModel": "string",
      "KeyId": "string",
      "KeyState": "string",
      "KeyUsage": "string",
      "Origin": "string",
      "ValidTo": number
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


KeyMetadata

Metadata associated with the key.

Type: KeyMetadata object


For information about the errors that are common to all actions, see Common Errors.


The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500


The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400


The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400


The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400


The following examples are formatted for legibility.

Example Request

POST / HTTP/1.1
Host:
Content-Length: 48
X-Amz-Target: TrentService.DescribeKey
X-Amz-Date: 20161107T220837Z
Content-Type: application/x-amz-json-1.1
Authorization: AWS4-HMAC-SHA256\
 Credential=AKIAI44QH8DHBEXAMPLE/20161107/us-west-2/kms/aws4_request,\
 SignedHeaders=content-type;host;x-amz-date;x-amz-target,\
 Signature=153ffe57d38b83745cb3d3c6a2ca67835747ed64ed99c07481e464ab0f77f22c

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OK
Server: Server
Date: Mon, 07 Nov 2016 22:08:38 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 311
Connection: keep-alive
x-amzn-RequestId: bc0c2c4d-a536-11e6-a265-d3aef78e1a90

{
  "KeyMetadata": {
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1.444675507571E9,
    "Description": "",
    "Enabled": true,
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS"
  }
}
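The following Python sketch is an added example, not AWS code: it checks a DescribeKey request against the constraints documented above before it is sent, and reviews a returned KeyMetadata object for keys that cannot be relied on. The regular expressions are assumptions modelled on the four KeyId examples on this page, and the "PendingDeletion" key state and the sample response are constructed for illustration.

```python
import json
import re

# KeyId forms from the parameter description; patterns are assumptions
# modelled on this page's examples, not an official grammar.
_UUID = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
KEY_ID_FORMS = {
    "key_arn": re.compile(rf"arn:aws:kms:[a-z0-9-]+:\d{{12}}:key/{_UUID}"),
    "alias_arn": re.compile(r"arn:aws:kms:[a-z0-9-]+:\d{12}:alias/[A-Za-z0-9/_-]+"),
    "key_id": re.compile(_UUID),
    "alias_name": re.compile(r"alias/[A-Za-z0-9/_-]+"),
}

def build_request(key_id, grant_tokens=()):
    """Return (KeyId form, JSON body); raise ValueError on a constraint violation."""
    if not 1 <= len(key_id) <= 2048:
        raise ValueError("KeyId length must be 1..2048")
    form = next((n for n, rx in KEY_ID_FORMS.items() if rx.fullmatch(key_id)), None)
    if form is None:
        raise ValueError("KeyId is not one of the four documented forms")
    if len(grant_tokens) > 10 or any(not 1 <= len(t) <= 8192 for t in grant_tokens):
        raise ValueError("GrantTokens: at most 10 items, each 1..8192 characters")
    body = {"KeyId": key_id}
    if grant_tokens:
        body["GrantTokens"] = list(grant_tokens)
    return form, json.dumps(body)

def audit_key_metadata(response_body, now):
    """Return findings for a DescribeKey response body; `now` is epoch seconds."""
    meta = json.loads(response_body)["KeyMetadata"]
    findings = []
    if not meta.get("Enabled") or meta.get("KeyState") != "Enabled":
        findings.append(f"key not usable: KeyState={meta.get('KeyState')}")
    if "DeletionDate" in meta:
        findings.append("key is scheduled for deletion")
    if "ValidTo" in meta and meta["ValidTo"] <= now:
        findings.append("imported key material has expired")
    return findings

# Constructed response for a key that is pending deletion (not from the page).
PENDING = ('{"KeyMetadata": {"Enabled": false, "KeyState": "PendingDeletion", '
           '"DeletionDate": 1.48E9, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}}')

if __name__ == "__main__":
    print(build_request("alias/MyAliasName"))
    print(audit_key_metadata(PENDING, now=1.47e9))
```

When the request names an alias, the KeyId and Arn in the response identify the key the alias currently points to, so record those rather than the alias when logging the result.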
