Menu
AWS Key Management Service
API Reference (API Version 2014-11-01)

ListKeyPolicies

Gets the names of the key policies that are attached to a customer master key (CMK). This operation is designed to get policy names that you can use in a GetKeyPolicy operation. However, the only valid policy name is default. You cannot perform this operation on a CMK in a different AWS account.

Request Syntax

Copy
{ "KeyId": "string", "Limit": number, "Marker": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Note

In the following list, the required parameters are described first.

KeyId

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Limit

Use this parameter to specify the maximum number of items to return. When this value is present, AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 1000, inclusive. If you do not include a value, it defaults to 100.

Currently only 1 policy can be attached to a key.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

Marker

Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextMarker from the truncated response you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 320.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax

Copy
{ "NextMarker": "string", "PolicyNames": [ "string" ], "Truncated": boolean }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextMarker

When Truncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 320.

Pattern: [\u0020-\u00FF]*

PolicyNames

A list of policy names. Currently, there is only one policy and it is named "Default".

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w]+

Truncated

A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in this response to the Marker parameter in a subsequent request.

Type: Boolean

Errors

For information about the errors that are common to all actions, see Common Errors.

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400

KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Use of a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400

NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

Examples

The following examples are formatted for legibility.

Example Request

Copy
POST / HTTP/1.1 Host: kms.us-east-2.amazonaws.com Content-Length: 49 X-Amz-Target: TrentService.ListKeyPolicies X-Amz-Date: 20161206T235923Z Content-Type: application/x-amz-json-1.1 Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161206/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=82fe067c53d0dfff36793b8b6ef2d82d8adf0f1c05016bf4b4d6c50563ec7033 {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

Copy
HTTP/1.1 200 OK Server: Server Date: Tue, 06 Dec 2016 23:59:24 GMT Content-Type: application/x-amz-json-1.1 Content-Length: 45 Connection: keep-alive x-amzn-RequestId: 036f8e4b-bc10-11e6-b60b-ffb5eb2d1d15 { "PolicyNames": ["default"], "Truncated": false }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: