AWS Key Management Service
Developer Guide

Working with Key Policies

Use the AWS SDK for Java and the following sample code to list, retrieve, and set key policies for AWS KMS customer master keys (CMKs). This sample code requires that you previously instantiated an AWSKMSClient as kms.

Listing Key Policies

Use a ListKeyPoliciesRequest to list the key policies for a CMK.

import com.amazonaws.services.kms.model.ListKeyPoliciesRequest;
import com.amazonaws.services.kms.model.ListKeyPoliciesResult;

// Listing key policies
//
// Input Parameters:
// keyId - A unique identifier for the CMK. This value can be a globally unique identifier, a
//         fully specified ARN to either an alias or a key, or an alias name prefixed by
//         "alias/".
//   - Key ARN Example - arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
//   - Alias ARN Example - arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias
//   - Globally Unique Key ID Example - 1234abcd-12ab-34cd-56ef-1234567890ab
//   - Alias Name Example - alias/ExampleAlias
//
// Return Values:
// A list of the key policy names for the CMK (ListKeyPoliciesResult.getPolicyNames()).
//
// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId);
ListKeyPoliciesResult result = kms.listKeyPolicies(req);

Retrieving a Key Policy

Use a GetKeyPolicyRequest to retrieve a key policy.

import com.amazonaws.services.kms.model.GetKeyPolicyRequest;
import com.amazonaws.services.kms.model.GetKeyPolicyResult;

// Retrieving a key policy
//
// Input Parameters:
// keyId - A unique identifier for the CMK for which to return the key policy. This value
//         can be a globally unique identifier or the fully specified ARN for a CMK.
//   - Key ARN Example - arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
//   - Globally Unique Key ID Example - 1234abcd-12ab-34cd-56ef-1234567890ab
// policyName - String that contains the name of the policy. Currently, this must be "default".
//
// Return Values:
// A key policy (the JSON policy document is available through GetKeyPolicyResult.getPolicy()).
//
// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";

GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName);
GetKeyPolicyResult result = kms.getKeyPolicy(req);

Setting a Key Policy

Use a PutKeyPolicyRequest to set a key policy for a CMK.

import com.amazonaws.services.kms.model.PutKeyPolicyRequest;

// Setting a key policy for a CMK
//
// Input Parameters:
// keyId - A unique identifier for the CMK. This value can be a globally unique identifier
//         or the fully specified ARN to a CMK.
//   - Key ARN Example - arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
//   - Globally Unique Key ID Example - 1234abcd-12ab-34cd-56ef-1234567890ab
// policyName - Name of the policy to use. Currently, the only supported name is "default".
// policy - The policy to use. This is required and delegates back to the account. The CMK
//          is the root of trust. The policy size limit is 32 KiB (32768 bytes).
//
// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";

// In a key policy, "Resource": "*" refers to the CMK the policy is attached to.
String policy = "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [{" +
    "    \"Sid\": \"Allow access for ExampleUser\"," +
    "    \"Effect\": \"Allow\"," +
    // Replace the following user ARN with one for a real user.
    "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
    "    \"Action\": [" +
    "      \"kms:Encrypt\"," +
    "      \"kms:GenerateDataKey*\"," +
    "      \"kms:Decrypt\"," +
    "      \"kms:DescribeKey\"," +
    "      \"kms:ReEncrypt*\"" +
    "    ]," +
    "    \"Resource\": \"*\"" +
    "  }]" +
    "}";

PutKeyPolicyRequest req = new PutKeyPolicyRequest()
    .withKeyId(keyId)
    .withPolicy(policy)
    .withPolicyName(policyName);
kms.putKeyPolicy(req);