This detailed information includes the key ARN, creation date (and deletion date, if
applicable), the key state, and the origin and expiration date (if any) of the key material.
It includes fields, like KeySpec, that help you distinguish different types of
KMS keys. It also displays the key usage (encryption, signing, or generating and verifying
MACs) and the algorithms that the KMS key supports.
For multi-Region keys,
DescribeKey displays the primary key and all related replica keys. For KMS keys
in CloudHSM key stores, it includes
information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS
keys in external key stores, it
includes the custom key store ID and the ID of the external key.
DescribeKey does not return the following information:
Aliases associated with the KMS key. To get this information, use ListAliases.
Whether automatic key rotation is enabled on the KMS key. To get this information, use
GetKeyRotationStatus. Also, some key states prevent a KMS key from
being automatically rotated. For details, see How Automatic Key Rotation
Works in the Key Management Service Developer Guide.
Tags on the KMS key. To get this information, use ListResourceTags.
Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.
In general, DescribeKey is a non-mutating operation. It returns data about
KMS keys, but doesn't change them. However, Amazon Web Services services use DescribeKey to
create Amazon Web Services
managed keys from a predefined Amazon Web Services alias with no key
ID.
Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify
the key ARN or alias ARN in the value of the KeyId parameter.
Provides detailed information about a KMS key. You can run
DescribeKeyon a customer managed key or an Amazon Web Services managed key.This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like
KeySpec, that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or generating and verifying MACs) and the algorithms that the KMS key supports.For multi-Region keys,
DescribeKeydisplays the primary key and all related replica keys. For KMS keys in CloudHSM key stores, it includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in external key stores, it includes the custom key store ID and the ID of the external key.DescribeKeydoes not return the following information:Aliases associated with the KMS key. To get this information, use ListAliases.
Whether automatic key rotation is enabled on the KMS key. To get this information, use GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For details, see How Automatic Key Rotation Works in the Key Management Service Developer Guide.
Tags on the KMS key. To get this information, use ListResourceTags.
Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.
In general,
DescribeKeyis a non-mutating operation. It returns data about KMS keys, but doesn't change them. However, Amazon Web Services services useDescribeKeyto create Amazon Web Services managed keys from a predefined Amazon Web Services alias with no key ID.Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the
KeyIdparameter.Required permissions: kms:DescribeKey (key policy)
Related operations:
GetKeyPolicy
GetKeyRotationStatus
ListAliases
ListGrants
ListKeys
ListResourceTags
ListRetirableGrants
Use a bare-bones client and the command you need to make an API call.
import { KMSClient, DescribeKeyCommand } from "@aws-sdk/client-kms"; // ES Modules import // const { KMSClient, DescribeKeyCommand } = require("@aws-sdk/client-kms"); // CommonJS import const client = new KMSClient(config); const command = new DescribeKeyCommand(input); const response = await client.send(command);DescribeKeyCommandInput for command's
inputshape.DescribeKeyCommandOutput for command's
responseshape.config for KMSClient's
configshape.