Class DescribeKeyCommandProtected

Provides detailed information about a KMS key. You can run DescribeKey on a customer managed key or an Amazon Web Services managed key.

This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or generating and verifying MACs) and the algorithms that the KMS key supports.

For multi-Region keys, DescribeKey displays the primary key and all related replica keys. For KMS keys in CloudHSM key stores, it includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in external key stores, it includes the custom key store ID and the ID of the external key.

DescribeKey does not return the following information:

• Aliases associated with the KMS key. To get this information, use ListAliases.

• Whether automatic key rotation is enabled on the KMS key. To get this information, use GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For details, see How Automatic Key Rotation Works in the Key Management Service Developer Guide.

• Tags on the KMS key. To get this information, use ListResourceTags.

• Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.

In general, DescribeKey is a non-mutating operation. It returns data about KMS keys, but doesn't change them. However, Amazon Web Services services use DescribeKey to create Amazon Web Services managed keys from a predefined Amazon Web Services alias with no key ID.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:DescribeKey (key policy)

Related operations:

• GetKeyPolicy

• GetKeyRotationStatus

• ListAliases

• ListGrants

• ListKeys

• ListResourceTags

• ListRetirableGrants

Example

Use a bare-bones client and the command you need to make an API call.

import { KMSClient, DescribeKeyCommand } from "@aws-sdk/client-kms"; // ES Modules import
// const { KMSClient, DescribeKeyCommand } = require("@aws-sdk/client-kms"); // CommonJS import
const client = new KMSClient(config);
const input = { // DescribeKeyRequest
  KeyId: "STRING_VALUE", // required
  GrantTokens: [ // GrantTokenList
    "STRING_VALUE",
  ],
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
// { // DescribeKeyResponse
//   KeyMetadata: { // KeyMetadata
//     AWSAccountId: "STRING_VALUE",
//     KeyId: "STRING_VALUE", // required
//     Arn: "STRING_VALUE",
//     CreationDate: new Date("TIMESTAMP"),
//     Enabled: true || false,
//     Description: "STRING_VALUE",
//     KeyUsage: "SIGN_VERIFY" || "ENCRYPT_DECRYPT" || "GENERATE_VERIFY_MAC",
//     KeyState: "Creating" || "Enabled" || "Disabled" || "PendingDeletion" || "PendingImport" || "PendingReplicaDeletion" || "Unavailable" || "Updating",
//     DeletionDate: new Date("TIMESTAMP"),
//     ValidTo: new Date("TIMESTAMP"),
//     Origin: "AWS_KMS" || "EXTERNAL" || "AWS_CLOUDHSM" || "EXTERNAL_KEY_STORE",
//     CustomKeyStoreId: "STRING_VALUE",
//     CloudHsmClusterId: "STRING_VALUE",
//     ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
//     KeyManager: "AWS" || "CUSTOMER",
//     CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
//     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
//     EncryptionAlgorithms: [ // EncryptionAlgorithmSpecList
//       "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
//     ],
//     SigningAlgorithms: [ // SigningAlgorithmSpecList
//       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA",
//     ],
//     MultiRegion: true || false,
//     MultiRegionConfiguration: { // MultiRegionConfiguration
//       MultiRegionKeyType: "PRIMARY" || "REPLICA",
//       PrimaryKey: { // MultiRegionKey
//         Arn: "STRING_VALUE",
//         Region: "STRING_VALUE",
//       },
//       ReplicaKeys: [ // MultiRegionKeyList
//         {
//           Arn: "STRING_VALUE",
//           Region: "STRING_VALUE",
//         },
//       ],
//     },
//     PendingDeletionWindowInDays: Number("int"),
//     MacAlgorithms: [ // MacAlgorithmSpecList
//       "HMAC_SHA_224" || "HMAC_SHA_256" || "HMAC_SHA_384" || "HMAC_SHA_512",
//     ],
//     XksKeyConfiguration: { // XksKeyConfigurationType
//       Id: "STRING_VALUE",
//     },
//   },
// };

Param

DescribeKeyCommandInput

Returns

DescribeKeyCommandOutput

See

• DescribeKeyCommandInput for command's input shape.
• DescribeKeyCommandOutput for command's response shape.
• config for KMSClient's config shape.

Throws

DependencyTimeoutException (server fault)

The system timed out while trying to fulfill the request. You can retry the request.

Throws

InvalidArnException (client fault)

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

Throws

KMSInternalException (server fault)

The request was rejected because an internal exception occurred. The request can be retried.

Throws

NotFoundException (client fault)

The request was rejected because the specified entity or resource could not be found.

Throws

KMSServiceException

Base exception class for all service exceptions from KMS service.

Example

To get details about a KMS key

// The following example gets metadata for a symmetric encryption KMS key.
const input = {
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "KeyMetadata": {
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": "2017-07-05T14:04:55-07:00",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MultiRegion": false,
    "Origin": "AWS_KMS"
  }
}
*/
// example id: get-key-details-1

Example

To get details about an RSA asymmetric KMS key

// The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.
const input = {
  "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "KeyMetadata": {
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1571767572.317,
    "CustomerMasterKeySpec": "RSA_2048",
    "Description": "",
    "Enabled": false,
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeySpec": "RSA_2048",
    "KeyState": "Disabled",
    "KeyUsage": "SIGN_VERIFY",
    "MultiRegion": false,
    "Origin": "AWS_KMS",
    "SigningAlgorithms": [
      "RSASSA_PKCS1_V1_5_SHA_256",
      "RSASSA_PKCS1_V1_5_SHA_384",
      "RSASSA_PKCS1_V1_5_SHA_512",
      "RSASSA_PSS_SHA_256",
      "RSASSA_PSS_SHA_384",
      "RSASSA_PSS_SHA_512"
    ]
  }
}
*/
// example id: to-get-details-about-an-rsa-asymmetric-kms-key-2

Example

To get details about a multi-Region key

// The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key. DescribeKey returns information about the primary key and all of its replicas.
const input = {
  "KeyId": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "KeyMetadata": {
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": 1586329200.918,
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "PRIMARY",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "Region": "us-west-2"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "eu-west-1"
        },
        {
          "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "ap-northeast-1"
        },
        {
          "Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "sa-east-1"
        }
      ]
    },
    "Origin": "AWS_KMS"
  }
}
*/
// example id: to-get-details-about-a-multi-region-key-3

Example

To get details about an HMAC KMS key

// The following example gets the metadata of an HMAC KMS key.
const input = {
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "KeyMetadata": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1566160362.664,
    "CustomerMasterKeySpec": "HMAC_256",
    "Description": "Development test key",
    "Enabled": true,
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "GENERATE_VERIFY_MAC",
    "MacAlgorithms": [
      "HMAC_SHA_256"
    ],
    "MultiRegion": false,
    "Origin": "AWS_KMS"
  }
}
*/
// example id: to-get-details-about-an-hmac-kms-key-4

Example

To get details about a KMS key in an AWS CloudHSM key store

// The following example gets the metadata of a KMS key in an AWS CloudHSM key store.
const input = {
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "KeyMetadata": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CloudHsmClusterId": "cluster-234abcdefABC",
    "CreationDate": 1646160362.664,
    "CustomKeyStoreId": "cks-1234567890abcdef0",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "CloudHSM key store test key",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MultiRegion": false,
    "Origin": "AWS_CLOUDHSM"
  }
}
*/
// example id: to-get-details-about-a-kms-key-in-an-AWS-CloudHSM-key-store-5

Example

To get details about a KMS key in an external key store

// The following example gets the metadata of a KMS key in an external key store.
const input = {
  "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
};
const command = new DescribeKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "KeyMetadata": {
    "AWSAccountId": "123456789012",
    "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1646160362.664,
    "CustomKeyStoreId": "cks-1234567890abcdef0",
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "External key store test key",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MultiRegion": false,
    "Origin": "EXTERNAL_KEY_STORE",
    "XksKeyConfiguration": {
      "Id": "bb8562717f809024"
    }
  }
}
*/
// example id: to-get-details-about-a-kms-key-in-an-external-key-store-6