AWS CLI Command Reference

Navigation

Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . kms ]

get-key-policy

Description

Gets a key policy attached to the specified customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  get-key-policy
--key-id <value>
--policy-name <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--key-id (string)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey .

--policy-name (string)

Specifies the name of the key policy. The only valid name is default . To get the names of key policies, use ListKeyPolicies .

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Examples

To copy a key policy from one CMK to another CMK

The following get-key-policy example gets the key policy from one CMK and saves it in a text file. Then, it replaces the policy of a different CMK using the text file as the policy input. Because the --policy parameter of put-key-policy requires a string, you must use the --output text option to return the output as a text string instead of JSON. Before running these commands, replace the example key IDs with valid ones from your AWS account.

aws kms get-key-policy \
    --policy-name default \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --query Policy \
    --output text > policy.txt

aws kms put-key-policy \
    --policy-name default \
    --key-id 0987dcba-09fe-87dc-65ba-ab0987654321 \
    --policy file://policy.txt

This command produces no output.

For more information, see PutKeyPolicy in the AWS KMS API Reference.

Output

Policy -> (string)

A key policy document in JSON format.

Navigation

© Copyright 2018, Amazon Web Services. Created using Sphinx.