PutKeyPolicyCommand
Attaches a key policy to the specified KMS key.
For more information about key policies, see Key Policies in the Key Management Service Developer Guide. For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the Identity and Access Management User Guide. For examples of adding a key policy in multiple programming languages, see Setting a key policy in the Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions: kms:PutKeyPolicy (key policy)
Related operations: GetKeyPolicy
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
Example Syntax
Use a bare-bones client and the command you need to make an API call.
```javascript
import { KMSClient, PutKeyPolicyCommand } from "@aws-sdk/client-kms"; // ES Modules import
// const { KMSClient, PutKeyPolicyCommand } = require("@aws-sdk/client-kms"); // CommonJS import
const client = new KMSClient(config);
const input = { // PutKeyPolicyRequest
  KeyId: "STRING_VALUE", // required
  PolicyName: "STRING_VALUE",
  Policy: "STRING_VALUE", // required
  BypassPolicyLockoutSafetyCheck: true || false,
};
const command = new PutKeyPolicyCommand(input);
const response = await client.send(command);
// {};
```
Example Usage
PutKeyPolicyCommand Input
Parameter | Type | Description |
---|---|---|
KeyId Required | string | undefined | Sets the key policy on the specified KMS key. Specify the key ID or key ARN of the KMS key. For example:
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. |
Policy Required | string | undefined | The key policy to attach to the KMS key. The key policy must meet the following criteria:
A key policy document can include only the following characters:
For information about key policies, see Key policies in KMS in the Key Management Service Developer Guide. For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in the Identity and Access Management User Guide. |
BypassPolicyLockoutSafetyCheck | boolean | undefined | Skips ("bypasses") the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see Default key policy in the Key Management Service Developer Guide. Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the KMS key. |
PolicyName | string | undefined | The name of the key policy. If no policy name is specified, the default value is |
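
The lockout risk described for BypassPolicyLockoutSafetyCheck can also be caught on the client before the request is sent. The following is an added example, not code from the SDK or this page: a simplified local pre-flight that refuses a policy document unless the caller (or the account root) keeps kms:PutKeyPolicy, and always leaves the bypass flag false. The helper names, account ID, role names and key ID are constructed for illustration, and the check assumes the caller ARN is written in the policy exactly as passed in.

```javascript
// Added example: local lockout pre-flight for PutKeyPolicy (simplified; not KMS's own check).
const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may contain * and ? wildcards.
function actionMatches(pattern, action) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, "i").test(action);
}

// True only if an unconditional Allow grants kms:PutKeyPolicy to the caller or the
// account root, and no Deny statement could cover that action (conservative).
function callerKeepsPutKeyPolicy(policy, callerArn) {
  const [, partition, , , account] = callerArn.split(":");
  const trusted = new Set([callerArn, `arn:${partition}:iam::${account}:root`, account]);
  const stmts = toList(policy.Statement);
  const hits = (s) => toList(s.Action).some((a) => actionMatches(a, "kms:PutKeyPolicy"));
  if (stmts.some((s) => s.Effect === "Deny" && (hits(s) || s.NotAction))) return false;
  return stmts.some((s) =>
    s.Effect === "Allow" && !s.Condition && hits(s) &&
    toList(s.Principal && s.Principal.AWS).some((p) => trusted.has(p)));
}

// Parses the document, refuses a policy that fails the check, and never sets the bypass flag.
function buildPutKeyPolicyInput(keyId, policyJson, callerArn) {
  const policy = JSON.parse(policyJson); // malformed JSON throws before any API call
  if (!callerKeepsPutKeyPolicy(policy, callerArn)) {
    throw new Error("policy would remove the caller's kms:PutKeyPolicy access");
  }
  return { KeyId: keyId, Policy: policyJson, BypassPolicyLockoutSafetyCheck: false };
}

// Constructed sample values: account ID, role names and key ID are placeholders.
const CALLER = "arn:aws:iam::111122223333:role/KeyAdmin";
const KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab";
const useOnly = { Sid: "Use", Effect: "Allow", Resource: "*",
  Principal: { AWS: "arn:aws:iam::111122223333:role/App" },
  Action: ["kms:Encrypt", "kms:Decrypt"] };
const admin = { Sid: "Admin", Effect: "Allow", Resource: "*",
  Principal: { AWS: CALLER }, Action: ["kms:Describe*", "kms:Put*"] };
const goodPolicy = JSON.stringify({ Version: "2012-10-17", Statement: [admin, useOnly] });
const lockoutPolicy = JSON.stringify({ Version: "2012-10-17", Statement: [useOnly] });

const input = buildPutKeyPolicyInput(KEY_ID, goodPolicy, CALLER);
console.log(input.KeyId, "bypass:", input.BypassPolicyLockoutSafetyCheck);
// With the SDK client from the syntax above: await client.send(new PutKeyPolicyCommand(input));
```

The pre-flight does not evaluate Condition keys, NotPrincipal or IAM identity policies, so it rejects some policies that KMS would accept; the service-side safety check still applies because the bypass flag stays false.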
PutKeyPolicyCommand Output
Parameter | Type | Description |
---|---|---|
$metadata Required | ResponseMetadata | Metadata pertaining to this request. |
Throws
Name | Fault | Details |
---|---|---|
DependencyTimeoutException | server | The system timed out while trying to fulfill the request. You can retry the request. |
InvalidArnException | client | The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. |
KMSInternalException | server | The request was rejected because an internal exception occurred. The request can be retried. |
KMSInvalidStateException | client | The request was rejected because the state of the specified resource is not valid for this request. This exception means one of the following:
|
LimitExceededException | client | The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide. |
MalformedPolicyDocumentException | client | The request was rejected because the specified policy is not syntactically or semantically correct. |
NotFoundException | client | The request was rejected because the specified entity or resource could not be found. |
UnsupportedOperationException | client | The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
KMSServiceException | | Base exception class for all service exceptions from KMS service. |