AWS Key Management Service
API Reference (API Version 2014-11-01)

DescribeKey


Provides detailed information about the specified customer master key (CMK).

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Request Syntax

{
   "GrantTokens": [ "string" ],
   "KeyId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


In the following list, the required parameters are described first.


KeyId

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When using an alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use the key ARN or alias ARN.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

  • Alias name: alias/ExampleAlias

  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To get the alias name and alias ARN, use ListAliases.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes


GrantTokens

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: No

Response Syntax

{
   "KeyMetadata": {
      "Arn": "string",
      "AWSAccountId": "string",
      "CreationDate": number,
      "DeletionDate": number,
      "Description": "string",
      "Enabled": boolean,
      "ExpirationModel": "string",
      "KeyId": "string",
      "KeyManager": "string",
      "KeyState": "string",
      "KeyUsage": "string",
      "Origin": "string",
      "ValidTo": number
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


KeyMetadata

Metadata associated with the key.

Type: KeyMetadata object


Errors

For information about the errors that are common to all actions, see Common Errors.


The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500


The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400


The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400


The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400


The following examples are formatted for legibility.

Example Request

POST / HTTP/1.1
Host:
Content-Length: 49
X-Amz-Target: TrentService.DescribeKey
X-Amz-Date: 20170705T211529Z
Authorization: AWS4-HMAC-SHA256\
 Credential=AKIAI44QH8DHBEXAMPLE/20170705/us-east-2/kms/aws4_request,\
 SignedHeaders=content-type;host;x-amz-date;x-amz-target,\
 Signature=6bcb6a5ef9ee7585d83955e8a5c3f6d47cf581596208fc0e436fa1de26ef3f6a
Content-Type: application/x-amz-json-1.1

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OK
Server: Server
Date: Wed, 05 Jul 2017 21:15:30 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 335
Connection: keep-alive
x-amzn-RequestId: 13230ddb-61c7-11e7-af6f-c5b105d7a982

{
  "KeyMetadata": {
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": 1.499288695918E9,
    "Description": "",
    "Enabled": true,
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Origin": "AWS_KMS"
  }
}
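The following is an added example, not part of the AWS reference or any AWS SDK. It validates a DescribeKey request against the constraints documented above (KeyId forms and length, the ARN requirement for cross-account use, GrantTokens limits) and then checks that the returned KeyMetadata belongs to the expected account and is enabled. The function names, the caller_account and owner_account parameters, and the regular expressions (inferred from the four example identifiers on this page) are assumptions.

```python
import json
import re

# Added example: names are illustrative. Patterns are inferred from the page's
# four example identifiers (an assumption, not an official AWS grammar).
UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
ARN = r"arn:aws:kms:[a-z0-9-]+:(\d{12}):"
FORMS = [
    ("key_id", re.compile(UUID)),
    ("key_arn", re.compile(ARN + "key/" + UUID)),
    ("alias_name", re.compile(r"alias/[A-Za-z0-9/_-]+")),
    ("alias_arn", re.compile(ARN + r"alias/[A-Za-z0-9/_-]+")),
]

def classify_key_id(value):
    """Return (form, account); account is None unless the value is an ARN."""
    if not 1 <= len(value) <= 2048:
        raise ValueError("KeyId length must be 1..2048")
    for form, pattern in FORMS:
        m = pattern.fullmatch(value)
        if m:
            return form, (m.group(1) if m.groups() else None)
    raise ValueError("KeyId is not a key ID, key ARN, alias name or alias ARN")

def build_request(key_id, caller_account, owner_account, grant_tokens=()):
    """Validate inputs against the documented constraints; return the JSON body."""
    form, arn_account = classify_key_id(key_id)
    if arn_account is None and owner_account != caller_account:
        raise ValueError("cross-account DescribeKey needs a key ARN or alias ARN")
    if arn_account is not None and arn_account != owner_account:
        raise ValueError("ARN account does not match the expected owner")
    if len(grant_tokens) > 10 or any(not 1 <= len(t) <= 8192 for t in grant_tokens):
        raise ValueError("GrantTokens: at most 10 items, each 1..8192 characters")
    body = {"KeyId": key_id}
    if grant_tokens:
        body["GrantTokens"] = list(grant_tokens)
    return json.dumps(body)

def review_response(response_body, owner_account):
    """Return findings for a DescribeKey response body (empty list means clean)."""
    meta = json.loads(response_body)["KeyMetadata"]
    findings = []
    if meta["AWSAccountId"] != owner_account:
        findings.append("key belongs to account " + meta["AWSAccountId"])
    if not meta["Enabled"] or meta["KeyState"] != "Enabled":
        findings.append("key is not usable: state " + meta["KeyState"])
    return findings
```

A key ID or alias name carries no account, so comparing AWSAccountId in the response against the account you expect is what confirms which key was actually described.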
