Working with Key Policies

Use the AWS SDK for Java and the following sample code to list, get, and set key policies for AWS KMS customer master keys (CMKs).

Topics

Listing Key Policy Names
Getting a Key Policy
Setting a Key Policy

Listing Key Policy Names

To list the names of key policies for a customer master key, use the ListKeyPolicies operation. Currently, the only key policy name it returns is default. For details about the Java implementation, see the listKeyPolicies method in the AWS SDK for Java API Reference.

This example uses the kmsClient client object that you created in Creating a Client.


// List key policy names
//
// Replace the fictitious key ARN with a valid key ID
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId);
ListKeyPoliciesResult result = kmsClient.listKeyPolicies(req);

Getting a Key Policy

To get information about a particular key policy of a customer master key, use the GetKeyPolicy operation. For details about the Java implementation, see the getKeyPolicy method in the AWS SDK for Java API Reference.

GetKeyPolicy requires a policy name. You can use the ListKeyPolicies operation to get the policy name, but currently, the only policy name is default.

This example uses the kmsClient client object that you created in Creating a Client.


// Get the policy for a CMK
//
// Replace the following fictitious key ARN with a valid key ID
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";

GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName);
GetKeyPolicyResult result = kmsClient.getKeyPolicy(req);

Setting a Key Policy

To establish or change a key policy for a CMK, use the PutKeyPolicy operation. For details about the Java implementation, see the putKeyPolicy method in the AWS SDK for Java API Reference.

PutKeyPolicy requires a policy name. You can use the ListKeyPolicies operation to get the policy name, but currently, the only policy name is default.

This example uses the kmsClient client object that you created in Creating a Client.


// Set a key policy for a CMK
//

// Replace the following fictitious key ARN with a valid key ID
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
String policy = "{" +
                "  \"Version\": \"2012-10-17\"," +
                "  \"Statement\": [{" +
                "    \"Sid\": \"Allow access for ExampleUser\"," +
                "    \"Effect\": \"Allow\"," +
                // Replace the following user ARN with one for a real user.
                "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
                "    \"Action\": [" +
                "      \"kms:Encrypt\"," +
                "      \"kms:GenerateDataKey*\"," +
                "      \"kms:Decrypt\"," +
                "      \"kms:DescribeKey\"," +
                "      \"kms:ReEncrypt*\"" +
                "    ]," +
                "    \"Resource\": \"*\"" +
                "  }]" +
                "}";
                
PutKeyPolicyRequest req = new PutKeyPolicyRequest().withKeyId(keyId).withPolicy(policy).withPolicyName(policyName);
kmsClient.putKeyPolicy(req);

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »