Java
For details, see the putKeyPolicy method in the AWS SDK for Java API Reference.
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.PutKeyPolicyRequest;

// Set a key policy for a CMK
//
// Assumes an AWSKMS client named kmsClient, for example:
//   AWSKMS kmsClient = AWSKMSClientBuilder.defaultClient();
//
// Replace the following example key ARN with a valid key ID or key ARN
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String policyName = "default";
String policy = "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [{" +
    "    \"Sid\": \"Allow access for ExampleUser\"," +
    "    \"Effect\": \"Allow\"," +
    // Replace the following example user ARN with a valid one
    "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
    "    \"Action\": [" +
    "      \"kms:Encrypt\"," +
    "      \"kms:GenerateDataKey*\"," +
    "      \"kms:Decrypt\"," +
    "      \"kms:DescribeKey\"," +
    "      \"kms:ReEncrypt*\"" +
    "    ]," +
    "    \"Resource\": \"*\"" +
    "  }]" +
    "}";

PutKeyPolicyRequest req = new PutKeyPolicyRequest()
    .withKeyId(keyId)
    .withPolicy(policy)
    .withPolicyName(policyName);
kmsClient.putKeyPolicy(req);
C#
For details, see the PutKeyPolicy method in the AWS SDK for .NET.
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

// Set a key policy for a CMK
//
// Assumes a client named kmsClient, for example:
//   var kmsClient = new AmazonKeyManagementServiceClient();
//
// Replace the following example key ARN with a valid key ID or key ARN
string keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
string policyName = "default";
string policy = "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [{" +
    "    \"Sid\": \"Allow access for ExampleUser\"," +
    "    \"Effect\": \"Allow\"," +
    // Replace the following example user ARN with a valid one
    "    \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ExampleUser\"}," +
    "    \"Action\": [" +
    "      \"kms:Encrypt\"," +
    "      \"kms:GenerateDataKey*\"," +
    "      \"kms:Decrypt\"," +
    "      \"kms:DescribeKey\"," +
    "      \"kms:ReEncrypt*\"" +
    "    ]," +
    "    \"Resource\": \"*\"" +
    "  }]" +
    "}";

PutKeyPolicyRequest putKeyPolicyRequest = new PutKeyPolicyRequest()
{
    KeyId = keyId,
    Policy = policy,
    PolicyName = policyName
};
kmsClient.PutKeyPolicy(putKeyPolicyRequest);
Python
For details, see the put_key_policy method in the AWS SDK for Python (Boto3).
import boto3

# Set a key policy for a CMK
# Assumes a client named kms_client, for example: kms_client = boto3.client('kms')
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
# Replace the example user ARN in the policy with a valid one
policy = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow access for ExampleUser",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
    "Action": [
      "kms:Encrypt",
      "kms:GenerateDataKey*",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:ReEncrypt*"
    ],
    "Resource": "*"
  }]
}"""
response = kms_client.put_key_policy(
    KeyId=key_id,
    Policy=policy,
    PolicyName=policy_name
)
Ruby
For details, see the put_key_policy instance method in the AWS SDK for Ruby.
require 'aws-sdk-kms'

# Set a key policy for a CMK
# Assumes a client named kms_client, for example: kms_client = Aws::KMS::Client.new
# Replace the following example key ARN with a valid key ID or key ARN
key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
policy_name = 'default'
# Replace the example user ARN in the policy with a valid one
policy = <<~POLICY
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "Allow access for ExampleUser",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }]
  }
POLICY
response = kms_client.put_key_policy({
  key_id: key_id,
  policy: policy,
  policy_name: policy_name
})
PHP
For details, see the PutKeyPolicy method in the AWS SDK for PHP.
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;

// Set a key policy for a CMK
//
// Assumes a client named $KmsClient, for example:
//   $KmsClient = new KmsClient(['region' => 'us-west-2', 'version' => 'latest']);
//
// Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = 'default';
// The first statement keeps the account root (arn:aws:iam::<account>:root) in control
// of the key; the second grants ExampleUser the listed actions. Each Sid must be unique.
$result = $KmsClient->putKeyPolicy([
    'KeyId' => $keyId,
    'PolicyName' => $policyName,
    'Policy' => '{
        "Version": "2012-10-17",
        "Id": "custom-policy-2016-12-07",
        "Statement": [
            { "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal":
                { "AWS": "arn:aws:iam::111122223333:root" },
              "Action": [ "kms:*" ],
              "Resource": "*" },
            { "Sid": "Allow access for ExampleUser",
              "Effect": "Allow",
              "Principal":
                { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
              "Action": [
                "kms:Encrypt*",
                "kms:GenerateDataKey*",
                "kms:Decrypt*",
                "kms:DescribeKey*",
                "kms:ReEncrypt*"
              ],
              "Resource": "*" }
        ]
    }'
]);
Node.js
For details, see the putKeyPolicy property in the AWS SDK for Node.js.
const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2
// Assumes a client named kmsClient, for example:
const kmsClient = new AWS.KMS();

// Set a key policy for a CMK
//
// Replace the following example key ARN with a valid key ID or key ARN
const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
const PolicyName = 'default';
// The first statement keeps the account root in control of the key; the second
// grants ExampleUser the listed actions. Each Sid must be unique within the policy.
const Policy = `{
  "Version": "2012-10-17",
  "Id": "custom-policy-2016-12-07",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for ExampleUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:GenerateDataKey*",
        "kms:Decrypt*",
        "kms:DescribeKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  ]
}`; // The key policy document
kmsClient.putKeyPolicy({ KeyId, Policy, PolicyName }, (err, data) => {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data); // successful response (PutKeyPolicy returns no data)
});
PowerShell
To set a key policy for a CMK, use the Write-KMSKeyPolicy cmdlet. This cmdlet doesn't return any output. To verify that the command was effective, use the Get-KMSKeyPolicy cmdlet.

The Policy parameter takes a string. Enclose the string in single quotes to make it a literal string. You don't have to use continuation characters or escape characters in the literal string.
# Set a key policy for a CMK
# Replace the following example key ARN with a valid key ID or key ARN
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'
$policyName = 'default'
# The first statement keeps the account root in control of the key; the second
# grants ExampleUser the listed actions. Each Sid must be unique within the policy.
$policy = '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for ExampleUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:GenerateDataKey*",
        "kms:Decrypt*",
        "kms:DescribeKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*"
    }
  ]
}'
Write-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName -Policy $policy
To use the AWS KMS PowerShell cmdlets, install the AWS.Tools.KeyManagementService module. For more information, see the AWS Tools for Windows PowerShell User Guide.
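Every variant above hands KMS the policy document verbatim, so a practitioner normally lints the document before calling put_key_policy and reads it back afterwards, the step the PowerShell section performs with Get-KMSKeyPolicy. The Python helper below is an added example, not code from the AWS KMS Developer Guide or from Boto3: lint_key_policy, put_and_verify, ROOT_ARN and SAMPLE_POLICY are names chosen here, SAMPLE_POLICY is a constructed document, and kms_client is assumed to be a Boto3 KMS client (put_key_policy and get_key_policy are its real method names). It flags duplicate Sids, an Allow for any principal without a Condition, and a policy that never grants kms:* to the account root, which leaves IAM policies unable to grant access to the key.

```python
import json

ACCOUNT_ID = "111122223333"  # example account id used in the page's ARNs
ROOT_ARN = f"arn:aws:iam::{ACCOUNT_ID}:root"
# Constructed sample: the page's two-statement policy shape, but with unique Sids.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for ExampleUser", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/ExampleUser"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                "kms:DescribeKey", "kms:ReEncrypt*"], "Resource": "*"},
]})


def lint_key_policy(policy_text, root_arn=ROOT_ARN):
    """Return a list of findings for a key policy document; [] means it passed."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    findings = []
    sids = [s["Sid"] for s in statements if "Sid" in s]
    for sid in sorted({s for s in sids if sids.count(s) > 1}):
        findings.append(f"duplicate Sid '{sid}'")
    root_has_full_access = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if root_arn in aws and "kms:*" in actions:
            root_has_full_access = True
        if "*" in aws and "Condition" not in stmt:
            findings.append(f"statement '{stmt.get('Sid')}' allows any principal without a Condition")
    if not root_has_full_access:
        findings.append(f"no Allow statement grants kms:* to {root_arn}; "
                        "IAM policies alone cannot grant access to this key")
    return findings


def put_and_verify(kms_client, key_id, policy_text, policy_name="default"):
    """Refuse a policy with findings; otherwise set it and read it back to compare."""
    findings = lint_key_policy(policy_text)
    if findings:
        raise ValueError("; ".join(findings))
    kms_client.put_key_policy(KeyId=key_id, PolicyName=policy_name, Policy=policy_text)
    stored = kms_client.get_key_policy(KeyId=key_id, PolicyName=policy_name)["Policy"]
    return json.loads(stored) == json.loads(policy_text)
```

Run over the single-statement policy used by the Java through Ruby examples, lint_key_policy reports the missing root statement and put_and_verify refuses to send it.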