Provides detailed information about a KMS key. You can run
on a customer managed key
or an Amazon Web Services managed key
This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like
, that help you distinguish symmetric from asymmetric KMS keys. It also provides information that is particularly important to asymmetric keys, such as the key usage (encryption or signing) and the encryption algorithms or signing algorithms that the KMS key supports. For KMS keys in custom key stores, it includes information about the custom key store, such as the key store ID and the CloudHSM cluster ID. For multi-Region keys, it displays the primary key and all related replica keys.
does not return the following information:
- Aliases associated with the KMS key. To get this information, use ListAliases.
- Whether automatic key rotation is enabled on the KMS key. To get this information, use GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For details, see How Automatic Key Rotation Works in Key Management Service Developer Guide.
- Tags on the KMS key. To get this information, use ListResourceTags.
- Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.
If you call the
operation on a predefined Amazon Web Services alias
, that is, an Amazon Web Services alias with no key ID, KMS creates an Amazon Web Services managed key
. Then, it associates the alias with the new KMS key, and returns the
of the new KMS key in the response. Cross-account use
: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the
parameter. Required permissions
(key policy) Related operations: