Working with keys using the AWS KMS API and the AWS SDK for PHP Version 3
The primary resources in AWS Key Management Service (AWS KMS) are AWS KMS keys. You can use a KMS key to encrypt your data.
The following examples show how to:
-
Create a customer KMS key using CreateKey.
-
Generate a data key using GenerateDataKey.
-
View a KMS key using DescribeKey.
-
Get key IDs and key ARNS of KMS keys using ListKeys.
-
Enable KMS keys using EnableKey.
-
Disable KMS keys using DisableKey.
All the example code for the AWS SDK for PHP is available here on
GitHub
Credentials
Before running the example code, configure your AWS credentials, as described in Credentials. Then import the AWS SDK for PHP, as described in Basic usage.
For more information about using AWS Key Management Service (AWS KMS), see the AWS KMS Developer Guide.
Create a KMS key
To create a KMS key, use the CreateKey operation.
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); //Creates a customer master key (CMK) in the caller's AWS account. $desc = "Key for protecting critical data"; try { $result = $KmsClient->createKey([ 'Description' => $desc, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }
Generate a data key
To generate a data encryption key, use the GenerateDataKey operation. This operation returns plaintext and encrypted copies of the data key that it creates. Specify the AWS KMS key under which to generate the data key.
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $keySpec = 'AES_256'; try { $result = $KmsClient->generateDataKey([ 'KeyId' => $keyId, 'KeySpec' => $keySpec, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }
View a KMS key
To get detailed information about a KMS key, including the KMS key’s Amazon Resource Name (ARN) and key state, use the DescribeKey operation.
DescribeKey
doesn’t get aliases. To get aliases, use the ListAliases
operation.
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; try { $result = $KmsClient->describeKey([ 'KeyId' => $keyId, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }
Get the key ID and key ARNs of a KMS key
To get the ID and ARN of the KMS key, use the ListAliases operation.
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $limit = 10; try { $result = $KmsClient->listKeys([ 'Limit' => $limit, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }
Enable a KMS key
To enable a disabled KMS key, use the EnableKey operation.
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; try { $result = $KmsClient->enableKey([ 'KeyId' => $keyId, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }
Disable a KMS key
To disable a KMS key, use the DisableKey operation. Disabling a KMS key prevents it from being used.
Imports
require 'vendor/autoload.php'; use Aws\Exception\AwsException;
Sample Code
$KmsClient = new Aws\Kms\KmsClient([ 'profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-east-2' ]); $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; try { $result = $KmsClient->disableKey([ 'KeyId' => $keyId, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }