AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Provides detailed information about a KMS key. You can run DescribeKey
on a
customer
managed key or an Amazon
Web Services managed key.
This detailed information includes the key ARN, creation date (and deletion date,
if applicable), the key state, and the origin and expiration date (if any) of the
key material. It includes fields, like KeySpec
, that help you distinguish different
types of KMS keys. It also displays the key usage (encryption, signing, or generating
and verifying MACs) and the algorithms that the KMS key supports.
For multi-Region
keys, DescribeKey
displays the primary key and all related replica keys.
For KMS keys in CloudHSM
key stores, it includes information about the key store, such as the key store
ID and the CloudHSM cluster ID. For KMS keys in external
key stores, it includes the custom key store ID and the ID of the external key.
DescribeKey
does not return the following information:
Aliases associated with the KMS key. To get this information, use ListAliases.
Whether automatic key rotation is enabled on the KMS key. To get this information, use GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For details, see How Automatic Key Rotation Works in the Key Management Service Developer Guide.
Tags on the KMS key. To get this information, use ListResourceTags.
Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.
In general, DescribeKey
is a non-mutating operation. It returns data about
KMS keys, but doesn't change them. However, Amazon Web Services services use DescribeKey
to create Amazon
Web Services managed keys from a predefined Amazon Web Services alias with
no key ID.
Cross-account use: Yes. To perform this operation with a KMS key in a different
Amazon Web Services account, specify the key ARN or alias ARN in the value of the
KeyId
parameter.
Required permissions: kms:DescribeKey (key policy)
Related operations:
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
This is an asynchronous operation using the standard naming convention for .NET 4.5 or higher. For .NET 3.5 the operation is implemented as a pair of methods using the standard naming convention of BeginDescribeKey and EndDescribeKey.
Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z
public virtual Task<DescribeKeyResponse> DescribeKeyAsync( DescribeKeyRequest request, CancellationToken cancellationToken )
Container for the necessary parameters to execute the DescribeKey service method.
A cancellation token that can be used by other objects or threads to receive notice of cancellation.
Exception | Condition |
---|---|
DependencyTimeoutException | The system timed out while trying to fulfill the request. You can retry the request. |
InvalidArnException | The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. |
KMSInternalException | The request was rejected because an internal exception occurred. The request can be retried. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
.NET:
Supported in: 8.0 and newer, Core 3.1
.NET Standard:
Supported in: 2.0
.NET Framework:
Supported in: 4.5 and newer