本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用密钥策略
本主题中的示例使用 AWS KMS API 查看和更改 AWS KMS keys 的密钥策略。
有关如何使用密钥政策、IAM policy 管理和授权对您的 KMS 密钥的访问的详细信息,请参阅 AWS KMS 的身份验证和访问控制。有关编写和格式化 JSON 策略文档的帮助,请参阅 IAM 用户指南中的 IAM JSON 策略参考。
列出密钥策略名称
要获取的密钥策略的名称AWS KMS key,请使用ListKeyPolicies操作。它返回的唯一密钥策略名称是 default。
在需要客户端对象的语言中,这些示例使用您在 创建客户端 中创建的 AWS KMS 客户端对象。
- Java
-
有关 Java 实现的详细信息,请参阅《AWS SDK for JavaAPI 参考》中的listKeyPolicies 方法。
// List key policies // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; ListKeyPoliciesRequest req = new ListKeyPoliciesRequest().withKeyId(keyId); ListKeyPoliciesResult result = kmsClient.listKeyPolicies(req); - C#
-
有关详细信息,请参阅 AWS SDK for .NET 中的 ListKeyPolicies 方法。
// List key policies // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; ListKeyPoliciesRequest listKeyPoliciesRequest = new ListKeyPoliciesRequest() { KeyId = keyId }; ListKeyPoliciesResponse listKeyPoliciesResponse = kmsClient.ListKeyPolicies(listKeyPoliciesRequest); - Python
-
有关详细信息,请参阅 AWS SDK for Python (Boto3) 中的
list_key_policies方法。 # List key policies # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' response = kms_client.list_key_policies( KeyId=key_id ) - Ruby
-
有关详细信息,请参阅 AWS SDK for Ruby 中的
list_key_policies实例方法。# List key policies # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' response = kmsClient.list_key_policies({ key_id: key_id }) - PHP
-
有关详细信息,请参阅 AWS SDK for PHP 中的 ListKeyPolicies 方法。
// List key policies // // Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $result = $KmsClient->listKeyPolicies([ 'KeyId' => $keyId ]); - Node.js
-
有关详细信息,请参阅 Node.js AWS 软件开发工具包 JavaScript 中的listKeyPolicies 属性。
// List key policies // // Replace the following example key ARN with a valid key ID or key ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; kmsClient.listKeyPolicies({ KeyId }, (err, data) => { ... }); - PowerShell
要列出默认密钥策略的名称,请使用 get-KMS cmdlet KeyPolicyList。
# List key policies # Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' $response = Get-KMSKeyPolicyList -KeyId $keyId要使用 AWS KMS PowerShell cmdlet,请安装 aws.Tools。 KeyManagementService
模块。有关更多信息,请参阅 AWS Tools for Windows PowerShell 用户指南。
获取密钥策略
要获取的密钥策略AWS KMS key,请使用GetKeyPolicy操作。
GetKeyPolicy 需要策略名称。唯一有效的策略名称是 default。
在需要客户端对象的语言中,这些示例使用您在 创建客户端 中创建的 AWS KMS 客户端对象。
- Java
-
有关详细信息,请参阅《AWS SDK for JavaAPI 参考》中的getKeyPolicy 方法。
// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName); GetKeyPolicyResult result = kmsClient.getKeyPolicy(req); - C#
-
有关详细信息,请参阅 AWS SDK for .NET 中的 GetKeyPolicy 方法。
// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; GetKeyPolicyRequest getKeyPolicyRequest = new GetKeyPolicyRequest() { KeyId = keyId, PolicyName = policyName }; GetKeyPolicyResponse getKeyPolicyResponse = kmsClient.GetKeyPolicy(getKeyPolicyRequest); - Python
-
有关详细信息,请参阅 AWS SDK for Python (Boto3) 中的
get_key_policy方法。 # Get the policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' response = kms_client.get_key_policy( KeyId=key_id, PolicyName=policy_name ) - Ruby
-
有关详细信息,请参阅 AWS SDK for Ruby 中的
get_key_policy实例方法。# Get the policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' response = kmsClient.get_key_policy({ key_id: key_id, policy_name: policy_name }) - PHP
-
有关详细信息,请参阅 AWS SDK for PHP 中的 GetKeyPolicy 方法。
// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $policyName = "default"; $result = $KmsClient->getKeyPolicy([ 'KeyId' => $keyId, 'PolicyName' => $policyName ]); - Node.js
有关详细信息,请参阅 Node.js AWS 软件开发工具包 JavaScript 中的getKeyPolicy 属性。
// Get the policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; const PolicyName = 'default'; kmsClient.getKeyPolicy({ KeyId, PolicyName }, (err, data) => { ... });- PowerShell
要获取 KMS 密钥的密钥策略,请使用 get-KMS cmdlet KeyPolicy。此 cmdlet 以字符串(System.String)的形式返回密钥策略,您可以在 Wr it KeyPolicy e-KMS () 命令中使用该字符串。
PutKeyPolicy要将 JSON 字符串中的策略转换为PSCustomObject对象,请使用 ConvertFrom-JSON cmdlet。 # Get the policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' $policyName = 'default' $response = Get-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName要使用 AWS KMS PowerShell cmdlet,请安装 aws.Tools。 KeyManagementService
模块。有关更多信息,请参阅 AWS Tools for Windows PowerShell 用户指南。
设置密钥策略
要创建或替换 KMS 密钥的密钥策略,请使用PutKeyPolicy操作。
PutKeyPolicy 需要策略名称。唯一有效的策略名称是 default。
在需要客户端对象的语言中,这些示例使用您在 创建客户端 中创建的 AWS KMS 客户端对象。
- Java
-
有关详细信息,请参阅《AWS SDK for JavaAPI 参考》中的putKeyPolicy 方法。
// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; String policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleRole\"," + " \"Effect\": \"Allow\"," + // Replace the following example user ARN with a valid one " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/ExampleKeyUserRole\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}"; PutKeyPolicyRequest req = new PutKeyPolicyRequest().withKeyId(keyId).withPolicy(policy).withPolicyName(policyName); kmsClient.putKeyPolicy(req); - C#
-
有关详细信息,请参阅 AWS SDK for .NET 中的 PutKeyPolicy 方法。
// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; String policyName = "default"; String policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + // Replace the following example user ARN with a valid one " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/ExampleKeyUserRole\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}"; PutKeyPolicyRequest putKeyPolicyRequest = new PutKeyPolicyRequest() { KeyId = keyId, Policy = policy, PolicyName = policyName }; kmsClient.PutKeyPolicy(putKeyPolicyRequest); - Python
-
有关详细信息,请参阅 AWS SDK for Python (Boto3) 中的
put_key_policy方法。 # Set a key policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' policy = """ { "Version": "2012-10-17", "Statement": [{ "Sid": "Allow access for ExampleUser", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleKeyUserRole"}, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*" ], "Resource": "*" }] }""" response = kms_client.put_key_policy( KeyId=key_id, Policy=policy, PolicyName=policy_name ) - Ruby
-
有关详细信息,请参阅 AWS SDK for Ruby 中的
put_key_policy实例方法。# Set a key policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN key_id = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' policy_name = 'default' policy = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [{" + " \"Sid\": \"Allow access for ExampleUser\"," + " \"Effect\": \"Allow\"," + # Replace the following example user ARN with a valid one " \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/ExampleKeyUserRole\"}," + " \"Action\": [" + " \"kms:Encrypt\"," + " \"kms:GenerateDataKey*\"," + " \"kms:Decrypt\"," + " \"kms:DescribeKey\"," + " \"kms:ReEncrypt*\"" + " ]," + " \"Resource\": \"*\"" + " }]" + "}" response = kmsClient.put_key_policy({ key_id: key_id, policy: policy, policy_name: policy_name }) - PHP
-
有关详细信息,请参阅 AWS SDK for PHP 中的 PutKeyPolicy 方法。
// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; $policyName = "default"; $result = $KmsClient->putKeyPolicy([ 'KeyId' => $keyId, 'PolicyName' => $policyName, 'Policy' => '{ "Version": "2012-10-17", "Id": "custom-policy-2016-12-07", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/root" }, "Action": [ "kms:*" ], "Resource": "*" }, { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleKeyUserRole" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" } ] } ' ]); - Node.js
有关详细信息,请参阅 Node.js AWS 软件开发工具包 JavaScript 中的putKeyPolicy 属性。
// Set a key policy for a KMS key // // Replace the following example key ARN with a valid key ID or key ARN const KeyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab'; const PolicyName = 'default'; const Policy = `{ "Version": "2012-10-17", "Id": "custom-policy-2016-12-07", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleKeyUserRole" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" } ] }`; // The key policy document kmsClient.putKeyPolicy({ KeyId, Policy, PolicyName }, (err, data) => { ... });- PowerShell
要为 KMS 密钥设置密钥策略,请使用 Write-KMS KeyPolicy cmdlet。此 cmdlet 不返回任何输出。要验证该命令是否有效,请使用 get-KMS cmdlet KeyPolicy。
Policy参数接受一个字符串。用单引号将字符串括起来,使其成为文本字符串。您不必在文本字符串中使用延续字符或转义字符。# Set a key policy for a KMS key # Replace the following example key ARN with a valid key ID or key ARN $keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' $policyName = 'default' $policy = '{ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleKeyUserRole" }, "Action": [ "kms:Encrypt*", "kms:GenerateDataKey*", "kms:Decrypt*", "kms:DescribeKey*", "kms:ReEncrypt*" ], "Resource": "*" }] }' Write-KMSKeyPolicy -KeyId $keyId -PolicyName $policyName -Policy $policy要使用 AWS KMS PowerShell cmdlet,请安装 aws.Tools。 KeyManagementService
模块。有关更多信息,请参阅 AWS Tools for Windows PowerShell 用户指南。
加密和解密数据密钥
处理授权