GetKeyPolicyCommand
Gets a key policy attached to the specified KMS key.
Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions: kms:GetKeyPolicy (key policy)
Related operations: PutKeyPolicy
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
Example Syntax
Use a bare-bones client and the command you need to make an API call.
```javascript
import { KMSClient, GetKeyPolicyCommand } from "@aws-sdk/client-kms"; // ES Modules import
// const { KMSClient, GetKeyPolicyCommand } = require("@aws-sdk/client-kms"); // CommonJS import
const config = {}; // client configuration; an empty object uses the default region and credential providers
const client = new KMSClient(config);
const input = { // GetKeyPolicyRequest
  KeyId: "STRING_VALUE", // required
  PolicyName: "STRING_VALUE",
};
const command = new GetKeyPolicyCommand(input);
const response = await client.send(command);
// { // GetKeyPolicyResponse
//   Policy: "STRING_VALUE",
//   PolicyName: "STRING_VALUE",
// };
```
Example Usage
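An added example (not part of the AWS documentation): it passes the `Policy` string from the response to a small audit that flags `Allow` statements whose principal is a wildcard with no `Condition`, or belongs to another account. The helper names, the `ownerAccountId` parameter and the sample policy are assumptions made for illustration.

```javascript
// Added example, not AWS sample code: audit the Policy string that
// GetKeyPolicyCommand returns. ownerAccountId is supplied by the caller.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Account ID of an AWS principal: an IAM/STS ARN or a bare 12-digit account ID.
function principalAccount(p) {
  const m = /^arn:[^:]+:(?:iam|sts)::(\d{12}):/.exec(p) || /^(\d{12})$/.exec(p);
  return m ? m[1] : null;
}

function auditKeyPolicy(policyJson, ownerAccountId) {
  const doc = JSON.parse(policyJson); // Policy is JSON carried in a string
  const findings = [];
  asArray(doc.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const sid = stmt.Sid || `Statement[${i}]`;
    const aws = stmt.Principal === "*" ? ["*"] : asArray(stmt.Principal && stmt.Principal.AWS);
    for (const p of aws) {
      const acct = principalAccount(p);
      if (p === "*" && !stmt.Condition) {
        // A wildcard principal is acceptable only when a Condition narrows it.
        findings.push({ sid, principal: p, issue: "wildcard-without-condition" });
      } else if (acct && acct !== ownerAccountId) {
        findings.push({ sid, principal: p, issue: "external-account" });
      }
    }
  });
  return findings;
}

// Live use: requires @aws-sdk/client-kms and kms:GetKeyPolicy on the key.
async function auditKey(keyId, ownerAccountId, config = {}) {
  const { KMSClient, GetKeyPolicyCommand } = await import("@aws-sdk/client-kms");
  const client = new KMSClient(config);
  const { Policy } = await client.send(new GetKeyPolicyCommand({ KeyId: keyId }));
  return auditKeyPolicy(Policy, ownerAccountId);
}

// Constructed sample policy; the account IDs are placeholders.
const SAMPLE_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    { Sid: "Owner", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "kms:*", Resource: "*" },
    { Sid: "Partner", Effect: "Allow", Principal: { AWS: ["arn:aws:iam::444455556666:role/Reader"] }, Action: "kms:Decrypt", Resource: "*" },
    { Sid: "Open", Effect: "Allow", Principal: "*", Action: "kms:Encrypt", Resource: "*" },
  ],
});
console.log(auditKeyPolicy(SAMPLE_POLICY, "111122223333"));
```

A finding is a prompt for manual review, not a verdict: a cross-account grant may be intentional, and the audit does not evaluate `Condition` contents.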
GetKeyPolicyCommand Input
Parameter | Type | Description |
---|---|---|
KeyId Required | string \| undefined | Gets the key policy for the specified KMS key. Specify the key ID or key ARN of the KMS key. For example:
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. |
PolicyName | string \| undefined | Specifies the name of the key policy. If no policy name is specified, the default value is |
GetKeyPolicyCommand Output
Parameter | Type | Description |
---|---|---|
$metadata Required | ResponseMetadata | Metadata pertaining to this request. |
Policy | string \| undefined | A key policy document in JSON format. |
PolicyName | string \| undefined | The name of the key policy. The only valid value is |
Throws
Name | Fault | Details |
---|---|---|
DependencyTimeoutException | server | The system timed out while trying to fulfill the request. You can retry the request. |
InvalidArnException | client | The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. |
KMSInternalException | server | The request was rejected because an internal exception occurred. The request can be retried. |
KMSInvalidStateException | client | The request was rejected because the state of the specified resource is not valid for this request. This exception means one of the following:
|
NotFoundException | client | The request was rejected because the specified entity or resource could not be found. |
KMSServiceException | | Base exception class for all service exceptions from KMS service. |