

# AWS Key Management Service examples using the AWS SDK for PHP Version 3
<a name="kms-examples"></a>

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. For more information about AWS KMS, see the [Amazon KMS documentation](https://aws.amazon.com/documentation/kms/). Whether you are writing secure PHP applications or sending data to other AWS services, AWS KMS helps you maintain control over who can use your keys and gain access to your encrypted data.

All the example code for the AWS SDK for PHP Version 3 is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

**Topics**
+ [Working with keys](kms-example-keys.md)
+ [Encrypting and decrypting data keys](kms-example-encrypt.md)
+ [Working with key policies](kms-example-key-policy.md)
+ [Working with grants](kms-example-grants.md)
+ [Working with aliases](kms-example-alias.md)

# Working with keys using the AWS KMS API and the AWS SDK for PHP Version 3
<a name="kms-example-keys"></a>

The primary resources in AWS Key Management Service (AWS KMS) are [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys). You can use a KMS key to encrypt your data.

The following examples show how to:
+ Create a customer KMS key using [CreateKey](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#createkey).
+ Generate a data key using [GenerateDataKey](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#generatedatakey).
+ View a KMS key using [DescribeKey](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#describekey).
+ Get key IDs and key ARNs of KMS keys using [ListKeys](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeys).
+ Enable KMS keys using [EnableKey](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#enablekey).
+ Disable KMS keys using [DisableKey](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#disablekey).

All the example code for the AWS SDK for PHP is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

## Credentials
<a name="examplecredentials"></a>

Before running the example code, configure your AWS credentials, as described in [Authenticating with AWS using AWS SDK for PHP Version 3](credentials.md). Then import the AWS SDK for PHP, as described in [Installing the AWS SDK for PHP Version 3](getting-started_installation.md).

For more information about using AWS Key Management Service (AWS KMS), see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

## Create a KMS key
<a name="create-a-cmk"></a>

To create a [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys), use the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

// Creates a KMS key in the caller's AWS account.
$desc = "Key for protecting critical data";

try {
    $result = $KmsClient->createKey([
        'Description' => $desc,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Generate a data key
<a name="generate-a-data-key"></a>

To generate a data encryption key, use the [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) operation. This operation returns plaintext and encrypted copies of the data key that it creates. Specify the AWS KMS key under which to generate the data key.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$keySpec = 'AES_256';

try {
    $result = $KmsClient->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => $keySpec,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## View a KMS key
<a name="view-a-cmk"></a>

To get detailed information about a KMS key, including the KMS key’s Amazon Resource Name (ARN) and [key state](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html), use the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation.

 `DescribeKey` doesn’t get aliases. To get aliases, use the [ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->describeKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Get the key ID and key ARNs of a KMS key
<a name="get-the-key-id-and-key-arns-of-a-cmk"></a>

To get the ID and ARN of the KMS key, use the [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$limit = 10;

try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
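
A single `listKeys` call returns at most `Limit` entries, so the call above can miss keys in a larger account. The following added example (not part of the AWS sample code) pages through every key with the SDK paginator and calls `DescribeKey` on each one to report its state and manager. The helper names `inventoryKmsKeys` and `keysNeedingReview` and the report layout are assumptions made for illustration.

```php
<?php
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

/**
 * Hypothetical helper: return one row per KMS key in the client's Region.
 */
function inventoryKmsKeys(KmsClient $kms): array
{
    $rows = [];
    // The paginator keeps requesting pages until the response is no longer truncated.
    foreach ($kms->getPaginator('ListKeys', ['Limit' => 100]) as $page) {
        foreach ($page['Keys'] as $key) {
            try {
                $meta = $kms->describeKey(['KeyId' => $key['KeyId']])['KeyMetadata'];
                $rows[] = [
                    'KeyId' => $meta['KeyId'],
                    'KeyState' => $meta['KeyState'],     // for example Enabled, Disabled, PendingDeletion
                    'KeyManager' => $meta['KeyManager'], // AWS or CUSTOMER
                    'Description' => $meta['Description'] ?? '',
                ];
            } catch (AwsException $e) {
                // The caller may be allowed to list a key but not to describe it.
                // Record the error code instead of silently dropping the key.
                $rows[] = [
                    'KeyId' => $key['KeyId'],
                    'KeyState' => 'UNKNOWN',
                    'KeyManager' => 'UNKNOWN',
                    'Description' => (string) $e->getAwsErrorCode(),
                ];
            }
        }
    }
    return $rows;
}

/**
 * Hypothetical helper: keep the keys that are not AWS managed and are not
 * currently usable (disabled, pending deletion, or not describable).
 */
function keysNeedingReview(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        return $row['KeyManager'] !== 'AWS' && $row['KeyState'] !== 'Enabled';
    }));
}

$kms = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2', // the inventory covers this Region only
]);

foreach (keysNeedingReview(inventoryKmsKeys($kms)) as $row) {
    printf("%s\t%s\t%s\n", $row['KeyId'], $row['KeyState'], $row['Description']);
}
```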

## Enable a KMS key
<a name="enable-a-cmk"></a>

To enable a disabled KMS key, use the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Disable a KMS key
<a name="disable-a-cmk"></a>

To disable a KMS key, use the [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) operation. Disabling a KMS key prevents it from being used.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->disableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

# Encrypting and decrypting AWS KMS data keys using the AWS SDK for PHP Version 3
<a name="kms-example-encrypt"></a>

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.

You can use an [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in AWS Key Management Service (AWS KMS) to generate, encrypt, and decrypt data keys.

The following examples show how to:
+ Encrypt a data key using [Encrypt](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#encrypt).
+ Decrypt a data key using [Decrypt](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#decrypt).
+ Re-encrypt a data key with a new KMS key using [ReEncrypt](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#reencrypt).

All the example code for the AWS SDK for PHP is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

## Credentials
<a name="examplecredentials"></a>

Before running the example code, configure your AWS credentials, as described in [Authenticating with AWS using AWS SDK for PHP Version 3](credentials.md). Then import the AWS SDK for PHP, as described in [Installing the AWS SDK for PHP Version 3](getting-started_installation.md).

For more information about using AWS Key Management Service (AWS KMS), see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

## Encrypt
<a name="encrypt"></a>

The [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) operation is designed to encrypt data keys, but it’s not frequently used. The [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) and [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operations return encrypted data keys. You might use the `Encrypt` method when you’re moving encrypted data to a new AWS Region and want to encrypt its data key by using a KMS key in the new Region.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$message = pack('c*', 1, 2, 3, 4, 5, 6, 7, 8, 9, 0);

try {
    $result = $KmsClient->encrypt([
        'KeyId' => $keyId,
        'Plaintext' => $message,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Decrypt
<a name="decrypt"></a>

To decrypt a data key, use the [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation.

The `ciphertextBlob` that you specify must be the value of the `CiphertextBlob` field from a [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), or [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) response.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$ciphertext = 'Place your cipher text blob here';

try {
    $result = $KmsClient->decrypt([
        'CiphertextBlob' => $ciphertext,
    ]);
    $plaintext = $result['Plaintext'];
    var_dump($plaintext);
} catch (AwsException $e) {
    // Output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
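
`GenerateDataKey` and `Decrypt` are normally used together for envelope encryption: the plaintext data key encrypts the data locally, and only the encrypted copy of the key is stored next to the ciphertext. The following is an added example, not part of the AWS sample code. The helper names, the JSON envelope layout, the sample encryption context, and the choice of AES-256-GCM through PHP's OpenSSL extension are assumptions made for illustration.

```php
<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;

/**
 * Hypothetical helper: encrypt $plaintext locally under a fresh data key and
 * return a JSON envelope that contains only the encrypted copy of that key.
 */
function envelopeEncrypt(KmsClient $kms, string $keyId, string $plaintext, array $context): string
{
    $dataKey = $kms->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => 'AES_256',
        // Non-secret key/value pairs bound to the encrypted data key.
        // Decrypt fails unless the same pairs are supplied again.
        'EncryptionContext' => $context,
    ]);
    $wrappedKey = $dataKey['CiphertextBlob']; // encrypted data key, safe to store
    $iv = random_bytes(12);                   // 96-bit nonce, new for every message
    $tag = '';
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $dataKey['Plaintext'], OPENSSL_RAW_DATA, $iv, $tag
    );
    unset($dataKey); // drop the reference to the plaintext key; never persist or log it
    if ($ciphertext === false) {
        throw new RuntimeException('Local encryption failed');
    }
    return json_encode([
        'wrapped_key' => base64_encode($wrappedKey),
        'iv' => base64_encode($iv),
        'tag' => base64_encode($tag),
        'ciphertext' => base64_encode($ciphertext),
    ], JSON_THROW_ON_ERROR);
}

/**
 * Hypothetical helper: recover the data key with Decrypt, then decrypt and
 * authenticate the payload locally.
 */
function envelopeDecrypt(KmsClient $kms, string $keyId, string $envelopeJson, array $context): string
{
    $envelope = json_decode($envelopeJson, true, 512, JSON_THROW_ON_ERROR);
    $fields = [];
    foreach (['wrapped_key', 'iv', 'tag', 'ciphertext'] as $name) {
        $raw = base64_decode($envelope[$name] ?? '', true);
        if ($raw === false || ($raw === '' && $name !== 'ciphertext')) {
            throw new InvalidArgumentException("Envelope field '$name' is missing or malformed");
        }
        $fields[$name] = $raw;
    }
    $result = $kms->decrypt([
        'CiphertextBlob' => $fields['wrapped_key'],
        // Naming the expected key makes KMS reject a blob wrapped under any other key.
        'KeyId' => $keyId,
        'EncryptionContext' => $context,
    ]);
    $plaintext = openssl_decrypt(
        $fields['ciphertext'], 'aes-256-gcm', $result['Plaintext'],
        OPENSSL_RAW_DATA, $fields['iv'], $fields['tag']
    );
    if ($plaintext === false) {
        throw new RuntimeException('Ciphertext failed authentication');
    }
    return $plaintext;
}

$kms = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // must be the Region named in the key ARN
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$context = ['purpose' => 'example-export']; // constructed sample context

$envelope = envelopeEncrypt($kms, $keyId, 'constructed sample record', $context);
echo envelopeDecrypt($kms, $keyId, $envelope, $context), "\n";
```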

## Reencrypt
<a name="reencrypt"></a>

To decrypt an encrypted data key, and then immediately reencrypt the data key under a different KMS key, use the [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) operation. The operations are performed entirely on the server side within AWS KMS, so they never expose your plaintext outside of AWS KMS.

The `ciphertextBlob` that you specify must be the value of the `CiphertextBlob` field from a [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), or [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) response.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$ciphertextBlob = 'Place your cipher text blob here';

try {
    $result = $KmsClient->reEncrypt([
        'CiphertextBlob' => $ciphertextBlob,
        'DestinationKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

# Working with AWS KMS key policies using the AWS SDK for PHP Version 3
<a name="kms-example-key-policy"></a>

When you create an [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys), you determine who can use and manage that KMS key. These permissions are contained in a document called the key policy. You can use the key policy to add, remove, or modify permissions at any time for a customer managed KMS key, but you cannot edit the key policy for an AWS managed KMS key. For more information, see [Authentication and access control for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html).

The following examples show how to:
+ List the names of key policies using [ListKeyPolicies](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeypolicies).
+ Get a key policy using [GetKeyPolicy](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#getkeypolicy).
+ Set a key policy using [PutKeyPolicy](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#putkeypolicy).

All the example code for the AWS SDK for PHP is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

## Credentials
<a name="examplecredentials"></a>

Before running the example code, configure your AWS credentials, as described in [Authenticating with AWS using AWS SDK for PHP Version 3](credentials.md). Then import the AWS SDK for PHP, as described in [Installing the AWS SDK for PHP Version 3](getting-started_installation.md).

For more information about using AWS Key Management Service (AWS KMS), see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

## List all key policies
<a name="list-all-key-policies"></a>

To get the names of key policies for a KMS key, use the `ListKeyPolicies` operation. 

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$limit = 10;

try {
    $result = $KmsClient->listKeyPolicies([
        'KeyId' => $keyId,
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Retrieve a key policy
<a name="retrieve-a-key-policy"></a>

To get the key policy for a KMS key, use the `GetKeyPolicy` operation.

 `GetKeyPolicy` requires a policy name. Unless you created a key policy when you created the KMS key, the only valid policy name is `default`. Learn more about the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) in the *AWS Key Management Service Developer Guide*.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default";

try {
    $result = $KmsClient->getKeyPolicy([
        'KeyId' => $keyId,
        'PolicyName' => $policyName
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Set a key policy
<a name="set-a-key-policy"></a>

To establish or change a key policy for a KMS key, use the `PutKeyPolicy` operation.

 `PutKeyPolicy` requires a policy name. Unless you created a key policy when you created the KMS key, the only valid policy name is `default`. Learn more about the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) in the *AWS Key Management Service Developer Guide*.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default";

try {
    $result = $KmsClient->putKeyPolicy([
        'KeyId' => $keyId,
        'PolicyName' => $policyName,
        'Policy' => '{
            "Version": "2012-10-17",
            "Id": "custom-policy-2016-12-07",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": { "AWS": "arn:aws:iam::111122223333:user/root" },
                    "Action": [ "kms:*" ],
                    "Resource": "*"
                },
                {
                    "Sid": "Allow use of the key",
                    "Effect": "Allow",
                    "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
                    "Action": [
                        "kms:Encrypt*",
                        "kms:GenerateDataKey*",
                        "kms:Decrypt*",
                        "kms:DescribeKey*",
                        "kms:ReEncrypt*"
                    ],
                    "Resource": "*"
                }
            ]
        }'
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
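
Because `PutKeyPolicy` replaces the whole policy document, it is worth checking what a policy allows before you set it and after you retrieve it. The following added example (not part of the AWS sample code) parses a key policy and reports `Allow` statements that grant every KMS action or that name any AWS principal without a condition. The helper name `auditKeyPolicy`, the finding texts, and the sample policy are constructed for illustration.

```php
<?php
/**
 * Hypothetical helper: return human-readable findings for broad Allow
 * statements in a KMS key policy document.
 */
function auditKeyPolicy(string $policyJson): array
{
    $policy = json_decode($policyJson, true, 512, JSON_THROW_ON_ERROR);
    $statements = $policy['Statement'] ?? [];
    if (isset($statements['Effect'])) {
        $statements = [$statements]; // "Statement" may be a single object
    }
    $findings = [];
    foreach ($statements as $i => $st) {
        if (($st['Effect'] ?? '') !== 'Allow') {
            continue;
        }
        $sid = $st['Sid'] ?? "statement #$i";
        $principal = $st['Principal'] ?? [];
        // "Principal" is either the string "*" or a map such as {"AWS": ...}.
        $principals = is_string($principal) ? [$principal] : (array) ($principal['AWS'] ?? []);
        $actions = (array) ($st['Action'] ?? []);

        if (in_array('*', $principals, true) && empty($st['Condition'])) {
            $findings[] = "$sid: any AWS principal is allowed and no Condition narrows it";
        }
        foreach ($actions as $action) {
            if ($action !== '*' && strcasecmp($action, 'kms:*') !== 0) {
                continue;
            }
            foreach ($principals as $p) {
                if (preg_match('/^arn:aws[a-z-]*:iam::\d{12}:root$/', $p)) {
                    // Same shape as the default key policy: access is then
                    // decided by IAM policies in that account.
                    $findings[] = "$sid: account principal $p has $action; review IAM policies in that account";
                } else {
                    $findings[] = "$sid: $p has $action, including kms:PutKeyPolicy and kms:ScheduleKeyDeletion";
                }
            }
        }
    }
    return $findings;
}

// Constructed sample policy for the demonstration.
$samplePolicy = <<<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AccountDelegation", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*", "Resource": "*" },
    { "Sid": "FullControlForOneUser", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
      "Action": [ "kms:*" ], "Resource": "*" },
    { "Sid": "OpenDecrypt", "Effect": "Allow",
      "Principal": "*",
      "Action": [ "kms:Decrypt" ], "Resource": "*" },
    { "Sid": "ScopedDecrypt", "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [ "kms:Decrypt" ], "Resource": "*",
      "Condition": { "StringEquals": { "kms:CallerAccount": "111122223333" } } }
  ]
}
JSON;

foreach (auditKeyPolicy($samplePolicy) as $finding) {
    echo $finding, "\n";
}

// To audit a live key, pass the document returned by GetKeyPolicy:
// $policyJson = $KmsClient->getKeyPolicy(['KeyId' => $keyId, 'PolicyName' => 'default'])['Policy'];
```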

# Working with grants using the AWS KMS API and the AWS SDK for PHP Version 3
<a name="kms-example-grants"></a>

A grant is another mechanism for providing permissions. It is an alternative to the key policy. You can use grants to give long-term access that allows AWS principals to use your AWS Key Management Service (AWS KMS) customer-managed [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys). For more information, see [Grants in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service Developer Guide*.

The following examples show how to:
+ Create a grant for a KMS key using [CreateGrant](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#creategrant).
+ View a grant for a KMS key using [ListGrants](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listgrants).
+ Retire a grant for a KMS key using [RetireGrant](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#retiregrant).
+ Revoke a grant for a KMS key using [RevokeGrant](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#revokegrant).

All the example code for the AWS SDK for PHP is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

## Credentials
<a name="examplecredentials"></a>

Before running the example code, configure your AWS credentials, as described in [Authenticating with AWS using AWS SDK for PHP Version 3](credentials.md). Then import the AWS SDK for PHP, as described in [Installing the AWS SDK for PHP Version 3](getting-started_installation.md).

For more information about using AWS Key Management Service (AWS KMS), see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

## Create a grant
<a name="create-a-grant"></a>

To create a grant for an AWS KMS key, use the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
$operation = ['Encrypt', 'Decrypt']; // A list of operations that the grant allows.

try {
    $result = $KmsClient->createGrant([
        'GranteePrincipal' => $granteePrincipal,
        'KeyId' => $keyId,
        'Operations' => $operation
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## View a grant
<a name="view-a-grant"></a>

To get detailed information about the grants on an AWS KMS key, use the [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$limit = 10;

try {
    $result = $KmsClient->listGrants([
        'KeyId' => $keyId,
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Retire a grant
<a name="retire-a-grant"></a>

To retire a grant for an AWS KMS key, use the [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) operation. Retire a grant to clean up after you finish using it.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$grantToken = 'Place your grant token here';

try {
    $result = $KmsClient->retireGrant([
        'GrantToken' => $grantToken,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

// You can also identify the grant to retire by a combination of the grant ID
// and the Amazon Resource Name (ARN) of the KMS key.
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$grantId = 'Unique identifier of the grant returned during CreateGrant operation';

try {
    $result = $KmsClient->retireGrant([
        'GrantId' => $grantId,
        'KeyId' => $keyId,
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Revoke a grant
<a name="revoke-a-grant"></a>

To revoke a grant to an AWS KMS key, use the [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html) operation. You can revoke a grant to explicitly deny operations that depend on it.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$grantId = "grant1";

try {
    $result = $KmsClient->revokeGrant([
        'KeyId' => $keyId,
        'GrantId' => $grantId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
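
`CreateGrant` returns both a `GrantId` and a `GrantToken`, and the retire and revoke calls above take one or the other. The following added example (not part of the AWS sample code) follows one grant through its life: it is created for a single operation with an encryption context constraint, located again with `ListGrants`, and then revoked by ID. The grant name, the sample encryption context, and the helper name `findGrant` are constructed for illustration.

```php
<?php
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

/**
 * Hypothetical helper: page through ListGrants and return the grant with the
 * given ID, or null if the key has no such grant.
 */
function findGrant(KmsClient $kms, string $keyId, string $grantId): ?array
{
    foreach ($kms->getPaginator('ListGrants', ['KeyId' => $keyId]) as $page) {
        foreach ($page['Grants'] as $grant) {
            if ($grant['GrantId'] === $grantId) {
                return $grant;
            }
        }
    }
    return null;
}

$kms = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // must be the Region named in the key ARN
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$granteePrincipal = 'arn:aws:iam::111122223333:user/Alice';

try {
    $created = $kms->createGrant([
        'KeyId' => $keyId,
        'GranteePrincipal' => $granteePrincipal,
        'Operations' => ['Decrypt'], // only what the grantee needs
        // The grant applies only to requests that carry this encryption context.
        'Constraints' => [
            'EncryptionContextSubset' => ['purpose' => 'example-export'], // constructed value
        ],
        'Name' => 'example-decrypt-only', // constructed name
    ]);

    // GrantId identifies the grant for ListGrants, RevokeGrant and RetireGrant.
    // GrantToken can be passed with a request to use the grant before it is
    // visible throughout AWS KMS; it is also accepted by RetireGrant.
    $grantId = $created['GrantId'];

    $grant = findGrant($kms, $keyId, $grantId);
    if ($grant !== null) {
        printf(
            "%s -> %s: %s\n",
            $grant['GrantId'],
            $grant['GranteePrincipal'],
            implode(', ', $grant['Operations'])
        );
    }

    // The key administrator ends the grant by ID.
    $kms->revokeGrant([
        'KeyId' => $keyId,
        'GrantId' => $grantId,
    ]);
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```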

# Working with aliases using the AWS KMS API and the AWS SDK for PHP Version 3
<a name="kms-example-alias"></a>

AWS Key Management Service (AWS KMS) provides an optional display name for an [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) called an alias.

The following examples show how to:
+ Create an alias using [CreateAlias](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#createalias).
+ View an alias using [ListAliases](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listaliases).
+ Update an alias using [UpdateAlias](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#updatealias).
+ Delete an alias using [DeleteAlias](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-kms-2014-11-01.html#deletealias).

All the example code for the AWS SDK for PHP is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

## Credentials
<a name="examplecredentials"></a>

Before running the example code, configure your AWS credentials, as described in [Authenticating with AWS using AWS SDK for PHP Version 3](credentials.md). Then import the AWS SDK for PHP, as described in [Installing the AWS SDK for PHP Version 3](getting-started_installation.md).

For more information about using AWS Key Management Service (AWS KMS), see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

## Create an alias
<a name="create-an-alias"></a>

To create an alias for a KMS key, use the [CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html) operation. The alias must be unique in the account and AWS Region. If you create an alias for a KMS key that already has an alias, `CreateAlias` creates another alias to the same KMS key. It doesn’t replace the existing alias.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$aliasName = "alias/projectKey1";

try {
    $result = $KmsClient->createAlias([
        'AliasName' => $aliasName,
        'TargetKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## View an alias
<a name="view-an-alias"></a>

To list all aliases in the caller's AWS account and AWS Region, use the [ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html) operation. 

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$limit = 10;

try {
    $result = $KmsClient->listAliases([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Update an alias
<a name="update-an-alias"></a>

To associate an existing alias with a different KMS key, use the [UpdateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$aliasName = "alias/projectKey1";

try {
    $result = $KmsClient->updateAlias([
        'AliasName' => $aliasName,
        'TargetKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Delete an alias
<a name="delete-an-alias"></a>

To delete an alias, use the [DeleteAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html) operation. Deleting an alias has no effect on the underlying KMS key.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$aliasName = "alias/projectKey1";

try {
    $result = $KmsClient->deleteAlias([
        'AliasName' => $aliasName,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```