Use PutKeyPolicy with an Amazon SDK or CLI - Amazon Key Management Service

Use PutKeyPolicy with an Amazon SDK or CLI

The following code examples show how to use PutKeyPolicy.

CLI
Amazon CLI

To change the key policy for a KMS key

The following put-key-policy example changes the key policy for a customer managed key.

To begin, create a key policy and save it in a local JSON file. In this example, the file is key_policy.json. You can also specify the key policy as a string value of the policy parameter.

The first statement in this key policy gives the Amazon account permission to use IAM policies to control access to the KMS key. The second statement gives the IAM user test-user permission to run the describe-key and list-keys commands on the KMS key.

Contents of key_policy.json:

    {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::111122223333:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow Use of Key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::111122223333:user/test-user"
                },
                "Action": [
                    "kms:DescribeKey",
                    "kms:ListKeys"
                ],
                "Resource": "*"
            }
        ]
    }

To identify the KMS key, this example uses the key ID, but you can also use a key ARN. To specify the key policy, the command uses the policy parameter. To indicate that the policy is in a file, it uses the file:// prefix; this prefix is required to identify files on all supported operating systems. Finally, the command uses the policy-name parameter with a value of default. If no policy name is specified, the default value is default, and default is the only valid value.

    aws kms put-key-policy \
        --policy-name default \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --policy file://key_policy.json

This command does not produce any output. To verify that the command was effective, use the get-key-policy command. The following example command gets the key policy for the same KMS key. The output parameter with a value of text returns a text format that is easy to read.

    aws kms get-key-policy \
        --policy-name default \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --output text

Output:

    {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::111122223333:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow Use of Key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::111122223333:user/test-user"
                },
                "Action": [
                    "kms:DescribeKey",
                    "kms:ListKeys"
                ],
                "Resource": "*"
            }
        ]
    }

For more information, see Changing a Key Policy in the Amazon Key Management Service Developer Guide.

  • For API details, see PutKeyPolicy in Amazon CLI Command Reference.

Python
SDK for Python (Boto3)
Note: There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

    import json
    import logging

    from botocore.exceptions import ClientError

    logger = logging.getLogger(__name__)


    class KeyPolicy:
        def __init__(self, kms_client):
            self.kms_client = kms_client

        def set_policy(self, key_id, policy):
            """
            Sets the policy of a key. Setting a policy entirely overwrites the existing
            policy, so care is taken to add a statement to the existing list of
            statements rather than simply writing a new policy.

            :param key_id: The ARN or ID of the key to set the policy to.
            :param policy: The existing policy of the key, as a dict (the parsed
                           JSON document returned by get_key_policy).
            """
            principal = input(
                "Enter the ARN of an IAM role to set as the principal on the policy: "
            )
            if key_id != "" and principal != "":
                # The updated policy replaces the existing policy. Add a new statement to
                # the list along with the original policy statements.
                policy["Statement"].append(
                    {
                        "Sid": "Allow access for ExampleRole",
                        "Effect": "Allow",
                        "Principal": {"AWS": principal},
                        "Action": [
                            "kms:Encrypt",
                            "kms:GenerateDataKey*",
                            "kms:Decrypt",
                            "kms:DescribeKey",
                            "kms:ReEncrypt*",
                        ],
                        "Resource": "*",
                    }
                )
                try:
                    # PolicyName must be "default"; the Policy is the full JSON document.
                    self.kms_client.put_key_policy(
                        KeyId=key_id, PolicyName="default", Policy=json.dumps(policy)
                    )
                except ClientError as err:
                    logger.error(
                        "Couldn't set policy for key %s. Here's why %s",
                        key_id,
                        err.response["Error"]["Message"],
                    )
                else:
                    print(f"Set policy for key {key_id}.")
            else:
                print("Skipping set policy demo.")
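Both the CLI and the Boto3 sections above rest on the same point: PutKeyPolicy replaces the whole key policy, so an edit must start from the current document and must keep the statement that lets the account manage the key. The following added example (not part of the Amazon documentation or its code sample) shows a read-modify-write that appends a statement to a copy of the existing policy and refuses to write a document in which the account root no longer holds kms:* or kms:PutKeyPolicy. The starting policy is a constructed copy of the first statement of key_policy.json, and the client passed to put_key_policy is assumed to be a boto3 KMS client (or any object with the same method).

```python
import copy
import json

# Constructed sample: the admin statement from key_policy.json, not fetched from KMS.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}


def add_statement(policy, sid, principal_arn, actions):
    """Return a copy of `policy` with one Allow statement appended.

    PutKeyPolicy replaces the entire document, so always start from the policy
    returned by GetKeyPolicy rather than from a fresh one. Duplicate Sids are
    rejected so a re-run does not silently stack grants.
    """
    new_policy = copy.deepcopy(policy)
    if any(s.get("Sid") == sid for s in new_policy["Statement"]):
        raise ValueError(f"statement {sid!r} already present")
    new_policy["Statement"].append({
        "Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": list(actions), "Resource": "*",
    })
    return new_policy


def retains_admin_access(policy, account_id):
    """True if the account root can still change the policy (no lockout)."""
    root = f"arn:aws:iam::{account_id}:root"
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        principal = s.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = aws if isinstance(aws, list) else [aws]
        if (s["Effect"] == "Allow" and root in aws
                and any(a in ("kms:*", "kms:PutKeyPolicy") for a in actions)):
            return True
    return False


def put_key_policy(kms_client, key_id, policy, account_id):
    """Write `policy` with PolicyName "default", unless it would lock the account out."""
    if not retains_admin_access(policy, account_id):
        raise ValueError("refusing: account root would lose the ability to manage the key")
    kms_client.put_key_policy(KeyId=key_id, PolicyName="default",
                              Policy=json.dumps(policy))
```

The KMS API itself rejects a policy that would lock out the caller unless BypassPolicyLockoutSafetyCheck is set; the local check above catches the problem before any API call and also covers the account root, which the service check does not guarantee for every caller.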
  • For API details, see PutKeyPolicy in Amazon SDK for Python (Boto3) API Reference.

For a complete list of Amazon SDK developer guides and code examples, see Using Amazon KMS with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.