Working with Amazon KMS key policies using the Amazon SDK for PHP Version 3 - Amazon SDK for PHP
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

When you create an Amazon KMS key, you determine who can use and manage that KMS key. These permissions are contained in a document called the key policy. You can use the key policy to add, remove, or modify permissions at any time for a customer managed KMS key, but you cannot edit the key policy for an Amazon managed KMS key. For more information, see Authentication and access control for Amazon KMS.

The following examples show how to:

- List the key policies attached to a KMS key using ListKeyPolicies.
- Retrieve a key policy using GetKeyPolicy.
- Set or replace a key policy using PutKeyPolicy.

All the example code for the Amazon SDK for PHP is available here on GitHub.

Credentials

Before running the example code, configure your Amazon credentials, as described in Credentials. Then import the Amazon SDK for PHP, as described in Basic usage.

For more information about using Amazon Key Management Service (Amazon KMS), see the Amazon KMS Developer Guide.

List all key policies

To get the names of the key policies attached to a KMS key, use the ListKeyPolicies operation. Every KMS key has exactly one key policy, named default, so the response contains that single name.

Imports

require 'vendor/autoload.php';
use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // KMS keys are Regional: must match the Region in the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$limit = 10;

try {
    $result = $KmsClient->listKeyPolicies([
        'KeyId' => $keyId,
        'Limit' => $limit,
    ]);
    var_dump($result); // 'PolicyNames' holds the single entry "default"
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Retrieve a key policy

To get the key policy for a KMS key, use the GetKeyPolicy operation.

GetKeyPolicy requires a policy name. The only valid policy name is default, whether you supplied your own policy when you created the KMS key or let Amazon KMS attach its default key policy. The policy is returned as a JSON string in the Policy field of the result. Learn more about the Default key policy in the Amazon Key Management Service Developer Guide.

Imports

require 'vendor/autoload.php';
use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // KMS keys are Regional: must match the Region in the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default"; // the only valid policy name

try {
    $result = $KmsClient->getKeyPolicy([
        'KeyId' => $keyId,
        'PolicyName' => $policyName
    ]);
    var_dump($result); // $result['Policy'] is the key policy as a JSON string
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

Set a key policy

To establish or change a key policy for a KMS key, use the PutKeyPolicy operation.

PutKeyPolicy requires a policy name. The only valid policy name is default, whether you supplied your own policy when you created the KMS key or let Amazon KMS attach its default key policy. PutKeyPolicy replaces the entire key policy, so any statement you leave out of the new document is removed. Unless the request sets BypassPolicyLockoutSafetyCheck, Amazon KMS rejects a policy that would no longer allow the calling principal to call PutKeyPolicy on the key, because such a key could become unmanageable. Learn more about the Default key policy in the Amazon Key Management Service Developer Guide.

Imports

require 'vendor/autoload.php';
use Aws\Exception\AwsException;

Sample Code

$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // KMS keys are Regional: must match the Region in the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default"; // the only valid policy name

try {
    $result = $KmsClient->putKeyPolicy([
        'KeyId' => $keyId,
        'PolicyName' => $policyName,
        // The first statement keeps full control with the account root (principal
        // arn:aws:iam::ACCOUNT:root, not an IAM user named "root"), so the policy
        // passes the lockout safety check. The second grants ExampleUser use of the
        // key only, not management of it. Each Sid must be unique within the policy.
        'Policy' => '{
            "Version": "2012-10-17",
            "Id": "custom-policy-2016-12-07",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
                    "Action": [ "kms:*" ],
                    "Resource": "*"
                },
                {
                    "Sid": "Allow use of the key",
                    "Effect": "Allow",
                    "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
                    "Action": [
                        "kms:Encrypt*",
                        "kms:GenerateDataKey*",
                        "kms:Decrypt*",
                        "kms:DescribeKey*",
                        "kms:ReEncrypt*"
                    ],
                    "Resource": "*"
                }
            ]
        }'
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
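Because PutKeyPolicy replaces the whole policy and a mistaken principal or an overly broad statement is only caught once the call is made, it is worth linting the document first. The following is an added example, not code from the Amazon SDK for PHP documentation or from the SDK itself: a small checker that flags the defects most often seen in hand-written key policies (an IAM user literally named root instead of the account root principal, a repeated Sid, an Allow for principal "*" with no Condition, and no statement that keeps the account root able to manage the policy, which is an approximation of the lockout safety check rather than the exact test Amazon KMS performs). It runs the checker over two constructed sample policies offline, and then, only if a KMS_KEY_ID environment variable is set, audits the policy returned by GetKeyPolicy and refuses to call PutKeyPolicy with a document that fails. The validateKeyPolicy function, the sample policies, the account ID 111122223333 and the environment variable are all assumptions of this example.

```php
<?php
// Added example, not part of the Amazon SDK for PHP documentation or the SDK itself.
// validateKeyPolicy() and the sample policies are hypothetical; the account ID
// 111122223333 and the KMS_KEY_ID environment variable are assumptions.
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

/**
 * Lint a decoded key policy document. Returns a list of findings; an empty
 * list means every check passed.
 */
function validateKeyPolicy(array $policy, string $accountId): array
{
    $findings = [];
    $seenSids = [];
    $rootArn = "arn:aws:iam::{$accountId}:root";
    $adminRetained = false;

    foreach ($policy['Statement'] ?? [] as $i => $stmt) {
        $effect = $stmt['Effect'] ?? '';
        $sid = $stmt['Sid'] ?? "statement-{$i}";
        if (isset($seenSids[$sid])) {
            $findings[] = "Sid '{$sid}' is used more than once; Sids must be unique";
        }
        $seenSids[$sid] = true;

        // Principal is either the string "*" or an object such as {"AWS": "arn..."} / {"AWS": [...]}.
        $principal = $stmt['Principal'] ?? [];
        $principals = is_array($principal) ? (array) ($principal['AWS'] ?? []) : [$principal];
        $actions = (array) ($stmt['Action'] ?? []);

        foreach ($principals as $p) {
            if (preg_match('#^arn:aws:iam::\d{12}:user/root$#', $p)) {
                $findings[] = "Sid '{$sid}': '{$p}' is an IAM user named root, not the account root {$rootArn}";
            }
            if ($p === '*' && $effect === 'Allow' && empty($stmt['Condition'])) {
                $findings[] = "Sid '{$sid}': allows principal * with no Condition (anyone can use the key)";
            }
        }

        // Approximation of the PutKeyPolicy lockout safety check: the account
        // root must keep kms:* or kms:PutKeyPolicy so the policy stays editable.
        if ($effect === 'Allow' && in_array($rootArn, $principals, true)
            && (in_array('kms:*', $actions, true) || in_array('kms:PutKeyPolicy', $actions, true))) {
            $adminRetained = true;
        }
    }

    if (!$adminRetained) {
        $findings[] = "No Allow statement gives {$rootArn} kms:* or kms:PutKeyPolicy; PutKeyPolicy would fail the lockout safety check";
    }
    return $findings;
}

$accountId = '111122223333';

// Constructed sample: a policy that names an IAM user called root and reuses a Sid.
$flawed = [
    'Version' => '2012-10-17',
    'Statement' => [
        ['Sid' => 'Enable IAM User Permissions', 'Effect' => 'Allow',
         'Principal' => ['AWS' => "arn:aws:iam::{$accountId}:user/root"],
         'Action' => ['kms:*'], 'Resource' => '*'],
        ['Sid' => 'Enable IAM User Permissions', 'Effect' => 'Allow',
         'Principal' => ['AWS' => "arn:aws:iam::{$accountId}:user/ExampleUser"],
         'Action' => ['kms:Encrypt*', 'kms:Decrypt*', 'kms:GenerateDataKey*'], 'Resource' => '*'],
    ],
];
// The same policy with both defects corrected.
$fixed = $flawed;
$fixed['Statement'][0]['Principal']['AWS'] = "arn:aws:iam::{$accountId}:root";
$fixed['Statement'][1]['Sid'] = 'Allow use of the key';

foreach (['flawed' => $flawed, 'fixed' => $fixed] as $name => $doc) {
    $findings = validateKeyPolicy($doc, $accountId);
    echo $name, ': ', $findings ? "\n  " . implode("\n  ", $findings) : 'ok', "\n";
}

// Only talk to Amazon KMS when a key is supplied, so the checks above run offline.
$keyId = getenv('KMS_KEY_ID');
if ($keyId !== false && $keyId !== '') {
    $client = new KmsClient(['profile' => 'default', 'version' => '2014-11-01', 'region' => 'us-west-2']);
    try {
        // Audit the policy currently attached to the key...
        $current = $client->getKeyPolicy(['KeyId' => $keyId, 'PolicyName' => 'default'])['Policy'];
        print_r(validateKeyPolicy(json_decode($current, true), $accountId));
        // ...and refuse to write one that fails the checks.
        if (validateKeyPolicy($fixed, $accountId) === []) {
            $client->putKeyPolicy([
                'KeyId' => $keyId,
                'PolicyName' => 'default',
                'Policy' => json_encode($fixed, JSON_UNESCAPED_SLASHES),
            ]);
        }
    } catch (AwsException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run offline, the flawed sample produces three findings (the duplicate Sid, the user/root principal, and the missing root statement) and the fixed sample produces none. Building the policy as a PHP array and calling json_encode, rather than pasting a JSON string into the call, also means a stray quote or comma is caught by PHP before the request is ever sent.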