

# Amazon Key Management Service examples using the Amazon SDK for PHP Version 3

Amazon Key Management Service (Amazon KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. For more information about Amazon KMS, see the [Amazon KMS documentation](http://www.amazonaws.cn/documentation/kms/). Whether you are writing secure PHP applications or sending data to other Amazon services, Amazon KMS helps you maintain control over who can use your keys and gain access to your encrypted data.

All the example code for the Amazon SDK for PHP Version 3 is available [here on GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code).

**Topics**
+ [Working with keys](kms-example-keys.md)
+ [Encrypting and decrypting data keys](kms-example-encrypt.md)
+ [Working with key policies](kms-example-key-policy.md)
+ [Working with grants](kms-example-grants.md)
+ [Working with aliases](kms-example-alias.md)

# Working with keys using the Amazon KMS API and the Amazon SDK for PHP Version 3

The primary resources in Amazon Key Management Service (Amazon KMS) are [Amazon KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys). You can use a KMS key to encrypt your data.

The following examples show how to:
+ Create a customer KMS key using [CreateKey](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#createkey).
+ Generate a data key using [GenerateDataKey](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#generatedatakey).
+ View a KMS key using [DescribeKey](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#describekey).
+ Get key IDs and key ARNs of KMS keys using [ListKeys](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeys).
+ Enable KMS keys using [EnableKey](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#enablekey).
+ Disable KMS keys using [DisableKey](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#disablekey).

## Credentials


Before running the example code, configure your Amazon credentials, as described in [Authenticating with Amazon using Amazon SDK for PHP Version 3](credentials.md). Then import the Amazon SDK for PHP, as described in [Installing the Amazon SDK for PHP Version 3](getting-started_installation.md).

For more information about using Amazon Key Management Service (Amazon KMS), see the [Amazon KMS Developer Guide](https://docs.amazonaws.cn/kms/latest/developerguide/).

## Create a KMS key


To create a [KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys), use the [CreateKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateKey.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

//Creates a customer master key (CMK) in the caller's AWS account.
$desc = "Key for protecting critical data";

try {
    $result = $KmsClient->createKey([
        'Description' => $desc,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Generate a data key


To generate a data encryption key, use the [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) operation. This operation returns plaintext and encrypted copies of the data key that it creates. Specify the Amazon KMS key under which to generate the data key.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$keySpec = 'AES_256';

try {
    $result = $KmsClient->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => $keySpec,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## View a KMS key


To get detailed information about a KMS key, including the KMS key’s Amazon Resource Name (ARN) and [key state](https://docs.amazonaws.cn/kms/latest/developerguide/key-state.html), use the [DescribeKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html) operation.

`DescribeKey` doesn’t get aliases. To get aliases, use the [ListAliases](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListAliases.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->describeKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Get the key ID and key ARNs of a KMS key


To get the ID and ARN of the KMS key, use the [ListKeys](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListKeys.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$limit = 10;

try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Enable a KMS key


To enable a disabled KMS key, use the [EnableKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_EnableKey.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Disable a KMS key


To disable a KMS key, use the [DisableKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DisableKey.html) operation. Disabling a KMS key prevents it from being used.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';

try {
    $result = $KmsClient->disableKey([
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

# Encrypting and decrypting Amazon KMS data keys using the Amazon SDK for PHP Version 3

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.

You can use an [Amazon KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys) from Amazon Key Management Service (Amazon KMS) to generate, encrypt, and decrypt data keys.

The following examples show how to:
+ Encrypt a data key using [Encrypt](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#encrypt).
+ Decrypt a data key using [Decrypt](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#decrypt).
+ Re-encrypt a data key with a new KMS key using [ReEncrypt](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#reencrypt).


## Encrypt


The [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) operation is designed to encrypt data keys, but it’s not frequently used. The [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) and [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operations return encrypted data keys. You might use the `Encrypt` method when you’re moving encrypted data to a new Amazon Region and want to encrypt its data key by using a KMS key in the new Region.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$message = pack('c*', 1, 2, 3, 4, 5, 6, 7, 8, 9, 0);

try {
    $result = $KmsClient->encrypt([
        'KeyId' => $keyId,
        'Plaintext' => $message,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Decrypt


To decrypt a data key, use the [Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) operation.

The `ciphertextBlob` that you specify must be the value of the `CiphertextBlob` field from a [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), or [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) response.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$ciphertext = 'Place your cipher text blob here';

try {
    $result = $KmsClient->decrypt([
        'CiphertextBlob' => $ciphertext,
    ]);
    $plaintext = $result['Plaintext'];
    var_dump($plaintext);
} catch (AwsException $e) {
    // Output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
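The following added example (not part of the original sample set) ties `GenerateDataKey` and `Decrypt` together as envelope encryption: the plaintext data key encrypts the data locally with AES-256-GCM, and only the encrypted data key is stored. The function names, the JSON envelope layout, and the encryption context values are assumptions made for this example, and the client Region is set to match the Region in the key ARN.

```php
<?php
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

// Hypothetical helper: encrypts $data locally under a fresh data key.
function sealEnvelope(KmsClient $kms, string $keyId, string $data, array $context): string
{
    ksort($context); // stable ordering so the same AAD is rebuilt when opening
    $dataKey = $kms->generateDataKey([
        'KeyId' => $keyId,
        'KeySpec' => 'AES_256',
        'EncryptionContext' => $context, // must be supplied again on Decrypt
    ]);

    $iv = random_bytes(12); // 96-bit nonce, unique per message
    $tag = '';
    $ciphertext = openssl_encrypt(
        $data, 'aes-256-gcm', $dataKey['Plaintext'],
        OPENSSL_RAW_DATA, $iv, $tag, json_encode($context)
    );
    if ($ciphertext === false) {
        throw new RuntimeException('Local AES-GCM encryption failed');
    }

    // Persist only the KMS-encrypted copy of the data key, never the plaintext copy.
    return json_encode([
        'key' => base64_encode($dataKey['CiphertextBlob']),
        'iv' => base64_encode($iv),
        'tag' => base64_encode($tag),
        'data' => base64_encode($ciphertext),
    ]);
}

// Hypothetical helper: asks KMS to decrypt the data key, then decrypts locally.
function openEnvelope(KmsClient $kms, string $keyId, string $envelope, array $context): string
{
    ksort($context);
    $fields = json_decode($envelope, true, 4, JSON_THROW_ON_ERROR);
    $bin = [];
    foreach (['key', 'iv', 'tag', 'data'] as $name) {
        $raw = $fields[$name] ?? null;
        $bin[$name] = is_string($raw) ? base64_decode($raw, true) : false;
        if ($bin[$name] === false || ($bin[$name] === '' && $name !== 'data')) {
            throw new InvalidArgumentException("Envelope field '$name' is missing or malformed");
        }
    }

    $result = $kms->decrypt([
        'CiphertextBlob' => $bin['key'],
        'KeyId' => $keyId,               // refuse ciphertext produced under any other key
        'EncryptionContext' => $context, // KMS rejects the call if this differs
    ]);

    $plaintext = openssl_decrypt(
        $bin['data'], 'aes-256-gcm', $result['Plaintext'],
        OPENSSL_RAW_DATA, $bin['iv'], $bin['tag'], json_encode($context)
    );
    if ($plaintext === false) {
        throw new RuntimeException('Ciphertext or context failed authentication');
    }
    return $plaintext;
}

$kms = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // same Region as the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$context = ['purpose' => 'customer-export', 'tenant' => 'example-tenant']; // constructed values

try {
    $envelope = sealEnvelope($kms, $keyId, 'constructed sample record', $context);
    echo openEnvelope($kms, $keyId, $envelope, $context), "\n";
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```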

## Reencrypt


To decrypt an encrypted data key, and then immediately reencrypt the data key under a different KMS key, use the [ReEncrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_ReEncrypt.html) operation. The operations are performed entirely on the server side within Amazon KMS, so they never expose your plaintext outside of Amazon KMS.

The `ciphertextBlob` that you specify must be the value of the `CiphertextBlob` field from a [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html), or [Encrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Encrypt.html) response.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$ciphertextBlob = 'Place your cipher text blob here';

try {
    $result = $KmsClient->reEncrypt([
        'CiphertextBlob' => $ciphertextBlob,
        'DestinationKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

# Working with Amazon KMS key policies using the Amazon SDK for PHP Version 3

When you create an [Amazon KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys), you determine who can use and manage that KMS key. These permissions are contained in a document called the key policy. You can use the key policy to add, remove, or modify permissions at any time for a customer managed KMS key, but you cannot edit the key policy for an Amazon managed KMS key. For more information, see [Authentication and access control for Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/control-access.html).

The following examples show how to:
+ List the names of key policies using [ListKeyPolicies](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listkeypolicies).
+ Get a key policy using [GetKeyPolicy](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#getkeypolicy).
+ Set a key policy using [PutKeyPolicy](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#putkeypolicy).


## List all key policies


To get the names of key policies for a KMS key, use the `ListKeyPolicies` operation. 

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$limit = 10;

try {
    $result = $KmsClient->listKeyPolicies([
        'KeyId' => $keyId,
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Retrieve a key policy


To get the key policy for a KMS key, use the `GetKeyPolicy` operation.

 `GetKeyPolicy` requires a policy name. Unless you created a key policy when you created the KMS key, the only valid policy name is the default. Learn more about the [Default key policy](https://docs.amazonaws.cn/kms/latest/developerguide/key-policy-default.html) in the *Amazon Key Management Service Developer Guide*.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default";

try {
    $result = $KmsClient->getKeyPolicy([
        'KeyId' => $keyId,
        'PolicyName' => $policyName
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Set a key policy


To establish or change a key policy for a KMS key, use the `PutKeyPolicy` operation.

`PutKeyPolicy` requires a policy name. Unless you created a key policy when you created the KMS key, the only valid policy name is the default. Learn more about the [Default key policy](https://docs.amazonaws.cn/kms/latest/developerguide/key-policy-default.html) in the *Amazon Key Management Service Developer Guide*.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$policyName = "default";

try {
    $result = $KmsClient->putKeyPolicy([
        'KeyId' => $keyId,
        'PolicyName' => $policyName,
        'Policy' => '{
            "Version":"2012-10-17",
            "Id": "custom-policy-2016-12-07", 
            "Statement": [ 
                { "Sid": "Enable IAM User Permissions", 
                "Effect": "Allow", 
                "Principal": 
                   { "AWS": "arn:aws:iam::111122223333:user/root" }, 
                "Action": [ "kms:*" ], 
                "Resource": "*" }, 
                { "Sid": "Allow use of the key", 
                "Effect": "Allow", 
                "Principal":                 
                   { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, 
                "Action": [
                    "kms:Encrypt*",
                    "kms:GenerateDataKey*",
                    "kms:Decrypt*",
                    "kms:DescribeKey*",
                    "kms:ReEncrypt*"
                ], 
                "Resource": "*" }                 
            ]            
        } '
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
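Before calling `PutKeyPolicy`, or after fetching a document with `GetKeyPolicy`, it helps to check which principals a policy really gives full control to. The following added example (not part of the original sample set) audits a policy document offline; `auditKeyPolicy` is a hypothetical helper, the two checks are choices made for this example, and the sample policy is constructed and modeled on the one above.

```php
<?php
// Hypothetical helper: returns findings for Allow statements in a key policy.
// It inspects only "Principal"/"Action" (not NotPrincipal/NotAction).
function auditKeyPolicy(string $policyJson): array
{
    $policy = json_decode($policyJson, true, 512, JSON_THROW_ON_ERROR);
    $statements = $policy['Statement'] ?? [];
    if (isset($statements['Effect'])) {
        $statements = [$statements]; // a single statement object is also valid
    }

    $findings = [];
    foreach ($statements as $i => $stmt) {
        if (($stmt['Effect'] ?? '') !== 'Allow') {
            continue;
        }
        $label = $stmt['Sid'] ?? "statement #$i";
        $actions = array_map('strtolower', (array) ($stmt['Action'] ?? []));
        $fullAccess = in_array('kms:*', $actions, true) || in_array('*', $actions, true);

        // Principal is either the string "*" or a map such as {"AWS": "..."}.
        $principal = $stmt['Principal'] ?? [];
        $arns = is_array($principal) ? (array) ($principal['AWS'] ?? []) : [$principal];

        foreach ($arns as $arn) {
            if ($arn === '*' && empty($stmt['Condition'])) {
                $findings[] = "$label: any AWS principal is allowed, with no Condition";
            } elseif ($fullAccess && !preg_match('/^arn:aws[a-z-]*:iam::\d{12}:root$/', $arn)) {
                $findings[] = "$label: kms:* granted to $arn, which is not the account root principal";
            }
        }
    }
    return $findings;
}

// Constructed sample policy. With a live key, use instead:
// $policyJson = $KmsClient->getKeyPolicy(['KeyId' => $keyId, 'PolicyName' => 'default'])['Policy'];
$policyJson = <<<'JSON'
{
  "Version": "2012-10-17",
  "Id": "constructed-sample-policy",
  "Statement": [
    { "Sid": "FullAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/root" },
      "Action": [ "kms:*" ],
      "Resource": "*" },
    { "Sid": "UseKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
      "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:GenerateDataKey*" ],
      "Resource": "*" },
    { "Sid": "OpenDescribe",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "kms:DescribeKey",
      "Resource": "*" }
  ]
}
JSON;

foreach (auditKeyPolicy($policyJson) as $finding) {
    echo $finding, "\n";
}
```

On the constructed policy this reports `FullAccess`, because `user/root` names an IAM user rather than the account root principal, and `OpenDescribe`, because of the unconditioned wildcard principal.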

# Working with grants using the Amazon KMS API and the Amazon SDK for PHP version 3

A grant is another mechanism for providing permissions. It is an alternative to the key policy. You can use grants to give long-term access that allows Amazon principals to use your Amazon Key Management Service (Amazon KMS) customer-managed [Amazon KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys). For more information, see [Grants in Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/grants.html) in the *Amazon Key Management Service Developer Guide*.

The following examples show how to:
+ Create a grant for a KMS key using [CreateGrant](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#creategrant).
+ View a grant for a KMS key using [ListGrants](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listgrants).
+ Retire a grant for a KMS key using [RetireGrant](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#retiregrant).
+ Revoke a grant for a KMS key using [RevokeGrant](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#revokegrant).


## Create a grant


To create a grant for an Amazon KMS key, use the [CreateGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateGrant.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
$operation = ['Encrypt', 'Decrypt']; // A list of operations that the grant allows.

try {
    $result = $KmsClient->createGrant([
        'GranteePrincipal' => $granteePrincipal,
        'KeyId' => $keyId,
        'Operations' => $operation
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## View a grant


To get detailed information about the grants on an Amazon KMS key, use the [ListGrants](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListGrants.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$limit = 10;

try {
    $result = $KmsClient->listGrants([
        'KeyId' => $keyId,
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Retire a grant


To retire a grant for an Amazon KMS key, use the [RetireGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_RetireGrant.html) operation. Retire a grant to clean up after you finish using it.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$grantToken = 'Place your grant token here';

try {
    $result = $KmsClient->retireGrant([
        'GrantToken' => $grantToken,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}

//Can also identify grant to retire by a combination of the grant ID
//and the Amazon Resource Name (ARN) of the customer master key (CMK)
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$grantId = 'Unique identifier of the grant returned during CreateGrant operation';

try {
    $result = $KmsClient->retireGrant([
        'GrantId' => $grantId,
        'KeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Revoke a grant


To revoke a grant to an Amazon KMS key, use the [RevokeGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_RevokeGrant.html) operation. You can revoke a grant to explicitly deny operations that depend on it.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$grantId = "grant1";

try {
    $result = $KmsClient->revokeGrant([
        'KeyId' => $keyId,
        'GrantId' => $grantId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```
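A single `ListGrants` call with a `Limit` returns only the first page, so a review that decides what to revoke has to follow `Truncated` and `NextMarker`. The following added example (not part of the original sample set) collects every grant on a key and flags the ones worth a closer look; the helper names, the allow list, and the three checks are assumptions made for this example.

```php
<?php
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;

// Hypothetical helper: collects every grant on a key across all result pages.
function listAllGrants(KmsClient $kms, string $keyId): array
{
    $grants = [];
    $params = ['KeyId' => $keyId, 'Limit' => 50];
    do {
        $page = $kms->listGrants($params);
        foreach ($page['Grants'] ?? [] as $grant) {
            $grants[] = $grant;
        }
        $params['Marker'] = $page['NextMarker'] ?? null;
    } while (!empty($page['Truncated']) && $params['Marker'] !== null);
    return $grants;
}

// Hypothetical helper: maps GrantId => list of reasons the grant needs review.
function reviewGrants(array $grants, array $allowedGrantees): array
{
    $review = [];
    foreach ($grants as $grant) {
        $reasons = [];
        $operations = $grant['Operations'] ?? [];
        if (!in_array($grant['GranteePrincipal'] ?? '', $allowedGrantees, true)) {
            $reasons[] = 'grantee is not on the allow list';
        }
        if (in_array('CreateGrant', $operations, true)) {
            $reasons[] = 'grantee can create further grants';
        }
        if (empty($grant['Constraints']) && array_intersect($operations, ['Decrypt', 'Encrypt'])) {
            $reasons[] = 'cryptographic operations with no encryption context constraint';
        }
        if ($reasons) {
            $review[$grant['GrantId'] ?? 'unknown'] = $reasons;
        }
    }
    return $review;
}

$KmsClient = new KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-west-2', // same Region as the key ARN below
]);
$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$allowedGrantees = ['arn:aws:iam::111122223333:user/Alice']; // constructed allow list

try {
    $review = reviewGrants(listAllGrants($KmsClient, $keyId), $allowedGrantees);
    foreach ($review as $grantId => $reasons) {
        echo $grantId, ': ', implode('; ', $reasons), "\n";
        // After confirming the grant is unwanted, revoke it as shown above:
        // $KmsClient->revokeGrant(['KeyId' => $keyId, 'GrantId' => $grantId]);
    }
} catch (AwsException $e) {
    echo $e->getAwsErrorCode(), ': ', $e->getMessage(), "\n";
}
```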

# Working with aliases using the Amazon KMS API and the Amazon SDK for PHP Version 3

Amazon Key Management Service (Amazon KMS) provides an optional display name for an [Amazon KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#kms_keys) called an alias.

The following examples show how to:
+ Create an alias using [CreateAlias](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#createalias).
+ View an alias using [ListAliases](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#listaliases).
+ Update an alias using [UpdateAlias](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#updatealias).
+ Delete an alias using [DeleteAlias](https://docs.amazonaws.cn/aws-sdk-php/v3/api/api-kms-2014-11-01.html#deletealias).


## Create an alias


To create an alias for a KMS key, use the [CreateAlias](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateAlias.html) operation. The alias must be unique in the account and Amazon Region. If you create an alias for a KMS key that already has an alias, `CreateAlias` creates another alias to the same KMS key. It doesn’t replace the existing alias.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$aliasName = "alias/projectKey1";

try {
    $result = $KmsClient->createAlias([
        'AliasName' => $aliasName,
        'TargetKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## View an alias


To list all aliases in the caller's Amazon Web Services account and Amazon Web Services Region, use the [ListAliases](https://docs.amazonaws.cn/kms/latest/APIReference/API_ListAliases.html) operation. 

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$limit = 10;

try {
    $result = $KmsClient->listAliases([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Update an alias


To associate an existing alias with a different KMS key, use the [UpdateAlias](https://docs.amazonaws.cn/kms/latest/APIReference/API_UpdateAlias.html) operation.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$keyId = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
$aliasName = "alias/projectKey1";

try {
    $result = $KmsClient->updateAlias([
        'AliasName' => $aliasName,
        'TargetKeyId' => $keyId,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```

## Delete an alias


To delete an alias, use the [DeleteAlias](https://docs.amazonaws.cn/kms/latest/APIReference/API_DeleteAlias.html) operation. Deleting an alias has no effect on the underlying KMS key.

 **Imports** 

```
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
```

 **Sample Code** 

```
$KmsClient = new Aws\Kms\KmsClient([
    'profile' => 'default',
    'version' => '2014-11-01',
    'region' => 'us-east-2'
]);

$aliasName = "alias/projectKey1";

try {
    $result = $KmsClient->deleteAlias([
        'AliasName' => $aliasName,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    // output error message if fails
    echo $e->getMessage();
    echo "\n";
}
```