**To change the key policy for a customer master key (CMK)**

The following ``put-key-policy`` example changes the key policy for a customer managed CMK. 

To begin, create a key policy and save it in a local JSON file. In this example, the file is ``key_policy.json``. You can also specify the key policy as a string value of the ``policy`` parameter. 

The first statement in this key policy gives the AWS account permission to use IAM policies to control access to the CMK. The second statement gives the ``test-user`` user permission to run the ``describe-key`` and ``list-keys`` commands on the CMK.  

Contents of ``key_policy.json``::

    {
        "Version" : "2012-10-17",
        "Id" : "key-default-1",
        "Statement" : [
            {
                "Sid" : "Enable IAM User Permissions",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:root"
                },
                "Action" : "kms:*",
                "Resource" : "*"
            },
            {
                "Sid" : "Allow Use of Key",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:user/test-user"
                },
                "Action" : [
                    "kms:DescribeKey",
                    "kms:ListKeys"
                ],
                "Resource" : "*"
            }
        ]
    }

To identify the CMK, this example uses the key ID, but you can also use a key ARN. To specify the key policy, the command uses the ``policy`` parameter. To indicate that the policy is in a file, it uses the required ``file://`` prefix. This prefix is required to identify files on all supported operating systems. Finally, the command uses the ``policy-name`` parameter with a value of ``default``. This parameter is required, even though ``default`` is the only valid value. ::

    aws kms put-key-policy \
        --policy-name default \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --policy file://key_policy.json

This command does not produce any output. To verify that the command was effective, use the ``get-key-policy`` command. The following example command gets the key policy for the same CMK. The ``output`` parameter with a value of ``text`` returns a text format that is easy to read. ::

    aws kms get-key-policy \
        --policy-name default \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --output text

Output::

    {
        "Version" : "2012-10-17",
        "Id" : "key-default-1",
        "Statement" : [
            {
                "Sid" : "Enable IAM User Permissions",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:root"
                },
                "Action" : "kms:*",
                "Resource" : "*"
            },
            {
                "Sid" : "Allow Use of Key",
                "Effect" : "Allow",
                "Principal" : {
                    "AWS" : "arn:aws:iam::111122223333:user/test-user"
                },
                "Action" : [ "kms:DescribeKey", "kms:ListKeys" ],
                "Resource" : "*"
            }
        ]
    }
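
A check that could run around the two commands above (an added example, not part of the AWS CLI or its documentation): ``lint`` inspects the policy file before ``put-key-policy``, and ``same_policy`` compares it with the document returned by ``get-key-policy``, ignoring statement order and string-versus-list differences. The function names and the two lint rules are assumptions made for this example.

```python
import json

# Constructed input: the key_policy.json shown above, embedded so this runs offline.
KEY_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Use of Key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/test-user"},
         "Action": ["kms:DescribeKey", "kms:ListKeys"], "Resource": "*"}]})

def as_list(value):
    """Policy fields may be one string or a list of strings; always return a list."""
    return value if isinstance(value, list) else [value]

def normalize(policy_json):
    """Return the statements in a canonical form that ignores ordering and string-vs-list."""
    statements = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        stmt = dict(stmt)
        for field in ("Action", "Resource"):
            if field in stmt:
                stmt[field] = sorted(as_list(stmt[field]))
        if isinstance(stmt.get("Principal"), dict):
            stmt["Principal"] = {k: sorted(as_list(v)) for k, v in stmt["Principal"].items()}
        statements.append(stmt)
    return sorted(statements, key=lambda s: json.dumps(s, sort_keys=True))

def same_policy(local_json, applied_json):
    """True when the policy read back from the key matches the local file."""
    return normalize(local_json) == normalize(applied_json)

def lint(policy_json):
    """Hypothetical pre-flight checks (illustrative rules, not an AWS validator)."""
    findings = []
    allows = [s for s in normalize(policy_json) if s.get("Effect") == "Allow"]
    granted = {a.lower() for s in allows for a in s.get("Action", [])}
    if not granted & {"kms:*", "kms:putkeypolicy"}:
        findings.append("no Allow statement grants kms:PutKeyPolicy")
    for s in allows:
        p = s.get("Principal")
        if (p == "*" or (isinstance(p, dict) and "*" in p.get("AWS", []))) and "Condition" not in s:
            findings.append(f"{s.get('Sid')}: wildcard principal without a Condition")
    return findings

if __name__ == "__main__":
    print(lint(KEY_POLICY) or "no findings")
```

To use it against a real key, pass the contents of ``key_policy.json`` and the text returned by ``get-key-policy --output text`` to ``same_policy``.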

For more information, see `Changing a Key Policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html>`__ in the *AWS Key Management Service Developer Guide*.