:doc:`KMS <../../kms>` / Client / describe_key

************
describe_key
************



.. py:method:: KMS.Client.describe_key(**kwargs)

  

  Provides detailed information about a KMS key. You can run ``DescribeKey`` on a `customer managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-mgn-key>`__ or an `Amazon Web Services managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key>`__.

   

  This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like ``KeySpec``, that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or generating and verifying MACs) and the algorithms that the KMS key supports.

   

  For `multi-Region keys <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html>`__, ``DescribeKey`` displays the primary key and all related replica keys. For KMS keys in `CloudHSM key stores <https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html>`__, it includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in `external key stores <https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html>`__, it includes the custom key store ID and the ID of the external key.

   

  ``DescribeKey`` does not return the following information:

   

  
  * Aliases associated with the KMS key. To get this information, use  ListAliases.
   
  * Whether automatic key rotation is enabled on the KMS key. To get this information, use  GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For details, see `How key rotation works <https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works>`__ in the *Key Management Service Developer Guide*.
   
  * Tags on the KMS key. To get this information, use  ListResourceTags.
   
  * Key policies and grants on the KMS key. To get this information, use  GetKeyPolicy and  ListGrants.
  

   

  In general, ``DescribeKey`` is a non-mutating operation. It returns data about KMS keys, but doesn't change them. However, Amazon Web Services services use ``DescribeKey`` to create `Amazon Web Services managed keys <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key>`__ from a *predefined Amazon Web Services alias* with no key ID.

   

  **Cross-account use**: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the ``KeyId`` parameter.

   

  **Required permissions**: `kms\:DescribeKey <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html>`__ (key policy)

   

  **Related operations:**

   

  
  *  GetKeyPolicy
   
  *  GetKeyRotationStatus
   
  *  ListAliases
   
  *  ListGrants
   
  *  ListKeys
   
  *  ListResourceTags
   
  *  ListRetirableGrants
  

   

  **Eventual consistency**: The KMS API follows an eventual consistency model. For more information, see `KMS eventual consistency <https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency>`__.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey>`_  


  **Request Syntax**
  ::

    response = client.describe_key(
        KeyId='string',
        GrantTokens=[
            'string',
        ]
    )
    
  :type KeyId: string
  :param KeyId: **[REQUIRED]** 

    Describes the specified KMS key.

     

    If you specify a predefined Amazon Web Services alias (an Amazon Web Services alias with no key ID), KMS associates the alias with an `Amazon Web Services managed key <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-key>`__ and returns its ``KeyId`` and ``Arn`` in the response.

     

    To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. When using an alias name, prefix it with ``"alias/"``. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN or alias ARN.

     

    For example:

     

    
    * Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab``
     
    * Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab``
     
    * Alias name: ``alias/ExampleAlias``
     
    * Alias ARN: ``arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias``
    

     

    To get the key ID and key ARN for a KMS key, use  ListKeys or  DescribeKey. To get the alias name and alias ARN, use  ListAliases.

    

  
  :type GrantTokens: list
  :param GrantTokens: 

    A list of grant tokens.

     

    Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved *eventual consistency*. For more information, see `Grant token <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token>`__ and `Using a grant token <https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html>`__ in the *Key Management Service Developer Guide*.

    

  
    - *(string) --* 

    

  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'KeyMetadata': {
              'AWSAccountId': 'string',
              'KeyId': 'string',
              'Arn': 'string',
              'CreationDate': datetime(2015, 1, 1),
              'Enabled': True|False,
              'Description': 'string',
              'KeyUsage': 'SIGN_VERIFY'|'ENCRYPT_DECRYPT'|'GENERATE_VERIFY_MAC'|'KEY_AGREEMENT',
              'KeyState': 'Creating'|'Enabled'|'Disabled'|'PendingDeletion'|'PendingImport'|'PendingReplicaDeletion'|'Unavailable'|'Updating',
              'DeletionDate': datetime(2015, 1, 1),
              'ValidTo': datetime(2015, 1, 1),
              'Origin': 'AWS_KMS'|'EXTERNAL'|'AWS_CLOUDHSM'|'EXTERNAL_KEY_STORE',
              'CustomKeyStoreId': 'string',
              'CloudHsmClusterId': 'string',
              'ExpirationModel': 'KEY_MATERIAL_EXPIRES'|'KEY_MATERIAL_DOES_NOT_EXPIRE',
              'KeyManager': 'AWS'|'CUSTOMER',
              'CustomerMasterKeySpec': 'RSA_2048'|'RSA_3072'|'RSA_4096'|'ECC_NIST_P256'|'ECC_NIST_P384'|'ECC_NIST_P521'|'ECC_SECG_P256K1'|'SYMMETRIC_DEFAULT'|'HMAC_224'|'HMAC_256'|'HMAC_384'|'HMAC_512'|'SM2',
              'KeySpec': 'RSA_2048'|'RSA_3072'|'RSA_4096'|'ECC_NIST_P256'|'ECC_NIST_P384'|'ECC_NIST_P521'|'ECC_SECG_P256K1'|'SYMMETRIC_DEFAULT'|'HMAC_224'|'HMAC_256'|'HMAC_384'|'HMAC_512'|'SM2'|'ML_DSA_44'|'ML_DSA_65'|'ML_DSA_87'|'ECC_NIST_EDWARDS25519',
              'EncryptionAlgorithms': [
                  'SYMMETRIC_DEFAULT'|'RSAES_OAEP_SHA_1'|'RSAES_OAEP_SHA_256'|'SM2PKE',
              ],
              'SigningAlgorithms': [
                  'RSASSA_PSS_SHA_256'|'RSASSA_PSS_SHA_384'|'RSASSA_PSS_SHA_512'|'RSASSA_PKCS1_V1_5_SHA_256'|'RSASSA_PKCS1_V1_5_SHA_384'|'RSASSA_PKCS1_V1_5_SHA_512'|'ECDSA_SHA_256'|'ECDSA_SHA_384'|'ECDSA_SHA_512'|'SM2DSA'|'ML_DSA_SHAKE_256'|'ED25519_SHA_512'|'ED25519_PH_SHA_512',
              ],
              'KeyAgreementAlgorithms': [
                  'ECDH',
              ],
              'MultiRegion': True|False,
              'MultiRegionConfiguration': {
                  'MultiRegionKeyType': 'PRIMARY'|'REPLICA',
                  'PrimaryKey': {
                      'Arn': 'string',
                      'Region': 'string'
                  },
                  'ReplicaKeys': [
                      {
                          'Arn': 'string',
                          'Region': 'string'
                      },
                  ]
              },
              'PendingDeletionWindowInDays': 123,
              'MacAlgorithms': [
                  'HMAC_SHA_224'|'HMAC_SHA_256'|'HMAC_SHA_384'|'HMAC_SHA_512',
              ],
              'XksKeyConfiguration': {
                  'Id': 'string'
              },
              'CurrentKeyMaterialId': 'string'
          }
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **KeyMetadata** *(dict) --* 

        Metadata associated with the key.

        
        

        - **AWSAccountId** *(string) --* 

          The twelve-digit account ID of the Amazon Web Services account that owns the KMS key.

          
        

        - **KeyId** *(string) --* 

          The globally unique identifier for the KMS key.

          
        

        - **Arn** *(string) --* 

          The Amazon Resource Name (ARN) of the KMS key. For examples, see `Key Management Service (KMS) <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms>`__ in the Example ARNs section of the *Amazon Web Services General Reference*.

          
        

        - **CreationDate** *(datetime) --* 

          The date and time when the KMS key was created.

          
        

        - **Enabled** *(boolean) --* 

          Specifies whether the KMS key is enabled. When ``KeyState`` is ``Enabled`` this value is true, otherwise it is false.

          
        

        - **Description** *(string) --* 

          The description of the KMS key.

          
        

        - **KeyUsage** *(string) --* 

          The `cryptographic operations <https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations>`__ for which you can use the KMS key.

          
        

        - **KeyState** *(string) --* 

          The current status of the KMS key.

           

          For more information about how key state affects the use of a KMS key, see `Key states of KMS keys <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html>`__ in the *Key Management Service Developer Guide*.

          
        

        - **DeletionDate** *(datetime) --* 

          The date and time after which KMS deletes this KMS key. This value is present only when the KMS key is scheduled for deletion, that is, when its ``KeyState`` is ``PendingDeletion``.

           

          When the primary key in a multi-Region key is scheduled for deletion but still has replica keys, its key state is ``PendingReplicaDeletion`` and the length of its waiting period is displayed in the ``PendingDeletionWindowInDays`` field.

          
        

        - **ValidTo** *(datetime) --* 

          The earliest time at which any imported key material permanently associated with this KMS key expires. When a key material expires, KMS deletes the key material and the KMS key becomes unusable. This value is present only for KMS keys whose ``Origin`` is ``EXTERNAL`` and the ``ExpirationModel`` is ``KEY_MATERIAL_EXPIRES``, otherwise this value is omitted.

          
        

        - **Origin** *(string) --* 

          The source of the key material for the KMS key. When this value is ``AWS_KMS``, KMS created the key material. When this value is ``EXTERNAL``, the key material was imported or the KMS key doesn't have any key material. When this value is ``AWS_CLOUDHSM``, the key material was created in the CloudHSM cluster associated with a custom key store.

          
        

        - **CustomKeyStoreId** *(string) --* 

          A unique identifier for the `custom key store <https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html>`__ that contains the KMS key. This field is present only when the KMS key is created in a custom key store.

          
        

        - **CloudHsmClusterId** *(string) --* 

          The cluster ID of the CloudHSM cluster that contains the key material for the KMS key. When you create a KMS key in an CloudHSM `custom key store <https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html>`__, KMS creates the key material for the KMS key in the associated CloudHSM cluster. This field is present only when the KMS key is created in an CloudHSM key store.

          
        

        - **ExpirationModel** *(string) --* 

          Specifies whether the KMS key's key material expires. This value is present only when ``Origin`` is ``EXTERNAL``, otherwise this value is omitted.

          
        

        - **KeyManager** *(string) --* 

          The manager of the KMS key. KMS keys in your Amazon Web Services account are either customer managed or Amazon Web Services managed. For more information about the difference, see `KMS keys <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys>`__ in the *Key Management Service Developer Guide*.

          
        

        - **CustomerMasterKeySpec** *(string) --* 

          Instead, use the ``KeySpec`` field.

           

          The ``KeySpec`` and ``CustomerMasterKeySpec`` fields have the same value. We recommend that you use the ``KeySpec`` field in your code. However, to avoid breaking changes, KMS supports both fields.

          
        

        - **KeySpec** *(string) --* 

          Describes the type of key material in the KMS key.

          
        

        - **EncryptionAlgorithms** *(list) --* 

          The encryption algorithms that the KMS key supports. You cannot use the KMS key with other encryption algorithms within KMS.

           

          This value is present only when the ``KeyUsage`` of the KMS key is ``ENCRYPT_DECRYPT``.

          
          

          - *(string) --* 
      
        

        - **SigningAlgorithms** *(list) --* 

          The signing algorithms that the KMS key supports. You cannot use the KMS key with other signing algorithms within KMS.

           

          This field appears only when the ``KeyUsage`` of the KMS key is ``SIGN_VERIFY``.

          
          

          - *(string) --* 
      
        

        - **KeyAgreementAlgorithms** *(list) --* 

          The key agreement algorithm used to derive a shared secret.

          
          

          - *(string) --* 
      
        

        - **MultiRegion** *(boolean) --* 

          Indicates whether the KMS key is a multi-Region ( ``True``) or regional ( ``False``) key. This value is ``True`` for multi-Region primary and replica keys and ``False`` for regional KMS keys.

           

          For more information about multi-Region keys, see `Multi-Region keys in KMS <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html>`__ in the *Key Management Service Developer Guide*.

          
        

        - **MultiRegionConfiguration** *(dict) --* 

          Lists the primary and replica keys in same multi-Region key. This field is present only when the value of the ``MultiRegion`` field is ``True``.

           

          For more information about any listed KMS key, use the  DescribeKey operation.

           

          
          * ``MultiRegionKeyType`` indicates whether the KMS key is a ``PRIMARY`` or ``REPLICA`` key.
           
          * ``PrimaryKey`` displays the key ARN and Region of the primary key. This field displays the current KMS key if it is the primary key.
           
          * ``ReplicaKeys`` displays the key ARNs and Regions of all replica keys. This field includes the current KMS key if it is a replica key.
          

          
          

          - **MultiRegionKeyType** *(string) --* 

            Indicates whether the KMS key is a ``PRIMARY`` or ``REPLICA`` key.

            
          

          - **PrimaryKey** *(dict) --* 

            Displays the key ARN and Region of the primary key. This field includes the current KMS key if it is the primary key.

            
            

            - **Arn** *(string) --* 

              Displays the key ARN of a primary or replica key of a multi-Region key.

              
            

            - **Region** *(string) --* 

              Displays the Amazon Web Services Region of a primary or replica key in a multi-Region key.

              
        
          

          - **ReplicaKeys** *(list) --* 

            displays the key ARNs and Regions of all replica keys. This field includes the current KMS key if it is a replica key.

            
            

            - *(dict) --* 

              Describes the primary or replica key in a multi-Region key.

              
              

              - **Arn** *(string) --* 

                Displays the key ARN of a primary or replica key of a multi-Region key.

                
              

              - **Region** *(string) --* 

                Displays the Amazon Web Services Region of a primary or replica key in a multi-Region key.

                
          
        
      
        

        - **PendingDeletionWindowInDays** *(integer) --* 

          The waiting period before the primary key in a multi-Region key is deleted. This waiting period begins when the last of its replica keys is deleted. This value is present only when the ``KeyState`` of the KMS key is ``PendingReplicaDeletion``. That indicates that the KMS key is the primary key in a multi-Region key, it is scheduled for deletion, and it still has existing replica keys.

           

          When a single-Region KMS key or a multi-Region replica key is scheduled for deletion, its deletion date is displayed in the ``DeletionDate`` field. However, when the primary key in a multi-Region key is scheduled for deletion, its waiting period doesn't begin until all of its replica keys are deleted. This value displays that waiting period. When the last replica key in the multi-Region key is deleted, the ``KeyState`` of the scheduled primary key changes from ``PendingReplicaDeletion`` to ``PendingDeletion`` and the deletion date appears in the ``DeletionDate`` field.

          
        

        - **MacAlgorithms** *(list) --* 

          The message authentication code (MAC) algorithm that the HMAC KMS key supports.

           

          This value is present only when the ``KeyUsage`` of the KMS key is ``GENERATE_VERIFY_MAC``.

          
          

          - *(string) --* 
      
        

        - **XksKeyConfiguration** *(dict) --* 

          Information about the external key that is associated with a KMS key in an external key store.

           

          For more information, see `External key <https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key>`__ in the *Key Management Service Developer Guide*.

          
          

          - **Id** *(string) --* 

            The ID of the external key in its external key manager. This is the ID that the external key store proxy uses to identify the external key.

            
      
        

        - **CurrentKeyMaterialId** *(string) --* 

          Identifies the current key material. This value is present for symmetric encryption keys with ``AWS_KMS`` or ``EXTERNAL`` origin. These KMS keys support automatic or on-demand key rotation and can have multiple key materials associated with them. KMS uses the current key material for both encryption and decryption, and the non-current key material for decryption operations only.

          
    
  
  **Exceptions**
  
  *   :py:class:`KMS.Client.exceptions.NotFoundException`

  
  *   :py:class:`KMS.Client.exceptions.InvalidArnException`

  
  *   :py:class:`KMS.Client.exceptions.DependencyTimeoutException`

  
  *   :py:class:`KMS.Client.exceptions.KMSInternalException`

  

  **Examples**

  The following example gets metadata for a symmetric encryption KMS key.
  ::

    response = client.describe_key(
        # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
        KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        # An object that contains information about the specified KMS key.
        'KeyMetadata': {
            'AWSAccountId': '111122223333',
            'Arn': 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
            'CreationDate': datetime(2017, 7, 5, 14, 4, 55, 2, 186, 0),
            'CustomerMasterKeySpec': 'SYMMETRIC_DEFAULT',
            'Description': '',
            'Enabled': True,
            'EncryptionAlgorithms': [
                'SYMMETRIC_DEFAULT',
            ],
            'KeyId': '1234abcd-12ab-34cd-56ef-1234567890ab',
            'KeyManager': 'CUSTOMER',
            'KeySpec': 'SYMMETRIC_DEFAULT',
            'KeyState': 'Enabled',
            'KeyUsage': 'ENCRYPT_DECRYPT',
            'MultiRegion': False,
            'Origin': 'AWS_KMS',
        },
        'ResponseMetadata': {
            '...': '...',
        },
    }

  

  The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.
  ::

    response = client.describe_key(
        # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
        KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        # An object that contains information about the specified KMS key.
        'KeyMetadata': {
            'AWSAccountId': '111122223333',
            'Arn': 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
            'CreationDate': 1571767572.317,
            'CustomerMasterKeySpec': 'RSA_2048',
            'Description': '',
            'Enabled': False,
            'KeyId': '1234abcd-12ab-34cd-56ef-1234567890ab',
            'KeyManager': 'CUSTOMER',
            'KeySpec': 'RSA_2048',
            'KeyState': 'Disabled',
            'KeyUsage': 'SIGN_VERIFY',
            'MultiRegion': False,
            'Origin': 'AWS_KMS',
            'SigningAlgorithms': [
                'RSASSA_PKCS1_V1_5_SHA_256',
                'RSASSA_PKCS1_V1_5_SHA_384',
                'RSASSA_PKCS1_V1_5_SHA_512',
                'RSASSA_PSS_SHA_256',
                'RSASSA_PSS_SHA_384',
                'RSASSA_PSS_SHA_512',
            ],
        },
        'ResponseMetadata': {
            '...': '...',
        },
    }

  

  The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key. DescribeKey returns information about the primary key and all of its replicas.
  ::

    response = client.describe_key(
        # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
        KeyId='arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        # An object that contains information about the specified KMS key.
        'KeyMetadata': {
            'AWSAccountId': '111122223333',
            'Arn': 'arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
            'CreationDate': 1586329200.918,
            'CustomerMasterKeySpec': 'SYMMETRIC_DEFAULT',
            'Description': '',
            'Enabled': True,
            'EncryptionAlgorithms': [
                'SYMMETRIC_DEFAULT',
            ],
            'KeyId': 'mrk-1234abcd12ab34cd56ef1234567890ab',
            'KeyManager': 'CUSTOMER',
            'KeyState': 'Enabled',
            'KeyUsage': 'ENCRYPT_DECRYPT',
            'MultiRegion': True,
            'MultiRegionConfiguration': {
                'MultiRegionKeyType': 'PRIMARY',
                'PrimaryKey': {
                    'Arn': 'arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                    'Region': 'us-west-2',
                },
                'ReplicaKeys': [
                    {
                        'Arn': 'arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                        'Region': 'eu-west-1',
                    },
                    {
                        'Arn': 'arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                        'Region': 'ap-northeast-1',
                    },
                    {
                        'Arn': 'arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                        'Region': 'sa-east-1',
                    },
                ],
            },
            'Origin': 'AWS_KMS',
        },
        'ResponseMetadata': {
            '...': '...',
        },
    }

  

  The following example gets the metadata of an HMAC KMS key. 
  ::

    response = client.describe_key(
        # An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
        KeyId='arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        # An object that contains information about the specified KMS key.
        'KeyMetadata': {
            'AWSAccountId': '123456789012',
            'Arn': 'arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
            'CreationDate': 1566160362.664,
            'CustomerMasterKeySpec': 'HMAC_256',
            'Description': 'Development test key',
            'Enabled': True,
            'KeyId': '1234abcd-12ab-34cd-56ef-1234567890ab',
            'KeyManager': 'CUSTOMER',
            'KeyState': 'Enabled',
            'KeyUsage': 'GENERATE_VERIFY_MAC',
            'MacAlgorithms': [
                'HMAC_SHA_256',
            ],
            'MultiRegion': False,
            'Origin': 'AWS_KMS',
        },
        'ResponseMetadata': {
            '...': '...',
        },
    }

  