:doc:`KMS <../../kms>` / Client / get_key_policy

**************
get_key_policy
**************



.. py:method:: KMS.Client.get_key_policy(**kwargs)

  

  Gets a key policy attached to the specified KMS key.

   

  **Cross-account use**: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

   

  **Required permissions**: `kms\:GetKeyPolicy <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html>`__ (key policy)

   

  **Related operations**: `PutKeyPolicy <https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html>`__

   

  **Eventual consistency**: The KMS API follows an eventual consistency model. For more information, see `KMS eventual consistency <https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency>`__.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy>`_  


  **Request Syntax**
  ::

    response = client.get_key_policy(
        KeyId='string',
        PolicyName='string'
    )
    
  :type KeyId: string
  :param KeyId: **[REQUIRED]** 

    Gets the key policy for the specified KMS key.

     

    Specify the key ID or key ARN of the KMS key.

     

    For example:

     

    
    * Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab``
     
    * Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab``
    

     

    To get the key ID and key ARN for a KMS key, use  ListKeys or  DescribeKey.

    

  
  :type PolicyName: string
  :param PolicyName: 

    Specifies the name of the key policy. If no policy name is specified, the default value is ``default``. The only valid name is ``default``. To get the names of key policies, use  ListKeyPolicies.

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'Policy': 'string',
          'PolicyName': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **Policy** *(string) --* 

        A key policy document in JSON format.

        
      

      - **PolicyName** *(string) --* 

        The name of the key policy. The only valid value is ``default``.

        
  
  **Exceptions**
  
  *   :py:class:`KMS.Client.exceptions.NotFoundException`

  
  *   :py:class:`KMS.Client.exceptions.InvalidArnException`

  
  *   :py:class:`KMS.Client.exceptions.DependencyTimeoutException`

  
  *   :py:class:`KMS.Client.exceptions.KMSInternalException`

  
  *   :py:class:`KMS.Client.exceptions.KMSInvalidStateException`

  

  **Examples**

  The following example retrieves the key policy for the specified KMS key.
  ::

    response = client.get_key_policy(
        # The identifier of the KMS key whose key policy you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
        KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
        # The name of the key policy to retrieve.
        PolicyName='default',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        # The key policy document.
        'Policy': '{\n  "Version" : "2012-10-17",\n  "Id" : "key-default-1",\n  "Statement" : [ {\n    "Sid" : "Enable IAM User Permissions",\n    "Effect" : "Allow",\n    "Principal" : {\n      "AWS" : "arn:aws:iam::111122223333:root"\n    },\n    "Action" : "kms:*",\n    "Resource" : "*"\n  } ]\n}',
        'ResponseMetadata': {
            '...': '...',
        },
    }

  