ikan Uploader :
Directory : /usr/share/doc/awscli/examples/kms/
Upload File : |
| Current File : //usr/share/doc/awscli/examples/kms/put-key-policy.rst |
**To change the key policy for a customer master key (CMK)**
The following ``put-key-policy`` example changes the key policy for a customer managed CMK.
To begin, create a key policy and save it in a local JSON file. In this example, the file is ``key_policy.json``. You can also specify the key policy as a string value of the ``policy`` parameter.
The first statement in this key policy gives the AWS account permission to use IAM policies to control access to the CMK. The second statement gives the ``test-user`` user permission to run the ``describe-key`` and ``list-keys`` commands on the CMK.
Contents of ``key_policy.json``::
{
"Version" : "2012-10-17",
"Id" : "key-default-1",
"Statement" : [
{
"Sid" : "Enable IAM User Permissions",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:root"
},
"Action" : "kms:",
"Resource" : "*"
},
{
"Sid" : "Allow Use of Key",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:user/test-user"
},
"Action" : [
"kms:DescribeKey",
"kms:ListKeys"
],
"Resource" : "*"
}
]
}
To identify the CMK, this example uses the key ID, but you can also usa key ARN. To specify the key policy, the command uses the ``policy`` parameter. To indicate that the policy is in a file, it uses the required ``file://`` prefix. This prefix is required to identify files on all supported operating systems. Finally, the command uses the ``policy-name`` parameter with a value of ``default``. This parameter is required, even though ``default`` is the only valid value. ::
aws kms put-key-policy \
--policy-name default \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--policy file://key_policy.json
This command does not produce any output. To verify that the command was effective, use the ``get-key-policy`` command. The following example command gets the key policy for the same CMK. The ``output`` parameter with a value of ``text`` returns a text format that is easy to read. ::
aws kms get-key-policy \
--policy-name default \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--output text
Output::
{
"Version" : "2012-10-17",
"Id" : "key-default-1",
"Statement" : [
{
"Sid" : "Enable IAM User Permissions",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:root"
},
"Action" : "kms:",
"Resource" : "*"
},
{
"Sid" : "Allow Use of Key",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::111122223333:user/test-user"
},
"Action" : [ "kms:Describe", "kms:List" ],
"Resource" : "*"
}
]
}
For more information, see `Changing a Key Policy <https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html>`__ in the *AWS Key Management Service Developer Guide*.
Kontol Shell Bypass