This topic provides an example of how to call an operation to query the details of a key.
View API documentation
To query the details of a KMS key, call the DescribeKey operation. For more information, see DescribeKey. For more information about the data and permissions that are required to call this operation, see API documentation.
Create a RAM user and grant permissions to the RAM user
Identity
You can call this operation by using an Alibaba Cloud account, a Resource Access Management (RAM) user, or a RAM role. For information about the differences between the identities, see Overview. In this topic, a RAM user is used as an example.
You can log on to the RAM console, create a RAM user, grant the RAM user only the permissions that are required to call operations, and then record the AccessKey pair. For information about how to create a RAM user, see Create a RAM user.
Authorization
On the Users page of the RAM console, find the RAM user that you want to manage and click Add Permissions in the Actions column.
In the Policy section, enter the keyword AliyunKMS and select the FullAccess policy.
Note: KMS provides the following system policies:
AliyunKMSCryptoAdminAccess: the permission to manage keys in KMS
AliyunKMSCryptoUserAccess: the permission to use KMS keys for cryptographic operations
AliyunKMSFullAccess: the full permissions on KMS resources
AliyunKMSReadOnlyAccess: the read-only permission on KMS resources
AliyunKMSSecretAdminAccess: the permission to manage secrets in KMS
AliyunKMSSecretUserAccess: the permission to retrieve secrets in KMS
For more information about how to create a custom policy, see Custom policies.
Click Grant permissions to complete the authorization.
Credentials
By default, an AccessKey pair is generated when you create a RAM user. You can also go to the details page of the RAM user. On the Authentication tab, click Create AccessKey to create an AccessKey pair. For more information, see Create an AccessKey pair.
Call the operation
The following example shows how to call the operation in Python.
Prepare a Python environment
Download and install Python.
For more information about how to download Python 3, visit Python 3.
Check the version of Python.
Linux and macOS
Open the terminal and run the python --version command.
Windows
In the Python installation directory, double-click python.exe.
Start the Command Prompt.
Press Win+R to open the Run dialog box, enter python, and then click OK.
Configure environment variables
In this example, environment variables are configured to manage the AccessKey pair. This prevents security risks that are caused by hard coding the AccessKey pair into your business code. The method that is used to configure environment variables varies based on the operating system. For more information, see Configure environment variables in Linux, macOS, and Windows.
Install dependencies
We recommend that you install the latest version of the SDK. For more information about the latest version, see KMS SDK.
pip install alibabacloud_credentials
pip install alibabacloud_kms20160120==xx.xx.xx
pip install alibabacloud_tea_console
Download the sample code
Call the DescribeKey operation in OpenAPI Explorer.
Set the KeyId parameter to key-hzz62f1cb66fa42qo****. Then, click Initiate Call.
Click the SDK Sample Code tab. Then, go to the Languages section and click Python.
The system provides the sample code of KMS SDK for Python.
Click Download Project to download the sample code package.
Decompress the sample code package on your computer and access the alibabacloud_sample directory.
Run the sample code
Run the following command:
python sample.py
You can obtain the following output:
{
  "KeyMetadata": {
    "CreationDate": "2022-08-09T02:50:14Z",
    "Description": "",
    "KeyId": "key-hzz62f1cb66fa42qo****",
    "KeySpec": "Aliyun_AES_256",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "PrimaryKeyVersion": "key-hzz62f1cb66fa42qo****-nksr4****",
    "DeleteDate": "",
    "Creator": "119285303511****",
    "Arn": "acs:kms:cn-hangzhou:119285303511****:key/key-hzz62f1cb66fa42qo****",
    "Origin": "",
    "MaterialExpireTime": "",
    "ProtectionLevel": "SOFTWARE",
    "LastRotationDate": "2023-08-02T08:36:53Z",
    "AutomaticRotation": "Disabled",
    "KeyStoreId": "kst-hzz62ee817bvyyr5x****",
    "DeletionProtection": "Enabled",
    "DKMSInstanceId": "kst-hzz62ee817bvyyr5x****"
  },
  "RequestId": "7b6c6946-97ca-4e03-a312-28f9e8873c21"
}
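The DescribeKey output above carries the fields a key-hygiene review usually looks at (KeyState, DeleteDate, DeletionProtection, MaterialExpireTime, AutomaticRotation, LastRotationDate). The following is an added example, not part of the original topic or the downloaded SDK sample project, that audits such a response offline. The function names, the finding messages, and the 365-day rotation threshold are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Subset of the DescribeKey output shown above (masked IDs kept as printed).
SAMPLE = json.loads("""{"KeyMetadata": {
  "KeyId": "key-hzz62f1cb66fa42qo****", "KeyState": "Enabled",
  "KeyUsage": "ENCRYPT/DECRYPT", "DeleteDate": "", "MaterialExpireTime": "",
  "ProtectionLevel": "SOFTWARE", "LastRotationDate": "2023-08-02T08:36:53Z",
  "AutomaticRotation": "Disabled", "DeletionProtection": "Enabled"}}""")

MAX_KEY_AGE = timedelta(days=365)  # assumed rotation policy, adjust to yours


def parse_ts(value):
    """Parse the response's UTC timestamps; an empty string means 'not set'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_key(response, now=None):
    """Return a list of findings for one DescribeKey response."""
    now = now or datetime.now(timezone.utc)
    meta = response.get("KeyMetadata") or {}
    findings = []
    if meta.get("KeyState") != "Enabled":
        findings.append(f"key state is {meta.get('KeyState')!r}, not 'Enabled'")
    if parse_ts(meta.get("DeleteDate", "")):
        findings.append(f"deletion scheduled for {meta['DeleteDate']}")
    if meta.get("DeletionProtection") != "Enabled":
        findings.append("deletion protection is not enabled")
    expires = parse_ts(meta.get("MaterialExpireTime", ""))
    if expires and expires <= now:
        findings.append(f"key material expired at {meta['MaterialExpireTime']}")
    if meta.get("AutomaticRotation") != "Enabled":
        # Without automatic rotation, the last rotation date bounds key age.
        rotated = parse_ts(meta.get("LastRotationDate", ""))
        if rotated is None or now - rotated > MAX_KEY_AGE:
            findings.append("automatic rotation is off and last rotation exceeds MAX_KEY_AGE")
    return findings


if __name__ == "__main__":
    for finding in audit_key(SAMPLE) or ["no findings"]:
        print(f"{SAMPLE['KeyMetadata']['KeyId']}: {finding}")
```

To audit a live key, pass the parsed JSON printed by sample.py to audit_key in place of SAMPLE.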