# AWS KMS code examples for the SDK for Python

## Overview

Shows how to use the AWS SDK for Python (Boto3) to work with AWS Key Management Service (AWS KMS).

*AWS KMS is an encryption and key management service scaled for the cloud.*

## ⚠ Important

* Running this code might result in charges to your AWS account. For more details, see [AWS Pricing](https://aws.amazon.com/pricing/?aws-products-pricing.sort-by=item.additionalFields.productNameLowercase&aws-products-pricing.sort-order=asc&awsf.Free%20Tier%20Type=*all&awsf.tech-category=*all) and [Free Tier](https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc&awsf.Free%20Tier%20Types=*all&awsf.Free%20Tier%20Categories=*all).
* Running the tests might result in charges to your AWS account.
* We recommend that you grant your code least privilege. At most, grant only the minimum permissions required to perform the task. For more information, see [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
* This code is not tested in every AWS Region. For more information, see [AWS Regional Services](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services).

## Code examples

### Prerequisites

For prerequisites, see the [README](../../README.md#Prerequisites) in the `python` folder.

Install the packages required by these examples by running the following in a virtual environment:

```
python -m pip install -r requirements.txt
```

### Single actions

Code excerpts that show you how to call individual service functions.

* [Create a grant for a key](grant_management.py#L26) (`CreateGrant`)
* [Create a key](key_management.py#L27) (`CreateKey`)
* [Create an alias for a key](alias_management.py#L70) (`CreateAlias`)
* [Decrypt ciphertext](key_encryption.py#L45) (`Decrypt`)
* [Delete an alias](alias_management.py#L143) (`DeleteAlias`)
* [Describe a key](key_management.py#L74) (`DescribeKey`)
* [Disable a key](key_management.py#L111) (`DisableKey`)
* [Enable a key](key_management.py#L20) (`EnableKey`)
* [Encrypt text using a key](key_encryption.py#L25) (`Encrypt`)
* [Generate a plaintext data key for client-side encryption](key_management.py#L93) (`GenerateDataKey`)
* [Get a policy for a key](key_policies.py#L44) (`GetKeyPolicy`)
* [List aliases for a key](alias_management.py#L92) (`ListAliases`)
* [List grants for a key](grant_management.py#L53) (`ListGrants`)
* [List keys](key_management.py#L51) (`ListKeys`)
* [List policies for a key](key_policies.py#L27) (`ListKeyPolicies`)
* [Reencrypt ciphertext from one key to another](key_encryption.py#L68) (`ReEncrypt`)
* [Retire a grant for a key](grant_management.py#L75) (`RetireGrant`)
* [Revoke a grant for a key](grant_management.py#L92) (`RevokeGrant`)
* [Schedule deletion of a key](key_management.py#L139) (`ScheduleKeyDeletion`)
* [Set the policy for a key](key_policies.py#L68) (`PutKeyPolicy`)
* [Update the key referred to by an alias](alias_management.py#L119) (`UpdateAlias`)

### Scenarios

Code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

* [Encrypt and decrypt text](key_encryption.py)
* [Manage keys](key_management.py)

## Run the examples

### Instructions

#### Encrypt and decrypt text

This example shows you how to do the following:

* Encrypt plain text by using a KMS key.
* Decrypt ciphertext by using a KMS key.
* Reencrypt ciphertext by using a second KMS key.

Start the example by running the following at a command prompt:

```
python key_encryption.py
```

#### Manage keys

This example shows you how to do the following:

* Create a KMS key.
* List KMS keys for your account and get details about them.
* Enable and disable KMS keys.
* Generate a symmetric data key that can be used for client-side encryption.
* Delete KMS keys.

Start the example by running the following at a command prompt:

```
python key_management.py
```

### Tests

⚠ Running tests might result in charges to your AWS account.

To find instructions for running these tests, see the [README](../../README.md#Tests) in the `python` folder.

## Additional resources

* [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)
* [AWS KMS API Reference](https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html)
* [SDK for Python AWS KMS reference](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html)

---

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0