Description

The key policy to attach to the CMK.

If you specify a policy and do not set BypassPolicyLockoutSafetyCheck to true, the policy must meet the following criteria:

It must allow the principal making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the likelihood that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) section in the AWS Key Management Service Developer Guide.

The principal(s) specified in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before specifying the new principal in a key policy because the new principal might not immediately be visible to AWS KMS. For more information, see Changes that I make are not always immediately visible (http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) in the IAM User Guide.

If you do not specify a policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy (http://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) in the AWS Key Management Service Developer Guide.

The policy size limit is 32 KiB (32768 bytes).
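The lockout criterion and the size limit above can both be checked locally before the policy is passed to CreateKey. The following is an added example, not code from aws-sdk-go; it uses only the standard library, treats the CreateKey caller as a single ARN (assumed to be `arn:aws:iam::111122223333:root`, a placeholder account), and looks for an Allow statement that names that ARN as an AWS principal with kms:PutKeyPolicy or kms:* in its actions. It is a pre-check of the documented condition, not a reimplementation of the KMS-side BypassPolicyLockoutSafetyCheck logic, which also evaluates IAM policies.

```go
package main

import "encoding/json"
import "fmt"

// set decodes a policy field that may be a single string or a list of strings.
func set(raw json.RawMessage) map[string]bool {
	var list []string
	if json.Unmarshal(raw, &list) != nil { // not a list, so expect one string
		var one string
		_ = json.Unmarshal(raw, &one)
		list = []string{one}
	}
	out := map[string]bool{}
	for _, s := range list {
		out[s] = true
	}
	return out
}

// CheckKeyPolicy returns nil when policy fits the 32 KiB limit and has an Allow
// statement granting creator kms:PutKeyPolicy or kms:*. Local pre-check only.
func CheckKeyPolicy(policy, creator string) error {
	if len(policy) > 32768 { // limit stated in the CreateKey documentation
		return fmt.Errorf("policy is %d bytes, limit is 32768", len(policy))
	}
	var doc struct {
		Statement []struct {
			Effect            string
			Principal, Action json.RawMessage
		}
	}
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return fmt.Errorf("policy is not valid JSON: %w", err)
	}
	for _, st := range doc.Statement {
		var p struct{ AWS json.RawMessage }
		if st.Effect != "Allow" || json.Unmarshal(st.Principal, &p) != nil || !set(p.AWS)[creator] {
			continue
		}
		if acts := set(st.Action); acts["kms:PutKeyPolicy"] || acts["kms:*"] {
			return nil
		}
	}
	return fmt.Errorf("no Allow statement grants kms:PutKeyPolicy to %s", creator)
}

// Constructed sample in the shape of the default key policy: account root allowed kms:*.
const samplePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":"kms:*","Resource":"*"}]}`
func main() { fmt.Println(CheckKeyPolicy(samplePolicy, "arn:aws:iam::111122223333:root")) } // prints <nil>
```

A Deny statement, an anonymous `"Principal":"*"`, or a statement naming a different account's principal does not satisfy the check, so the caller is warned before the CMK is created rather than after it has become unmanageable.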

Policy is referenced in 1 repository

github.com/aws/aws-sdk-go