KMS / Client / disable_key

disable_key

KMS.Client.disable_key(**kwargs)

Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for cryptographic operations.

The KMS key that you use for this operation must be in a compatible key state. For more information about how key state affects the use of a KMS key, see Key states of KMS keys in the Key Management Service Developer Guide .

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:DisableKey (key policy)

Related operations: EnableKey

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

See also: AWS API Documentation

Request Syntax

response = client.disable_key(
    KeyId='string'
)

Parameters:

KeyId (string) –

[REQUIRED]

Identifies the KMS key to disable.

Specify the key ID or key ARN of the KMS key.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

Returns:

None

Exceptions

• KMS.Client.exceptions.NotFoundException

• KMS.Client.exceptions.InvalidArnException

• KMS.Client.exceptions.DependencyTimeoutException

• KMS.Client.exceptions.KMSInternalException

• KMS.Client.exceptions.KMSInvalidStateException

Examples

The following example disables the specified KMS key.

response = client.disable_key(
    # The identifier of the KMS key to disable. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
)

print(response)

Expected Output:

{
    'ResponseMetadata': {
        '...': '...',
    },
}