AWS CLI Command Reference

[ aws . kms ]

cancel-key-deletion

Description

Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is Disabled . To enable the KMS key, use EnableKey .

For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the Key Management Service Developer Guide .

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide .

Cross-account use : No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions : kms:CancelKeyDeletion (key policy)

Related operations : ScheduleKeyDeletion

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  cancel-key-deletion
--key-id <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--key-id (string)

Identifies the KMS key whose deletion is being canceled.

Specify the key ID or key ARN of the KMS key.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey .

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

To cancel the scheduled deletion of a customer managed CMK

The following cancel-key-deletion example cancels the scheduled deletion of a customer managed CMK and re-enables the CMK so you can use it in cryptographic operations.

The first command in the example uses the cancel-key-deletion command to cancel the scheduled deletion of the CMK. It uses the --key-id parameter to identify the CMK. This example uses a key ID value, but you can use either the key ID or the key ARN of the CMK.

To re-enable the CMK, use the enable-key command. To identify the CMK, use the --key-id parameter. This example uses a key ID value, but you can use either the key ID or the key ARN of the CMK.

aws kms cancel-key-deletion \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

The cancel-key-deletion response returns the key ARN of the CMK whose deletion was canceled.

{
    "KeyId": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}

When the cancel-key-deletion command succeeds, the scheduled deletion is canceled. However, the key state of the CMK is Disabled, so you can’t use the CMK in cryptographic operations. To restore its functionality, you must re-enable the CMK.

aws kms enable-key \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

The enable-key operation does not return a response. To verify that the CMK is re-enabled and there is no deletion date associated with the CMK, use the describe-key operation.

For more information, see Scheduling and Canceling Key Deletion in the AWS Key Management Service Developer Guide.

Output

KeyId -> (string)

The Amazon Resource Name (key ARN ) of the KMS key whose deletion is canceled.

© Copyright 2018, Amazon Web Services. Created using Sphinx.