How to get External KMS Keys using BOTO3?


I am writing a python script which will iterate through the AWS accounts and fetch all Encryption key details. In BOTO3 i can see only AWS_KMS key api. My question is how can I fetch information of the Imported Keys from external KMS using BOTO3?

2 Answers


you can try using which contains an Origin field containing information about a key being external: 'Origin': 'AWS_KMS'|'EXTERNAL'|'AWS_CLOUDHSM'|'EXTERNAL_KEY_STORE'.

See below example:

import boto3
kms_client = boto3.client('kms')
keyList = kms_client.list_keys()

for key in keyList['Keys']:
    key_id = key['KeyId']
    info = kms_client.describe_key(KeyId=key_id)
    if info['KeyMetadata']['Origin'] == 'EXTERNAL':
        print('Do your magic’)

Hope it helps.

profile picture
answered a year ago
Accepted Answer

To double down on what Alatech said , u can use this as a sample code(I quickly typed in my editor so please take this as your starting point )

import boto3

# create an instance of the boto3 KMS client
kms_client = boto3.client('kms')

# call the list_keys() method to fetch all the external keys
response = kms_client.list_keys()

# extract the external key ids from the response
key_ids = [key['KeyId'] for key in response['Keys'] if not key['Origin'] == 'AWS_KMS']

# print the external key ids
profile pictureAWS
answered a year ago
  • Thanks guys, this will help

  • I tried running your piece of code, but there is no "Origin" field am getting.

  • Ala tech here. It is because you have to call the describe key method as I mentioned in my below answer . Above code just list the keys, of course it won’t work ;)

  • Ala is correct, the code is just a starting point and you need to include additional(or replace what I provided) calls from the documentation he added. I will try to find time to incorporate them for you over the weekend

  • Added example below

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions