diff --git a/kms/src/get_cryptokey_policy.php b/kms/src/get_cryptokey_policy.php
new file mode 100644
index 0000000000..7aef569f90
--- /dev/null
+++ b/kms/src/get_cryptokey_policy.php
@@ -0,0 +1,58 @@
+<?php
+/**
+ * Copyright 2019 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/kms/README.md
+ */
+
+
+// Include Google Cloud dependendencies using Composer
+require_once __DIR__ . '/../vendor/autoload.php';
+
+if (count($argv) != 5) {
+    return printf("Usage: php %s PROJECT_ID LOCATION_ID KEYRING_ID CRYPTOKEY_ID\n", basename(__FILE__));
+}
+list($_, $projectId, $locationId, $keyRingId, $cryptoKeyId) = $argv;
+
+# [START kms_get_cryptokey_policy]
+use Google\Cloud\Kms\V1\KeyManagementServiceClient;
+
+/** Uncomment and populate these variables in your code */
+// $projectId = 'The Google project ID';
+// $locationId = 'The location ID of the crypto key. Can be "global", "us-west1", etc.';
+// $keyRingId = 'The KMS key ring ID';
+// $cryptoKeyId = 'The KMS key ID';
+
+$kms = new KeyManagementServiceClient();
+
+// The resource name of the Crypto Key.
+$cryptoKeyName = $kms->cryptoKeyName($projectId, $locationId, $keyRingId, $cryptoKeyId);
+
+// Get the Crypto Key Policy and print it.
+$cryptoKeyPolicy = $kms->getIamPolicy($cryptoKeyName);
+
+foreach ($cryptoKeyPolicy->getBindings() as $binding) {
+    printf("Role: %s\nMembers:\n", $binding->getRole());
+
+    foreach ($binding->getMembers() as $member) {
+        printf("  %s\n", $member);
+    }
+    print("\n");
+}
+# [END kms_get_cryptokey_policy]
diff --git a/kms/src/get_keyring_policy.php b/kms/src/get_keyring_policy.php
new file mode 100644
index 0000000000..54ab039de2
--- /dev/null
+++ b/kms/src/get_keyring_policy.php
@@ -0,0 +1,57 @@
+<?php
+/**
+ * Copyright 2019 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/master/kms/README.md
+ */
+
+
+// Include Google Cloud dependendencies using Composer
+require_once __DIR__ . '/../vendor/autoload.php';
+
+if (count($argv) != 4) {
+    return printf("Usage: php %s PROJECT_ID LOCATION_ID KEYRING_ID\n", basename(__FILE__));
+}
+list($_, $projectId, $locationId, $keyRingId) = $argv;
+
+# [START kms_get_keyring_policy]
+use Google\Cloud\Kms\V1\KeyManagementServiceClient;
+
+/** Uncomment and populate these variables in your code */
+// $projectId = 'The Google project ID';
+// $locationId = 'The location ID of the crypto key. Can be "global", "us-west1", etc.';
+// $keyRingId = 'The KMS key ring ID';
+
+$kms = new KeyManagementServiceClient();
+
+// The resource name of the Key Ring.
+$keyRingName = $kms->keyRingName($projectId, $locationId, $keyRingId);
+
+// Get the Key Ring Policy and print it.
+$keyRingPolicy = $kms->getIamPolicy($keyRingName);
+
+foreach ($keyRingPolicy->getBindings() as $binding) {
+    printf("Role: %s\nMembers:\n", $binding->getRole());
+
+    foreach ($binding->getMembers() as $member) {
+        printf("  %s\n", $member);
+    }
+    print("\n");
+}
+# [END kms_get_keyring_policy]
diff --git a/kms/test/kmsTest.php b/kms/test/kmsTest.php
index 247f67bf82..4591a7c4a7 100644
--- a/kms/test/kmsTest.php
+++ b/kms/test/kmsTest.php
@@ -24,6 +24,7 @@ class kmsTest extends \PHPUnit_Framework_TestCase
     use TestTrait;
 
     private static $locationId = 'global';
+    private static $userEmail = 'betterbrent@google.com';
     private static $encryptedFile;
     private static $tempRing;
     private static $tempKey;
@@ -81,17 +82,15 @@ public function testDecrypt()
 
     public function testAddUserToKeyRing()
     {
-        $userEmail = 'betterbrent@google.com';
-
         $output = $this->runSnippet('add_member_to_keyring_policy', [
             self::$ring,
-            'user:' . $userEmail,
+            'user:' . self::$userEmail,
             'roles/cloudkms.cryptoKeyEncrypterDecrypter'
         ]);
 
         $this->assertContains(sprintf(
             'Member user:%s added to policy for keyRing %s' . PHP_EOL,
-            $userEmail,
+            self::$userEmail,
             self::$ring
         ), $output);
     }
@@ -99,37 +98,45 @@ public function testAddUserToKeyRing()
     /**
      * @depends testAddUserToKeyRing
      */
-    public function testRemoveUserFromKeyRing()
+    public function testGetKeyRingPolicy()
     {
-        $userEmail = 'betterbrent@google.com';
+        $output = $this->runSnippet('get_keyring_policy', [
+            self::$ring,
+        ]);
+
+        $this->assertContains('user:' . self::$userEmail, $output);
+    }
 
+    /**
+     * @depends testAddUserToKeyRing
+     */
+    public function testRemoveUserFromKeyRing()
+    {
         $output = $this->runSnippet('remove_member_from_keyring_policy', [
             self::$ring,
-            'user:' . $userEmail,
+            'user:' . self::$userEmail,
             'roles/cloudkms.cryptoKeyEncrypterDecrypter'
         ]);
 
         $this->assertContains(sprintf(
             'Member user:%s removed from policy for keyRing %s' . PHP_EOL,
-            $userEmail,
+            self::$userEmail,
             self::$ring
         ), $output);
     }
 
     public function testAddUserToCryptoKey()
     {
-        $userEmail = 'betterbrent@google.com';
-
         $output = $this->runSnippet('add_member_to_cryptokey_policy', [
             self::$ring,
             self::$key,
-            'user:' . $userEmail,
+            'user:' . self::$userEmail,
             'roles/cloudkms.cryptoKeyEncrypterDecrypter'
         ]);
 
         $this->assertContains(sprintf(
             'Member user:%s added to policy for cryptoKey %s in keyRing %s' . PHP_EOL,
-            $userEmail,
+            self::$userEmail,
             self::$key,
             self::$ring
         ), $output);
@@ -138,20 +145,31 @@ public function testAddUserToCryptoKey()
     /**
      * @depends testAddUserToCryptoKey
      */
-    public function testRemoveUserFromCryptoKey()
+    public function testGetCryptoKeyPolicy()
     {
-        $userEmail = 'betterbrent@google.com';
+        $output = $this->runSnippet('get_cryptokey_policy', [
+            self::$ring,
+            self::$key,
+        ]);
+
+        $this->assertContains('user:' . self::$userEmail, $output);
+    }
 
+    /**
+     * @depends testAddUserToCryptoKey
+     */
+    public function testRemoveUserFromCryptoKey()
+    {
         $output = $this->runSnippet('remove_member_from_cryptokey_policy', [
             self::$ring,
             self::$key,
-            'user:' . $userEmail,
+            'user:' . self::$userEmail,
             'roles/cloudkms.cryptoKeyEncrypterDecrypter'
         ]);
 
         $this->assertContains(sprintf(
             'Member user:%s removed from policy for cryptoKey %s in keyRing %s' . PHP_EOL,
-            $userEmail,
+            self::$userEmail,
             self::$key,
             self::$ring
         ), $output);