Class: Aws::KMS::Types::CreateGrantRequest

Inherits:
Struct
  • Object
Includes:
Structure
Defined in:
lib/aws-sdk-kms/types.rb

Overview

Note: When making an API call, you may pass CreateGrantRequest data as a hash:

{
  key_id: "KeyIdType", # required
  grantee_principal: "PrincipalIdType", # required
  retiring_principal: "PrincipalIdType",
  operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
  constraints: {
    encryption_context_subset: {
      "EncryptionContextKey" => "EncryptionContextValue",
    },
    encryption_context_equals: {
      "EncryptionContextKey" => "EncryptionContextValue",
    },
  },
  grant_tokens: ["GrantTokenType"],
  name: "GrantNameType",
}
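A pre-flight review of a request hash of the shape shown above, as an added example that is not part of the SDK or its documentation. `GrantAudit`, its messages and the sample principals are hypothetical; the key ID and ARN patterns are assumptions modelled on the examples given under `key_id`.

```ruby
# Added example: GrantAudit is a hypothetical helper, not part of aws-sdk-kms.
module GrantAudit
  # Operation names accepted by :operations, as listed on this page.
  OPERATIONS = %w[Decrypt Encrypt GenerateDataKey GenerateDataKeyWithoutPlaintext
                  ReEncryptFrom ReEncryptTo CreateGrant RetireGrant DescribeKey].freeze
  REQUIRED = %i[key_id grantee_principal operations].freeze
  # Assumption: shapes modelled on this page's key ID / key ARN examples.
  UUID = /\h{8}-\h{4}-\h{4}-\h{4}-\h{12}/
  KEY_REF = /\A(arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/)?#{UUID}\z/
  PRINCIPAL = /\Aarn:aws[a-z-]*:(iam|sts)::\d{12}:\S+\z/

  # Returns { errors: [...], warnings: [...] } for one request hash.
  def self.review(req)
    errors = REQUIRED.select { |k| req[k].nil? || req[k].empty? }
                     .map { |k| "missing required :#{k}" }
    ops = Array(req[:operations])
    unknown = ops - OPERATIONS
    errors << "unknown operations: #{unknown.join(', ')}" unless unknown.empty?
    errors << ":key_id is neither a key ID nor a key ARN" if req[:key_id] && req[:key_id] !~ KEY_REF
    %i[grantee_principal retiring_principal].each do |k|
      errors << ":#{k} is not a principal ARN" if req[k] && req[k] !~ PRINCIPAL
    end
    # Either constraint member counts, as long as it is non-empty.
    ctx = (req[:constraints] || {}).values_at(:encryption_context_subset,
                                               :encryption_context_equals).compact
    warnings = []
    warnings << "no encryption context constraint on the permitted operations" if ctx.all?(&:empty?)
    warnings << "CreateGrant permitted: grantee can create further grants" if ops.include?("CreateGrant")
    warnings << "no :name: a retried request creates a duplicate grant" if req[:name].to_s.empty?
    { errors: errors, warnings: warnings }
  end

  # Constructed sample requests (principal names are placeholders).
  SCOPED = {
    key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    grantee_principal: "arn:aws:iam::111122223333:role/ExampleAppRole",
    retiring_principal: "arn:aws:iam::111122223333:user/ExampleAdmin",
    operations: %w[Decrypt GenerateDataKey],
    constraints: { encryption_context_subset: { "tenant" => "example" } },
    name: "example-app-decrypt"
  }.freeze
  BROAD = { key_id: "alias/app", grantee_principal: "ExampleAppRole",
            operations: %w[decrypt Decrypt CreateGrant] }.freeze
end

puts GrantAudit.review(GrantAudit::BROAD)
```
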

Instance Attribute Summary

Instance Attribute Details

#constraints ⇒ Types::GrantConstraints

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see [Encryption Context][1] in the *AWS Key Management Service Developer Guide*.

[1]: docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html



# File 'lib/aws-sdk-kms/types.rb', line 327

class CreateGrantRequest < Struct.new(
  :key_id,
  :grantee_principal,
  :retiring_principal,
  :operations,
  :constraints,
  :grant_tokens,
  :name)
  include Aws::Structure
end

#grant_tokens ⇒ Array<String>

A list of grant tokens.

For more information, see [Grant Tokens][1] in the *AWS Key Management Service Developer Guide*.

[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token

Returns:

  • (Array<String>)



#grantee_principal ⇒ String

The principal that is given permission to perform the operations that the grant permits.

To specify the principal, use the [Amazon Resource Name (ARN)][1] of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, IAM roles, federated users, and assumed role users. For examples of the ARN syntax to use for specifying a principal, see [AWS Identity and Access Management (IAM)][2] in the Example ARNs section of the *AWS General Reference*.

[1]: docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
[2]: docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam

Returns:

  • (String)



#key_id ⇒ String

The unique identifier for the customer master key (CMK) that the grant applies to.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

For example:

  • Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`

  • Key ARN: `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

Returns:

  • (String)



#name ⇒ String

A friendly name for identifying the grant. Use this value to prevent unintended creation of duplicate grants when retrying this request.

When this value is absent, all `CreateGrant` requests result in a new grant with a unique `GrantId` even if all the supplied parameters are identical. This can result in unintended duplicates when you retry the `CreateGrant` request.

When this value is present, you can retry a `CreateGrant` request with identical parameters; if the grant already exists, the original `GrantId` is returned without creating a new grant. Note that the returned grant token is unique with every `CreateGrant` request, even when a duplicate `GrantId` is returned. All grant tokens obtained in this way can be used interchangeably.

Returns:

  • (String)



#operations ⇒ Array<String>

A list of operations that the grant permits.

Returns:

  • (Array<String>)



#retiring_principal ⇒ String

The principal that is given permission to retire the grant by using the RetireGrant operation.

To specify the principal, use the [Amazon Resource Name (ARN)][1] of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax to use for specifying a principal, see [AWS Identity and Access Management (IAM)][2] in the Example ARNs section of the *AWS General Reference*.

[1]: docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
[2]: docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam

Returns:

  • (String)

