Class: Aws::KMS::Types::GrantConstraints

Inherits:
Struct
  • Object
show all
Includes:
Structure
Defined in:
lib/aws-sdk-kms/types.rb

Overview

Note:

When making an API call, you may pass GrantConstraints data as a hash:

{
  encryption_context_subset: {
    "EncryptionContextKey" => "EncryptionContextValue",
  },
  encryption_context_equals: {
    "EncryptionContextKey" => "EncryptionContextValue",
  },
}

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see [Encryption Context] in the *AWS Key Management Service Developer Guide*.

Grant constraints apply only to operations that accept encryption context as input. For example, the ‘ DescribeKey ` operation does not accept encryption context as input. A grant that allows the `DescribeKey` operation does so regardless of the grant constraints. In constrast, the ` Encrypt ` operation accepts encryption context as input. A grant that allows the `Encrypt` operation does so only when the encryption context of the `Encrypt` operation satisfies the grant constraints.

[1]: docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html

Instance Attribute Summary collapse

Instance Attribute Details

#encryption_context_equalsHash<String,String>

A list of key-value pairs that must be present in the encryption context of certain subsequent operations that the grant allows. When certain subsequent operations allowed by the grant include encryption context that matches this list, the grant allows the operation. Otherwise, the grant does not allow the operation.

Returns:

  • (Hash<String,String>)


1623
1624
1625
1626
1627
# File 'lib/aws-sdk-kms/types.rb', line 1623

class GrantConstraints < Struct.new(
  :encryption_context_subset,
  :encryption_context_equals)
  include Aws::Structure
end

#encryption_context_subsetHash<String,String>

A list of key-value pairs, all of which must be present in the encryption context of certain subsequent operations that the grant allows. When certain subsequent operations allowed by the grant include encryption context that matches this list or is a superset of this list, the grant allows the operation. Otherwise, the grant does not allow the operation.

Returns:

  • (Hash<String,String>)


1623
1624
1625
1626
1627
# File 'lib/aws-sdk-kms/types.rb', line 1623

class GrantConstraints < Struct.new(
  :encryption_context_subset,
  :encryption_context_equals)
  include Aws::Structure
end