Menu
AWS Key Management Service
API Reference (API Version 2014-11-01)

GrantConstraints

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context in the AWS Key Management Service Developer Guide.

Grant constraints apply only to operations that accept encryption context as input. For example, the DescribeKey operation does not accept encryption context as input. A grant that allows the DescribeKey operation does so regardless of the grant constraints. In constrast, the Encrypt operation accepts encryption context as input. A grant that allows the Encrypt operation does so only when the encryption context of the Encrypt operation satisfies the grant constraints.

Contents

Note

In the following list, the required parameters are described first.

EncryptionContextEquals

A list of key-value pairs that must be present in the encryption context of certain subsequent operations that the grant allows. When certain subsequent operations allowed by the grant include encryption context that matches this list, the grant allows the operation. Otherwise, the grant does not allow the operation.

Type: String to string map

Required: No

EncryptionContextSubset

A list of key-value pairs, all of which must be present in the encryption context of certain subsequent operations that the grant allows. When certain subsequent operations allowed by the grant include encryption context that matches this list or is a superset of this list, the grant allows the operation. Otherwise, the grant does not allow the operation.

Type: String to string map

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

On this page: