AWS Key Management Service
Developer Guide

Working with Grants

This topic discusses how to create, retire, revoke, and list grants on AWS KMS customer master keys (CMKs).

Creating a Grant

To create a grant for an AWS KMS customer master key, use the CreateGrant operation. For details about the Java implementation, see the createGrant method in the AWS SDK for Java API Reference.

    // Create a grant
    //
    // Requires com.amazonaws.services.kms.model.*, java.util.Arrays, java.util.List
    // and an initialized AWSKMS client named kms
    //
    // Replace the following fictitious key ARN with a valid key ID
    String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
    String granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
    // GrantOperation is an enum; the request takes a list of operation names
    List<String> operations = Arrays.asList(GrantOperation.Encrypt.toString());

    CreateGrantRequest req = new CreateGrantRequest();
    req.setKeyId(keyId);
    req.setGranteePrincipal(granteePrincipal);
    req.setOperations(operations);

    CreateGrantResult result = kms.createGrant(req);
    // result.getGrantId() identifies the grant for RevokeGrant/RetireGrant;
    // result.getGrantToken() lets the grantee use the grant before it has propagated

Retiring a Grant

To retire a grant for an AWS KMS customer master key, use the RetireGrant operation. You should retire a grant to clean up after you are done using it. For details about the Java implementation, see the retireGrant method in the AWS SDK for Java API Reference.

    // Retire a grant
    //
    // Requires com.amazonaws.services.kms.model.* and an initialized AWSKMS client named kms
    //
    // Placeholder: use the grant token returned by CreateGrant
    String grantToken = "Place your grant token here";

    RetireGrantRequest req = new RetireGrantRequest().withGrantToken(grantToken);
    kms.retireGrant(req);

Revoking a Grant

To revoke a grant to an AWS KMS customer master key, use the RevokeGrant operation. You can revoke a grant to explicitly deny operations that depend on it. For details about the Java implementation, see the revokeGrant method in the AWS SDK for Java API Reference.

    // Revoke a grant on a CMK
    //
    // Requires com.amazonaws.services.kms.model.* and an initialized AWSKMS client named kms
    //
    // Replace the following fictitious key ARN with a valid key ID
    String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
    // Replace the fictitious grant ID with the one returned by CreateGrant or ListGrants
    String grantId = "grant1";

    RevokeGrantRequest req = new RevokeGrantRequest().withKeyId(keyId).withGrantId(grantId);
    kms.revokeGrant(req);

Get Information about Grants

To get detailed information about the grants on an AWS KMS customer master key, use the ListGrants operation. For details about the Java implementation, see the listGrants method in the AWS SDK for Java API Reference.

    // Listing grants on a CMK
    //
    // Requires com.amazonaws.services.kms.model.* and an initialized AWSKMS client named kms
    //
    // Replace the following fictitious key ARN with a valid key ID
    String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
    // limit caps the page size; marker (null for the first page) continues a
    // truncated listing using the NextMarker from the previous result
    Integer limit = 10;
    String marker = null;

    ListGrantsRequest req = new ListGrantsRequest().withKeyId(keyId).withMarker(marker).withLimit(limit);
    ListGrantsResult result = kms.listGrants(req);