AWS Key Management Service
Developer Guide

Working with Grants

This topic shows how to create, retire, revoke, and list grants with the AWS SDK for Java. A grant gives a principal permission to use a key for specific operations without editing the key policy; the sections below cover each step of a grant's lifecycle.

Creating a Grant

Call the CreateGrant function to create a grant. The response contains a grant ID, which identifies the grant to ListGrants, RetireGrant, and RevokeGrant, and a grant token. Grants are eventually consistent, so the grantee should pass the grant token in the GrantTokens parameter of requests it makes before the new grant has propagated.

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.CreateGrantRequest;
import com.amazonaws.services.kms.model.CreateGrantResult;
import com.amazonaws.services.kms.model.GrantOperation;

// Creating a grant
//
// Input Parameters:
// The function takes up to six parameters.
// KeyId - Key ID or key ARN of the key. CreateGrant does not accept an alias name or alias ARN.
// GranteePrincipal - Principal given permission to use the key identified by the KeyId parameter
// RetiringPrincipal - Principal given permission to retire the grant
// Operations - List of operations permitted by the grant
// Constraints - The conditions under which the actions specified by the Operations parameter are
//               allowed (an encryption context that requests must match)
// GrantTokens - List of grant tokens
//
// Return Values:
// The function returns two values.
// GrantToken - Token that the grantee passes in later requests so they succeed while the new grant
//              propagates (grants are eventually consistent). The token does not confer permission
//              by itself; the caller must still be the grantee principal.
// GrantID - Globally unique identifier of the grant

AWSKMS kms = AWSKMSClientBuilder.defaultClient();

// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String granteePrincipal = "arn:aws:iam::111122223333:user/Alice";

// Operations is a list; the SDK accepts GrantOperation enum values directly.
CreateGrantRequest req = new CreateGrantRequest()
    .withKeyId(keyId)
    .withGranteePrincipal(granteePrincipal)
    .withOperations(GrantOperation.Encrypt);
CreateGrantResult result = kms.createGrant(req);

String grantId = result.getGrantId();       // keep for RetireGrant / RevokeGrant
String grantToken = result.getGrantToken(); // hand to the grantee for its first requests

Retiring a Grant

Call the RetireGrant function to retire a grant. Retiring is the normal cleanup step once you are done using a grant; it is performed by the retiring principal, by the grantee principal if the grant includes the RetireGrant operation, or by the account that owns the key. Identify the grant either by its grant token or by the key ID together with the grant ID.

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.RetireGrantRequest;

// Retiring a grant
//
// Input Parameters:
// GrantToken - the grant token returned by CreateGrant. Alternatively, identify the grant
//              with KeyId and GrantId (withKeyId / withGrantId) if you no longer have the token.
//
// Return Values:
// The function does not return a value.

AWSKMS kms = AWSKMSClientBuilder.defaultClient();

// Replace the following string with the grant token returned by CreateGrant.
String grantToken = "PLACEHOLDER_GRANT_TOKEN";

RetireGrantRequest req = new RetireGrantRequest().withGrantToken(grantToken);
kms.retireGrant(req);

Revoking Grants

Call the RevokeGrant function to revoke a grant. Revoke a grant when you need to deny the operations that depend on it, for example to cut off a grantee without waiting for it to retire the grant itself. The caller needs kms:RevokeGrant permission on the key; unlike RetireGrant, this is an administrative action rather than a cleanup step by the grant's user.

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.RevokeGrantRequest;

// Revoking a grant
//
// Input Parameters:
// KeyId - Unique identifier for the key
// GrantId - Unique identifier for the grant, as returned by CreateGrant or ListGrants
//
// Return Values:
// The function does not return a value.

AWSKMS kms = AWSKMSClientBuilder.defaultClient();

// Replace the following strings with a real key ID and grant ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String grantId = "grant1";

RevokeGrantRequest req = new RevokeGrantRequest().withKeyId(keyId).withGrantId(grantId);
kms.revokeGrant(req);

Listing Grants

Call the ListGrants function to list the grants on a given key. Results are paginated: Limit caps the number of grants in one response, and when the response's Truncated element is true you pass its NextMarker value as Marker in the next request to get the following page. A review of who can use a key is incomplete unless every page is read.

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.ListGrantsRequest;
import com.amazonaws.services.kms.model.ListGrantsResult;

// Listing grants
//
// Input Parameters:
// The function takes three parameters.
// KeyId - Unique identifier for the key
// Limit - Specify this parameter only when paginating results to indicate the
//         maximum number of grants you want listed in the response. If there are
//         additional grants beyond the maximum you specify, the Truncated
//         response element will be set to true.
// Marker - Use this parameter only when paginating results, and only in a subsequent
//          request after you've received a response where the results are truncated.
//          Set it to the value of the NextMarker in the response you just received.
//
// Return Values:
// The function returns a list of grants for the key (one page), plus Truncated and NextMarker.

AWSKMS kms = AWSKMSClientBuilder.defaultClient();

// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
Integer limit = 10;
String marker = null; // first page

ListGrantsRequest req = new ListGrantsRequest().withKeyId(keyId).withMarker(marker).withLimit(limit);
ListGrantsResult result = kms.listGrants(req);

// To fetch the next page, check result.getTruncated() and, if true, repeat the request
// with marker = result.getNextMarker().