Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a
grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The
CreateGrant operation returns both values.
This operation can be called by the
retiring principal for a grant, by the
grantee principal if the grant allows the
RetireGrant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see
Retiring and revoking grants in the
Key Management Service Developer Guide.
For detailed information about grants, including grant terminology, see
Grants in KMS in the
Key Management Service Developer Guide. For examples of working with grants in several programming languages, see
Programming grants.
Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.
Required permissions: Permission to retire a grant is determined primarily by the grant. For details, see
Retiring and revoking grants in the
Key Management Service Developer Guide.
Related operations:Eventual consistency: The KMS API follows an eventual consistency model. For more information, see
KMS eventual consistency.