You are viewing documentation for version 3 of the AWS SDK for Ruby.

Class: Aws::KMS::Types::GrantConstraints

Inherits:
Struct
  • Object
Defined in:
gems/aws-sdk-kms/lib/aws-sdk-kms/types.rb

Overview

Note:

When making an API call, you may pass GrantConstraints data as a hash:

{
  encryption_context_subset: {
    "EncryptionContextKey" => "EncryptionContextValue",
  },
  encryption_context_equals: {
    "EncryptionContextKey" => "EncryptionContextValue",
  },
}

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context in the AWS Key Management Service Developer Guide.

Grant constraints apply only to operations that accept encryption context as input. For example, the DescribeKey operation does not accept encryption context as input. A grant that allows the DescribeKey operation does so regardless of the grant constraints. In contrast, the Encrypt operation accepts encryption context as input. A grant that allows the Encrypt operation does so only when the encryption context of the Encrypt operation satisfies the grant constraints.

Instance Attribute Summary

Instance Attribute Details

#encryption_context_equals ⇒ Hash<String,String>

A list of key-value pairs that must be present in the encryption context of certain subsequent operations that the grant allows. When certain subsequent operations allowed by the grant include encryption context that matches this list, the grant allows the operation. Otherwise, the grant does not allow the operation.

Returns:

  • (Hash<String,String>)


# File 'gems/aws-sdk-kms/lib/aws-sdk-kms/types.rb', line 1255

class GrantConstraints < Struct.new(
  :encryption_context_subset,
  :encryption_context_equals)
  include Aws::Structure
end

#encryption_context_subset ⇒ Hash<String,String>

A list of key-value pairs, all of which must be present in the encryption context of certain subsequent operations that the grant allows. When certain subsequent operations allowed by the grant include encryption context that matches this list or is a superset of this list, the grant allows the operation. Otherwise, the grant does not allow the operation.

Returns:

  • (Hash<String,String>)


# File 'gems/aws-sdk-kms/lib/aws-sdk-kms/types.rb', line 1255

class GrantConstraints < Struct.new(
  :encryption_context_subset,
  :encryption_context_equals)
  include Aws::Structure
end
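
The difference between the two constraints, and the rule that constraints are ignored for operations without an encryption context input, can be checked with a small local model. This is an added example, not code from the SDK or from KMS, and it makes no AWS calls; `constraints_allow?`, `ACCEPTS_ENCRYPTION_CONTEXT` and the sample grants are hypothetical names with constructed values. It assumes plain Ruby string comparison and, when both constraints are set, that both must hold.

```ruby
# Added example: a local model of the grant-constraint rules described above.
# Not KMS's implementation. Names and sample values are constructed.

# Whether each operation takes an encryption context as input. Encrypt and
# DescribeKey are the page's own examples; Decrypt and GenerateDataKey are
# added here from the KMS API.
ACCEPTS_ENCRYPTION_CONTEXT = {
  "Encrypt"         => true,
  "Decrypt"         => true,
  "GenerateDataKey" => true,
  "DescribeKey"     => false,
}.freeze

# constraints: a hash shaped like GrantConstraints (symbol keys).
# Returns true when the constraints do not block the operation.
def constraints_allow?(constraints, operation, encryption_context = {})
  accepts = ACCEPTS_ENCRYPTION_CONTEXT.fetch(operation) do
    raise ArgumentError, "operation not modelled: #{operation}"
  end
  # Constraints are not applied to operations with no encryption context input.
  return true unless accepts

  ctx    = encryption_context || {}
  equals = constraints[:encryption_context_equals]
  subset = constraints[:encryption_context_subset]

  # Equals: the request context must be exactly this set of pairs.
  return false if equals && ctx != equals
  # Subset: every listed pair must be present; extra pairs are accepted.
  return false if subset && !(ctx >= subset)
  # Assumption of this model: if both are set, both must be satisfied.
  true
end

# Constructed sample grants and request contexts.
SUBSET_GRANT = { encryption_context_subset: { "Department" => "Finance" } }.freeze
EQUALS_GRANT = { encryption_context_equals: { "Department" => "Finance" } }.freeze
EXTRA_PAIR   = { "Department" => "Finance", "Project" => "Audit" }.freeze

[
  [SUBSET_GRANT, "Encrypt",     EXTRA_PAIR],  # superset of the list
  [EQUALS_GRANT, "Encrypt",     EXTRA_PAIR],  # extra pair breaks equality
  [SUBSET_GRANT, "Encrypt",     {}],          # required pair missing
  [SUBSET_GRANT, "DescribeKey", {}],          # constraint not applied
].each do |grant, op, ctx|
  puts "#{grant.keys.first} #{op} #{ctx.inspect} -> #{constraints_allow?(grant, op, ctx)}"
end
```

The second case is the one to review when writing grants: a grantee holding an `encryption_context_subset` grant may add pairs of its own to the context, while `encryption_context_equals` rejects any request whose context differs from the listed pairs.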