Class ListRetirableGrantsCommand

Returns information about all grants in the Amazon Web Services account and Region that have the specified retiring principal.

You can specify any principal in your Amazon Web Services account. The grants that are returned include grants for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this operation to determine which grants you may retire. To retire a grant, use the RetireGrant operation.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.

Cross-account use: You must specify a principal in your Amazon Web Services account. However, this operation can return grants in any Amazon Web Services account. You do not need kms:ListRetirableGrants permission (or any other additional permission) in any Amazon Web Services account other than your own.

Required permissions: kms:ListRetirableGrants (IAM policy) in your Amazon Web Services account.

Related operations:

Example

Use a bare-bones client and the command you need to make an API call.

import { KMSClient, ListRetirableGrantsCommand } from "@aws-sdk/client-kms"; // ES Modules import
// const { KMSClient, ListRetirableGrantsCommand } = require("@aws-sdk/client-kms"); // CommonJS import
const client = new KMSClient(config);
const input = { // ListRetirableGrantsRequest
  Limit: Number("int"),
  Marker: "STRING_VALUE",
  RetiringPrincipal: "STRING_VALUE", // required
};
const command = new ListRetirableGrantsCommand(input);
const response = await client.send(command);
// { // ListGrantsResponse
//   Grants: [ // GrantList
//     { // GrantListEntry
//       KeyId: "STRING_VALUE",
//       GrantId: "STRING_VALUE",
//       Name: "STRING_VALUE",
//       CreationDate: new Date("TIMESTAMP"),
//       GranteePrincipal: "STRING_VALUE",
//       RetiringPrincipal: "STRING_VALUE",
//       IssuingAccount: "STRING_VALUE",
//       Operations: [ // GrantOperationList
//         "Decrypt" || "Encrypt" || "GenerateDataKey" || "GenerateDataKeyWithoutPlaintext" || "ReEncryptFrom" || "ReEncryptTo" || "Sign" || "Verify" || "GetPublicKey" || "CreateGrant" || "RetireGrant" || "DescribeKey" || "GenerateDataKeyPair" || "GenerateDataKeyPairWithoutPlaintext" || "GenerateMac" || "VerifyMac",
//       ],
//       Constraints: { // GrantConstraints
//         EncryptionContextSubset: { // EncryptionContextType
//           "<keys>": "STRING_VALUE",
//         },
//         EncryptionContextEquals: {
//           "<keys>": "STRING_VALUE",
//         },
//       },
//     },
//   ],
//   NextMarker: "STRING_VALUE",
//   Truncated: true || false,
// };

Param

ListRetirableGrantsCommandInput

Returns

ListRetirableGrantsCommandOutput

See

Throws

DependencyTimeoutException (server fault)

The system timed out while trying to fulfill the request. You can retry the request.

Throws

InvalidArnException (client fault)

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

Throws

InvalidMarkerException (client fault)

The request was rejected because the marker that specifies where pagination should next begin is not valid.

Throws

KMSInternalException (server fault)

The request was rejected because an internal exception occurred. The request can be retried.

Throws

NotFoundException (client fault)

The request was rejected because the specified entity or resource could not be found.

Throws

KMSServiceException

Base exception class for all service exceptions from KMS service.

Example

To list grants that the specified principal can retire

// The following example lists the grants that the specified principal (identity) can retire.
const input = {
  "RetiringPrincipal": "arn:aws:iam::111122223333:role/ExampleRole"
};
const command = new ListRetirableGrantsCommand(input);
const response = await client.send(command);
/* response ==
{
  "Grants": [
    {
      "CreationDate": "2016-12-07T11:09:35-08:00",
      "GrantId": "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60",
      "GranteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole",
      "IssuingAccount": "arn:aws:iam::444455556666:root",
      "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Operations": [
        "Decrypt",
        "Encrypt"
      ],
      "RetiringPrincipal": "arn:aws:iam::111122223333:role/ExampleRole"
    }
  ],
  "Truncated": false
}
*/
// example id: to-list-grants-that-the-specified-principal-can-retire-1481140499620
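The following is an added example, not part of the AWS SDK documentation: it follows `Truncated`/`NextMarker` across pages to collect every retirable grant, then flags grants worth a closer look before deciding what to retire. The `sendPage` wrapper, the review criteria in `reviewGrant`, the assumption that `KeyId` is a key ARN (as in the sample response above), and the two-page sample data are all constructed for illustration.

```javascript
// sendPage is any async function that takes a ListRetirableGrantsRequest and
// resolves to the response, e.g.
//   (input) => client.send(new ListRetirableGrantsCommand(input))
async function listAllRetirableGrants(sendPage, retiringPrincipal) {
  const grants = [];
  let marker; // undefined on the first request
  do {
    const page = await sendPage({ RetiringPrincipal: retiringPrincipal, Marker: marker });
    grants.push(...(page.Grants ?? []));
    // Continue only while the response is truncated and supplies a NextMarker.
    marker = page.Truncated ? page.NextMarker : undefined;
  } while (marker);
  return grants;
}

// Account ID is the fifth colon-separated ARN field; "" when the value is not an ARN.
const accountOf = (arn) => (String(arn).startsWith("arn:") ? arn.split(":")[4] : "");

// Hypothetical review criteria (assumptions for this example, not KMS rules).
function reviewGrant(grant, ownAccountId) {
  const findings = [];
  const keyAccount = accountOf(grant.KeyId);
  if (keyAccount && keyAccount !== ownAccountId) findings.push("key-in-other-account");
  if ((grant.Operations ?? []).includes("CreateGrant")) findings.push("can-create-grants");
  const c = grant.Constraints ?? {};
  if (!c.EncryptionContextSubset && !c.EncryptionContextEquals) findings.push("no-encryption-context");
  return findings;
}

// Constructed two-page response standing in for the KMS service.
const ROLE = "arn:aws:iam::111122223333:role/ExampleRole";
const SAMPLE_PAGES = {
  first: { Truncated: true, NextMarker: "page2", Grants: [
    { GrantId: "grant-a", RetiringPrincipal: ROLE, Operations: ["Decrypt", "Encrypt"],
      KeyId: "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] },
  page2: { Truncated: false, Grants: [
    { GrantId: "grant-b", RetiringPrincipal: ROLE, Operations: ["Decrypt", "CreateGrant"],
      KeyId: "arn:aws:kms:us-east-2:111122223333:key/constructed-key-id",
      Constraints: { EncryptionContextSubset: { Department: "IT" } } } ] },
};
const fakeSendPage = async (input) => SAMPLE_PAGES[input.Marker ?? "first"];

async function auditSample() {
  const grants = await listAllRetirableGrants(fakeSendPage, ROLE);
  return grants.map((g) => ({ GrantId: g.GrantId, findings: reviewGrant(g, "111122223333") }));
}
auditSample().then((rows) => console.log(JSON.stringify(rows, null, 2)));
```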
