KmsGrantConfiguration - IAM Access Analyzer


A proposed grant configuration for a KMS key. For more information, see CreateGrant.



The principal that is given permission to perform the operations that the grant permits.

Type: String

Required: Yes


The AWS account under which the grant was issued. The account is used to propose AWS KMS grants issued by accounts other than the owner of the key.

Type: String

Required: Yes


A list of operations that the grant permits.

Type: Array of strings

Valid Values: CreateGrant | Decrypt | DescribeKey | Encrypt | GenerateDataKey | GenerateDataKeyPair | GenerateDataKeyPairWithoutPlaintext | GenerateDataKeyWithoutPlaintext | GetPublicKey | ReEncryptFrom | ReEncryptTo | RetireGrant | Sign | Verify

Required: Yes


Use this structure to propose allowing cryptographic operations in the grant only when the operation request includes the specified encryption context.

Type: KmsGrantConstraints object

Required: No


The principal that is given permission to retire the grant by using RetireGrant operation.

Type: String

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: