Package software.amazon.awscdk.services.kms

Class KeyGrants

java.lang.Object

software.amazon.jsii.JsiiObject

software.amazon.awscdk.services.kms.KeyGrants

All Implemented Interfaces:

software.amazon.jsii.JsiiSerializable

@Generated(value="jsii-pacmak/1.127.0 (build 2117ad5)",
           date="2026-03-02T12:05:11.354Z")
@Stability(Stable)
public class KeyGrants
extends software.amazon.jsii.JsiiObject

Collection of grant methods for an IKey.

Example:

 IPrincipal principal;
 IKeyRef key;
 // can be either an L1 or L2
 KeyGrants.fromKey(key).sign(principal);
 

Nested Class Summary

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	KeyGrants(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	KeyGrants(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Modifier and Type	Method	Description
Grant	actions(IGrantable grantee, String... actions)	Grant the indicated permissions on this key to the given principal.
Grant	admin(IGrantable grantee)	Grant admins permissions using this key to the given principal.
Grant	decrypt(IGrantable grantee)	Grant decryption permissions using this key to the given principal.
Grant	encrypt(IGrantable grantee)	Grant encryption permissions using this key to the given principal.
Grant	encryptDecrypt(IGrantable grantee)	Grant encryption and decryption permissions using this key to the given principal.
static KeyGrants	fromKey(IKeyRef resource)	Creates grants for an IKeyRef.
static KeyGrants	fromKey(IKeyRef resource, Boolean trustAccountIdentities)	Creates grants for an IKeyRef.
Grant	generateMac(IGrantable grantee)	Grant permissions to generating MACs to the given principal.
protected IKeyRef	getResource()
Grant	sign(IGrantable grantee)	Grant sign permissions using this key to the given principal.
Grant	signVerify(IGrantable grantee)	Grant sign and verify permissions using this key to the given principal.
Grant	verify(IGrantable grantee)	Grant verify permissions using this key to the given principal.
Grant	verifyMac(IGrantable grantee)	Grant permissions to verifying MACs to the given principal.

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Constructor Details

KeyGrants

protected KeyGrants(software.amazon.jsii.JsiiObjectRef objRef)

KeyGrants

protected KeyGrants(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

Method Details

fromKey

@Stability(Stable)
@NotNull
public static KeyGrants fromKey(@NotNull
 IKeyRef resource,
 @Nullable
 Boolean trustAccountIdentities)

Creates grants for an IKeyRef.

Parameters:

resource - This parameter is required.

trustAccountIdentities -

fromKey

@Stability(Stable)
@NotNull
public static KeyGrants fromKey(@NotNull
 IKeyRef resource)

Creates grants for an IKeyRef.

Parameters:

resource - This parameter is required.

actions

@Stability(Stable)
@NotNull
public Grant actions(@NotNull
 IGrantable grantee,
 @NotNull
 String... actions)

Grant the indicated permissions on this key to the given principal.

This modifies both the principal's policy as well as the resource policy, since the default CloudFormation setup for KMS keys is that the policy must not be empty and so default grants won't work.

Parameters:

grantee - This parameter is required.

actions - This parameter is required.

admin

@Stability(Stable)
@NotNull
public Grant admin(@NotNull
 IGrantable grantee)

Grant admins permissions using this key to the given principal.

Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).

Parameters:

grantee - This parameter is required.

decrypt

@Stability(Stable)
@NotNull
public Grant decrypt(@NotNull
 IGrantable grantee)

Grant decryption permissions using this key to the given principal.

Parameters:

grantee - This parameter is required.

encrypt

@Stability(Stable)
@NotNull
public Grant encrypt(@NotNull
 IGrantable grantee)

Grant encryption permissions using this key to the given principal.

Parameters:

grantee - This parameter is required.

encryptDecrypt

@Stability(Stable)
@NotNull
public Grant encryptDecrypt(@NotNull
 IGrantable grantee)

Grant encryption and decryption permissions using this key to the given principal.

Parameters:

grantee - This parameter is required.

generateMac

@Stability(Stable)
@NotNull
public Grant generateMac(@NotNull
 IGrantable grantee)

Grant permissions to generating MACs to the given principal.

Parameters:

grantee - This parameter is required.

sign

@Stability(Stable)
@NotNull
public Grant sign(@NotNull
 IGrantable grantee)

Grant sign permissions using this key to the given principal.

Parameters:

grantee - This parameter is required.

signVerify

@Stability(Stable)
@NotNull
public Grant signVerify(@NotNull
 IGrantable grantee)

Grant sign and verify permissions using this key to the given principal.

Parameters:

grantee - This parameter is required.

verify

@Stability(Stable)
@NotNull
public Grant verify(@NotNull
 IGrantable grantee)

Grant verify permissions using this key to the given principal.

Parameters:

grantee - This parameter is required.

verifyMac

@Stability(Stable)
@NotNull
public Grant verifyMac(@NotNull
 IGrantable grantee)

Grant permissions to verifying MACs to the given principal.

Parameters:

grantee - This parameter is required.

getResource

@Stability(Stable)
@NotNull
protected IKeyRef getResource()