KeyGrants

class aws_cdk.aws_kms.KeyGrants(*args: Any, **kwargs)

Bases: object

Collection of grant methods for an IKey.

Example:

# principal: iam.IPrincipal
# key: kms.IKeyRef (can be either an L1 or an L2 construct)

kms.KeyGrants.from_key(key).sign(principal)

Methods

actions(grantee, *actions)

Grant the indicated permissions on this key to the given principal.

This modifies both the principal’s policy and the key’s resource policy, because the default CloudFormation setup for KMS keys requires that the key policy must not be empty, so default grants won’t work.

Parameters:
  • grantee (IGrantable)

  • actions (str)

Return type:

Grant

admin(grantee)

Grant admin permissions using this key to the given principal.

Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions to use the key in cryptographic operations (e.g., encrypt, decrypt).

Parameters:

grantee (IGrantable)

Return type:

Grant
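The separation that admin() describes (manage the key, but no cryptographic use) can be checked on a synthesized key policy. The following is an added example, not part of the CDK documentation or code base: the function names, the sample policy, the role ARNs and the choice of which KMS actions count as "admin" or "use" are assumptions made for illustration.

```python
import fnmatch
import json

# Cryptographic-use actions that a pure key administrator should not hold.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
               "kms:GenerateDataKey", "kms:Sign", "kms:Verify",
               "kms:GenerateMac", "kms:VerifyMac"]
# Management actions that mark a statement as an administrator statement.
ADMIN_ACTIONS = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
                 "kms:RevokeGrant", "kms:UpdateKeyDescription"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(patterns, actions):
    """True if any IAM action pattern (case-insensitive, '*' wildcard) matches."""
    return any(fnmatch.fnmatchcase(a.lower(), p.lower())
               for p in patterns for a in actions)

def mixed_role_principals(key_policy):
    """Return principals whose Allow statements combine admin and use actions."""
    seen = {}  # principal -> {"admin": bool, "use": bool}
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            # Synthesized templates may hold intrinsics (dicts) instead of strings.
            name = arn if isinstance(arn, str) else json.dumps(arn, sort_keys=True)
            roles = seen.setdefault(name, {"admin": False, "use": False})
            roles["admin"] |= _covers(patterns, ADMIN_ACTIONS)
            roles["use"] |= _covers(patterns, USE_ACTIONS)
    return sorted(n for n, r in seen.items() if r["admin"] and r["use"])

_ROLE = "arn:aws:iam::111122223333:role/"  # constructed account and role names
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed, not real synth output
    {"Effect": "Allow", "Principal": {"AWS": _ROLE + "KeyAdmin"}, "Resource": "*",
     "Action": ["kms:Put*", "kms:Revoke*", "kms:ScheduleKeyDeletion"]},
    {"Effect": "Allow", "Principal": {"AWS": _ROLE + "Signer"}, "Resource": "*",
     "Action": "kms:Sign"},
    {"Effect": "Allow", "Principal": {"AWS": _ROLE + "Ops"}, "Resource": "*",
     "Action": ["kms:Disable*", "kms:Decrypt"]},
    {"Effect": "Allow", "Principal": {"AWS": {"Fn::GetAtt": ["BreakGlass", "Arn"]}},
     "Resource": "*", "Action": "kms:*"},
]}

if __name__ == "__main__":
    print(mixed_role_principals(SAMPLE_POLICY))
```

The check reads only the key's resource policy and ignores Condition elements; because grants also modify the principal's identity policy, that policy needs the same review.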

decrypt(grantee)

Grant decryption permissions using this key to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

encrypt(grantee)

Grant encryption permissions using this key to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

encrypt_decrypt(grantee)

Grant encryption and decryption permissions using this key to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

generate_mac(grantee)

Grant permissions to generate MACs to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

sign(grantee)

Grant sign permissions using this key to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

sign_verify(grantee)

Grant sign and verify permissions using this key to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

verify(grantee)

Grant verify permissions using this key to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

verify_mac(grantee)

Grant permissions to verify MACs to the given principal.

Parameters:

grantee (IGrantable)

Return type:

Grant

Static Methods

classmethod from_key(resource, trust_account_identities=None)

Creates grants for an IKeyRef.

Parameters:
  • resource (IKeyRef)

  • trust_account_identities (Optional[bool])

Return type:

KeyGrants