Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . kms ]



Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token , or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.

This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking grants in the Key Management Service Developer Guide .

For detailed information about grants, including grant terminology, see Grants in KMS in the * Key Management Service Developer Guide * . For examples of working with grants in several programming languages, see Programming grants .

Cross-account use : Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.

Required permissions: :Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide .

Related operations:

  • CreateGrant
  • ListGrants
  • ListRetirableGrants
  • RevokeGrant

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


[--grant-token <value>]
[--key-id <value>]
[--grant-id <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--grant-token (string)

Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.

Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide .

--key-id (string)

The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys operation.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

--grant-id (string)

Identifies the grant to retire. To get the grant ID, use CreateGrant , ListGrants , or ListRetirableGrants .

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


To retire a grant on a customer master key

The following retire-grant example deletes a grant from a CMK.

The following example command specifies the grant-id and the key-id parameters. The value of the key-id parameter must be the Amazon Resource Name (ARN) of the CMK.

aws kms retire-grant \
    --grant-id 1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3 \
    --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

This command produces no output. To confirm that the grant was retired, use the list-grants command.

For more information, see Using Grants in the AWS Key Management Service Developer Guide.