Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . kms ]



Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:

  • The AWS account (root user) under which the grant was created
  • The RetiringPrincipal , if present in the grant
  • The GranteePrincipal , if RetireGrant is an operation specified in the grant

You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded string. A grant ID is a 64 character unique identifier of a grant. The CreateGrant operation returns both.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


[--grant-token <value>]
[--key-id <value>]
[--grant-id <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--grant-token (string)

Token that identifies the grant to be retired.

--key-id (string)

The Amazon Resource Name (ARN) of the CMK associated with the grant.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

--grant-id (string)

Unique identifier of the grant to retire. The grant ID is returned in the response to a CreateGrant operation.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


To retire a grant on a customer master key

The following retire-grant example deletes a grant from a CMK.

The following example command specifies the grant-id and the key-id parameters. The value of the key-id parameter must be the Amazon Resource Name (ARN) of the CMK.

aws kms retire-grant \
    --grant-id 1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3 \
    --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

This command produces no output. To confirm that the grant was retired, use the list-grants command.

For more information, see Using Grants in the AWS Key Management Service Developer Guide.