AWS SDK Version 3 for .NET
API Reference

AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Returns information about all grants in the Amazon Web Services account and Region that have the specified retiring principal.

You can specify any principal in your Amazon Web Services account. The grants that are returned include grants for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this operation to determine which grants you may retire. To retire a grant, use the RetireGrant operation.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.

Cross-account use: You must specify a principal in your Amazon Web Services account. However, this operation can return grants in any Amazon Web Services account. You do not need kms:ListRetirableGrants permission (or any other additional permission) in any Amazon Web Services account other than your own.

Required permissions: kms:ListRetirableGrants (IAM policy) in your Amazon Web Services account.

Related operations:

Note:

For .NET Core this operation is only available in asynchronous form. Please refer to ListRetirableGrantsAsync.

Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z

Syntax

C#
public virtual ListRetirableGrantsResponse ListRetirableGrants(
         ListRetirableGrantsRequest request
)
Parameters
request
Type: Amazon.KeyManagementService.Model.ListRetirableGrantsRequest

Container for the necessary parameters to execute the ListRetirableGrants service method.

Return Value
The response from the ListRetirableGrants service method, as returned by KeyManagementService.

Exceptions

ExceptionCondition
DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry the request.
InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
InvalidMarkerException The request was rejected because the marker that specifies where pagination should next begin is not valid.
KMSInternalException The request was rejected because an internal exception occurred. The request can be retried.
NotFoundException The request was rejected because the specified entity or resource could not be found.

Examples

The following example lists the grants that the specified principal (identity) can retire.

To list grants that the specified principal can retire


var client = new AmazonKeyManagementServiceClient();
var response = client.ListRetirableGrants(new ListRetirableGrantsRequest 
{
    RetiringPrincipal = "arn:aws:iam::111122223333:role/ExampleRole" // The retiring principal whose grants you want to list. Use the Amazon Resource Name (ARN) of a principal such as an AWS account (root), IAM user, federated user, or assumed role user.
});

List<GrantListEntry> grants = response.Grants; // A list of grants that the specified principal can retire.
bool truncated = response.Truncated; // A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.

            

Version Information

.NET Framework:
Supported in: 4.5, 4.0, 3.5

See Also