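/// <summary>
/// Creates a grant on an AWS KMS key that allows the grantee principal to call
/// the Encrypt and Decrypt operations, then prints the grant ID and grant token.
/// </summary>
/// <returns>A task that completes after the grant identifiers have been printed.</returns>
public static async Task Main()
{
    // The client is disposable; the using block releases it when Main exits,
    // including when CreateGrantAsync throws.
    using (var client = new AmazonKeyManagementServiceClient())
    {
        // The identity that is given permission to perform the operations
        // specified in the grant.
        var grantee = "arn:aws:iam::111122223333:role/ExampleRole";

        // The identifier of the AWS KMS key to which the grant applies. You
        // can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
        var keyId = "7c9eccc2-38cb-4c4f-9db3-766ee8dd3ad4";

        var request = new CreateGrantRequest
        {
            GranteePrincipal = grantee,
            KeyId = keyId,

            // A list of operations that the grant allows. Keep this list to
            // the operations the grantee actually needs.
            // NOTE(review): the request sets no Constraints and no
            // RetiringPrincipal, so the grant is not limited to a particular
            // encryption context. Confirm that scope is intended before
            // reusing this pattern outside a sample.
            Operations = new List<string>
            {
                "Encrypt",
                "Decrypt",
            },
        };

        var response = await client.CreateGrantAsync(request);

        string grantId = response.GrantId; // The unique identifier of the grant.
        string grantToken = response.GrantToken; // The grant token.

        Console.WriteLine($"Id: {grantId}, Token: {grantToken}");
    }
}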
}
如需 API 詳細資訊,請參閱 AWS SDK for .NET API 參考中的 CreateGrant。
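/**
 * Asynchronously creates a grant that lets a principal use a KMS key (formerly
 * called a customer master key, CMK) for the Encrypt, Decrypt and DescribeKey
 * operations.
 *
 * <p>The request carries no grant constraints, so the grant is not limited to a
 * particular encryption context.
 *
 * @param keyId The unique identifier of the KMS key that the grant applies to.
 * @param granteePrincipal The principal that is given permission to perform the
 *                         operations that the grant permits on the key.
 * @return A {@link CompletableFuture} that, when completed, contains the ID of
 *         the created grant. If grant creation fails, the future completes
 *         exceptionally with a {@link RuntimeException} whose cause is the
 *         underlying failure.
 * @throws RuntimeException If an error occurs during the grant creation process
 *                          (delivered through the returned future).
 */
public CompletableFuture<String> grantKeyAsync(String keyId, String granteePrincipal) {
    // Operations the grantee is allowed to perform; keep this list to what the
    // grantee actually needs.
    List<GrantOperation> grantPermissions = List.of(
            GrantOperation.ENCRYPT,
            GrantOperation.DECRYPT,
            GrantOperation.DESCRIBE_KEY);

    // NOTE(review): the grant name is a fixed literal, so every grant created
    // through this method shares it; confirm that is intended.
    CreateGrantRequest grantRequest = CreateGrantRequest.builder()
            .keyId(keyId)
            .name("grant1")
            .granteePrincipal(granteePrincipal)
            .operations(grantPermissions)
            .build();

    // handle() is used instead of whenComplete(): an exception thrown from a
    // whenComplete() action does not replace the failure of an already-failed
    // stage, and the original code also discarded that stage, so the wrapped
    // RuntimeException never reached the caller.
    return getAsyncClient().createGrant(grantRequest)
            .handle((response, ex) -> {
                if (ex == null) {
                    logger.info("Grant created successfully with ID: " + response.grantId());
                    return response.grantId();
                }

                // Asynchronous failures may arrive wrapped in a CompletionException;
                // unwrap once so the KmsException check sees the real cause.
                Throwable cause = ex;
                if (ex instanceof java.util.concurrent.CompletionException && ex.getCause() != null) {
                    cause = ex.getCause();
                }

                if (cause instanceof KmsException kmsEx) {
                    throw new RuntimeException("Failed to create grant: " + kmsEx.getMessage(), kmsEx);
                }
                throw new RuntimeException("An unexpected error occurred: " + cause.getMessage(), cause);
            });
}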
如需 API 詳細資訊,請參閱 AWS SDK for Java 2.x API 參考中的 CreateGrant。
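class GrantManager:
    """Wraps a KMS client and exposes grant creation on a key."""

    def __init__(self, kms_client):
        """
        :param kms_client: The client object whose ``create_grant`` method this
                           wrapper calls.
        """
        self.kms_client = kms_client

    @classmethod
    def from_client(cls) -> "GrantManager":
        """
        Creates a GrantManager instance with a default KMS client.

        :return: An instance of GrantManager initialized with the default KMS client.
        """
        kms_client = boto3.client("kms")
        return cls(kms_client)

    def create_grant(
        self, key_id: str, principal: str, operations: list[str]
    ) -> dict[str, str]:
        """
        Creates a grant on a key that lets a principal perform the given
        operations.

        Only the key, the grantee principal and the operations are sent: the
        request carries no ``Constraints``, so the grant is not limited to a
        particular encryption context. Pass only the operations the principal
        actually needs.

        :param key_id: The ARN or ID of the key.
        :param principal: The principal to grant permission to.
        :param operations: The operations to grant permission for.
        :return: The response returned by the client's ``create_grant`` call.
        :raises ClientError: Re-raised unchanged after the failure is logged.
        """
        try:
            return self.kms_client.create_grant(
                KeyId=key_id,
                GranteePrincipal=principal,
                Operations=operations,
            )
        except ClientError as err:
            # Log the service's error message for the operator, then let the
            # caller decide how to handle the failure.
            logger.error(
                "Couldn't create a grant on key %s. Here's why: %s",
                key_id,
                err.response["Error"]["Message"],
            )
            raise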
如需 API 詳細資訊，請參閱 AWS SDK for Python (Boto3) API 參考中的 CreateGrant。
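/// <summary>
/// Creates a grant on an AWS KMS key that allows the grantee principal to call
/// the Encrypt and Decrypt operations, then prints the grant ID and grant token.
/// </summary>
/// <returns>A task that completes after the grant identifiers have been printed.</returns>
public static async Task Main()
{
    // The client is disposable; the using block releases it when Main exits,
    // including when CreateGrantAsync throws.
    using (var client = new AmazonKeyManagementServiceClient())
    {
        // The identity that is given permission to perform the operations
        // specified in the grant.
        var grantee = "arn:aws:iam::111122223333:role/ExampleRole";

        // The identifier of the AWS KMS key to which the grant applies. You
        // can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
        var keyId = "7c9eccc2-38cb-4c4f-9db3-766ee8dd3ad4";

        var request = new CreateGrantRequest
        {
            GranteePrincipal = grantee,
            KeyId = keyId,

            // A list of operations that the grant allows. Keep this list to
            // the operations the grantee actually needs.
            // NOTE(review): the request sets no Constraints and no
            // RetiringPrincipal, so the grant is not limited to a particular
            // encryption context. Confirm that scope is intended before
            // reusing this pattern outside a sample.
            Operations = new List<string>
            {
                "Encrypt",
                "Decrypt",
            },
        };

        var response = await client.CreateGrantAsync(request);

        string grantId = response.GrantId; // The unique identifier of the grant.
        string grantToken = response.GrantToken; // The grant token.

        Console.WriteLine($"Id: {grantId}, Token: {grantToken}");
    }
}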
}
如需 API 詳細資訊,請參閱 AWS SDK for .NET API 參考中的 CreateGrant。