AWS Key Management Service
Developer Guide

Working with Grants

This topic discusses how to create, retire, revoke, and list grants.

Creating a Grant

Call the CreateGrant function to create a grant.

// Creating a grant
//
// Input Parameters:
//   The function takes up to six parameters.
//     KeyId              - Unique identifier for the key. This can be an ARN, an alias, or a globally unique value.
//     GranteePrincipal   - Principal given permission to use the key identified by the KeyId parameter
//     RetiringPrincipal  - Principal given permission to retire the grant
//     Operations         - List of operations permitted by the grant
//     Constraints        - The conditions under which the actions specified by the Operations parameter are allowed
//     GrantTokens        - List of grant tokens
//
// Return Values:
//   The function returns two values.
//     GrantToken         - Signed and encrypted string value that contains all of the information needed to create the grant
//     GrantID            - Globally unique identifier of the grant
//
// kms is an AWSKMS client (com.amazonaws.services.kms), created with the default credential chain.
AWSKMS kms = AWSKMSClientBuilder.defaultClient();

// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String granteePrincipal = "arn:aws:iam::111122223333:user/Alice";
// GrantOperation is an enum; the request takes a list of operations, not a single string.
GrantOperation operation = GrantOperation.Encrypt;

CreateGrantRequest req = new CreateGrantRequest();
req.setKeyId(keyId);
req.setGranteePrincipal(granteePrincipal);
req.withOperations(operation);

CreateGrantResult result = kms.createGrant(req);
// result.getGrantToken() and result.getGrantId() identify the new grant in later requests.

Retiring a Grant

Call the RetireGrant function to retire a grant. You should retire a grant to clean up after you are done using it.

// Retiring a grant
//
// Input Parameters:
//   GrantToken - The grant token returned by CreateGrant for the grant to retire
//
// Return Values:
//   The function does not return a value.
//
// Replace the following string with the grant token returned by CreateGrant.
String grantToken = "Place your grant token here";

RetireGrantRequest req = new RetireGrantRequest().withGrantToken(grantToken);
kms.retireGrant(req);

Revoking Grants

Call the RevokeGrant function to revoke a grant. You should revoke a grant to deny operations that depend on it.

// Revoking a grant
//
// Input Parameters:
//   KeyId   - Unique identifier for the key
//   GrantId - Unique identifier for the grant
//
// Return Values:
//   The function does not return a value.
//
// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
String grantId = "grant1";

RevokeGrantRequest req = new RevokeGrantRequest().withKeyId(keyId).withGrantId(grantId);
kms.revokeGrant(req);

Listing Grants

Call the ListGrants function to list all of the grants on a given key.

// Listing grants
//
// Input Parameters:
//   The function takes three parameters.
//     KeyId    - Unique identifier for the key
//     Limit    - Specify this parameter only when paginating results to indicate the 
//                maximum number of grants you want listed in the response. If there are 
//                additional grants beyond the maximum you specify, the Truncated 
//                response element will be set to true.
//     Marker   - Use this parameter only when paginating results, and only in a subsequent
//                request after you've received a response where the results are truncated. 
//                Set it to the value of the NextMarker in the response you 
//                just received.
//
// Return Values:
//   The function returns a list of grants for the key.
//
// Replace the following string with a real key ID.
String keyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
Integer limit = 10;
String marker = null;

ListGrantsRequest req = new ListGrantsRequest().withKeyId(keyId).withMarker(marker).withLimit(limit);
ListGrantsResult result = kms.listGrants(req);
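The snippets above stop at a single-operation grant and at the first page of ListGrants. The following added example (not code from the AWS documentation) puts the pieces together with the AWS SDK for Java v1: it creates a grant restricted to Encrypt/Decrypt and to an encryption-context subset, names a RetiringPrincipal so the grant can be cleaned up, and then walks every page of ListGrants using the Truncated/NextMarker fields described above, which is what a grant audit needs. The key and principal ARNs are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.*;

public class GrantLifecycleExample {
    // Constructed placeholder ARNs; replace with real values.
    static final String KEY_ID = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
    static final String GRANTEE = "arn:aws:iam::111122223333:role/app-role";
    static final String RETIRER = "arn:aws:iam::111122223333:role/deploy-role";

    // Least-privilege grant: only Encrypt/Decrypt, and only for requests whose
    // encryption context contains Department=Finance (Constraints parameter).
    static CreateGrantResult createScopedGrant(AWSKMS kms) {
        GrantConstraints constraints = new GrantConstraints()
            .withEncryptionContextSubset(Collections.singletonMap("Department", "Finance"));
        CreateGrantRequest req = new CreateGrantRequest()
            .withKeyId(KEY_ID)
            .withGranteePrincipal(GRANTEE)
            .withRetiringPrincipal(RETIRER)            // who may call RetireGrant later
            .withOperations(GrantOperation.Encrypt, GrantOperation.Decrypt)
            .withConstraints(constraints);
        return kms.createGrant(req);
    }

    // Follow Truncated/NextMarker so an audit sees every grant on the key,
    // not just the first page.
    static List<GrantListEntry> listAllGrants(AWSKMS kms, String keyId) {
        List<GrantListEntry> all = new ArrayList<>();
        String marker = null;
        do {
            ListGrantsResult page = kms.listGrants(
                new ListGrantsRequest().withKeyId(keyId).withLimit(100).withMarker(marker));
            all.addAll(page.getGrants());
            marker = Boolean.TRUE.equals(page.getTruncated()) ? page.getNextMarker() : null;
        } while (marker != null);
        return all;
    }

    public static void main(String[] args) {
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();
        CreateGrantResult created = createScopedGrant(kms);
        System.out.println("Created grant " + created.getGrantId());
        for (GrantListEntry g : listAllGrants(kms, KEY_ID)) {
            System.out.println(g.getGrantId() + " -> " + g.getGranteePrincipal()
                + " " + g.getOperations() + " " + g.getConstraints());
        }
    }
}
```

Reviewing the listed grants for unexpected grantee principals, unconstrained operations, or missing RetiringPrincipal values is a quick way to spot overly broad key access.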