**To create a grant**
The following ``create-grant`` example creates a grant that allows the ``exampleUser`` user to use the ``decrypt`` command on the ``1234abcd-12ab-34cd-56ef-1234567890ab`` example CMK. The retiring principal is the ``adminRole`` role. The grant uses the ``EncryptionContextSubset`` grant constraint to allow this permission only when the encryption context in the ``decrypt`` request includes the "Department": "IT" key-value pair. ::

    aws kms create-grant \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --grantee-principal arn:aws:iam::123456789012:user/exampleUser \
        --operations Decrypt \
        --constraints EncryptionContextSubset={Department=IT} \
        --retiring-principal arn:aws:iam::123456789012:role/adminRole

The output of this command includes the ID of the new grant and a grant token. You can use the ID and token to identify the grant to other AWS KMS CLI commands, including ``retire-grant`` and ``revoke-grant``. ::

    {
        "GrantId": "1a2b3c4d2f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0dab1a59b2",
        "GrantToken": "<grant token here>"
    }

To view detailed information about the grant, use the ``list-grants`` command.
For more information, see `Using Grants <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html>`__ in the *AWS Key Management Service Developer Guide*.
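How the ``EncryptionContextSubset`` constraint above gates a ``decrypt`` request, as an added example that is not part of the awscli documentation: a small simulation of the check KMS applies, using the grant from this page and constructed request contexts. The ``grant_permits`` and ``constraint_allows`` helpers are assumptions made here, not an AWS API.

```python
"""Simulate grant-constraint evaluation for the create-grant example above.

Added example, not AWS code. The grant below mirrors the one created on
this page: exampleUser may Decrypt only when the request's encryption
context includes Department=IT (EncryptionContextSubset).
"""
from typing import Dict, Optional

# Constructed sample grant, using the GrantId and constraint shown on the page.
GRANT = {
    "GrantId": "1a2b3c4d2f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0dab1a59b2",
    "Operations": ["Decrypt"],
    "Constraints": {"EncryptionContextSubset": {"Department": "IT"}},
}


def constraint_allows(constraints: Dict[str, Dict[str, str]],
                      request_context: Optional[Dict[str, str]]) -> bool:
    """Return True when a request's encryption context satisfies the constraint.

    EncryptionContextSubset: every key-value pair in the constraint must be
    present in the request context; extra pairs in the request are allowed.
    EncryptionContextEquals: the request context must match exactly.
    Encryption context keys and values are case-sensitive.
    """
    ctx = request_context or {}  # a request with no context has an empty one
    subset = constraints.get("EncryptionContextSubset")
    if subset is not None and any(ctx.get(k) != v for k, v in subset.items()):
        return False
    equals = constraints.get("EncryptionContextEquals")
    if equals is not None and ctx != equals:
        return False
    return True


def grant_permits(grant: dict, operation: str,
                  request_context: Optional[Dict[str, str]]) -> bool:
    """A grant permits a request only if the operation is listed in the grant
    and the encryption-context constraint (if any) holds."""
    if operation not in grant["Operations"]:
        return False
    return constraint_allows(grant.get("Constraints", {}), request_context)


if __name__ == "__main__":
    # A decrypt call with Department=IT plus an extra pair is allowed; one
    # without the pair, with different case, or for another operation is not.
    print(grant_permits(GRANT, "Decrypt", {"Department": "IT", "App": "pay"}))
    print(grant_permits(GRANT, "Decrypt", None))
```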