Learn R Programming
paws.security.identity (version 0.1.12)

kms_retire_grant: Retires a grant

Description

Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:

  • The AWS account (root user) under which the grant was created

  • The RetiringPrincipal, if present in the grant

  • The GranteePrincipal, if retire_grant is an operation specified in the grant

You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded string. A grant ID is a 64 character unique identifier of a grant. The create_grant operation returns both.

Cross-account use: Yes. You can retire a grant on a CMK in a different AWS account.

Required permissions:: Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see Using grants in the AWS Key Management Service Developer Guide.

Related operations:

  • create_grant

  • list_grants

  • list_retirable_grants

  • revoke_grant

Usage

kms_retire_grant(GrantToken, KeyId, GrantId)

Value

An empty list.

Arguments

GrantToken

Token that identifies the grant to be retired.

KeyId

The Amazon Resource Name (ARN) of the CMK associated with the grant.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

GrantId

Unique identifier of the grant to retire. The grant ID is returned in the response to a create_grant operation.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

Request syntax

svc$retire_grant(
  GrantToken = "string",
  KeyId = "string",
  GrantId = "string"
)

Examples

Run this code
if (FALSE) {
# The following example retires a grant.
svc$retire_grant(
  GrantId = "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60",
  KeyId = "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
)
}

Run the code above in your browser using DataLab