Skip to content

Retire Grant

kms_retire_grant R Documentation

Deletes a grant

Description

Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The create_grant operation returns both values.

This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the retire_grant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide . For examples of creating grants in several programming languages, see Use CreateGrant with an Amazon Web Services SDK or CLI.

Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.

Required permissions: Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

Related operations:

  • create_grant

  • list_grants

  • list_retirable_grants

  • revoke_grant

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Usage

kms_retire_grant(GrantToken, KeyId, GrantId, DryRun)

Arguments

GrantToken

Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.

Only the create_grant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.
KeyId

The key ARN KMS key associated with the grant. To find the key ARN, use the list_keys operation.

For example: ⁠arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab⁠
GrantId

Identifies the grant to retire. To get the grant ID, use create_grant, list_grants, or list_retirable_grants.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
DryRun

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your permissions in the Key Management Service Developer Guide.

Value

An empty list.

Request syntax

svc$retire_grant(
  GrantToken = "string",
  KeyId = "string",
  GrantId = "string",
  DryRun = TRUE|FALSE
)

Examples

## Not run: 
# The following example retires a grant.
svc$retire_grant(
  GrantId = "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60",
  KeyId = "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
)

## End(Not run)