Grant
Provides a resource-based access control mechanism for a KMS customer master key.
Example Usage
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.kms.Grant;
import com.pulumi.aws.kms.GrantArgs;
import com.pulumi.aws.kms.inputs.GrantConstraintArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // The KMS customer master key the grant will apply to.
        var key = new Key("key");

        // The grantee: a role that the Lambda service is allowed to assume.
        var role = new Role("role", RoleArgs.builder()
            .assumeRolePolicy("""
                {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Action": "sts:AssumeRole",
                      "Principal": {
                        "Service": "lambda.amazonaws.com"
                      },
                      "Effect": "Allow",
                      "Sid": ""
                    }
                  ]
                }
                """)
            .build());

        // Allow the role to Encrypt, Decrypt and GenerateDataKey with the key,
        // but only for requests whose encryption context is exactly
        // {"Department": "Finance"}.
        var grant = new Grant("grant", GrantArgs.builder()
            .keyId(key.keyId())
            .granteePrincipal(role.arn())
            .operations(
                "Encrypt",
                "Decrypt",
                "GenerateDataKey")
            .constraints(GrantConstraintArgs.builder()
                .encryptionContextEquals(Map.of("Department", "Finance"))
                .build())
            .build());
    }
}
Import
KMS Grants can be imported using the Key ID and Grant ID separated by a colon (:), e.g.,
$ pulumi import aws:kms/grant:Grant test 1234abcd-12ab-34cd-56ef-1234567890ab:abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514
Properties
A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.
A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.
The grant token for the created grant. For more information, see Grant Tokens.
If set to false (the default), the grant is revoked when the resource is deleted; if set to true, the provider attempts to retire the grant instead. Retiring a grant requires special permissions, which is why revoking is the default. See RetireGrant for more information.
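The constraint in the example program above, and the constraints property just described, only gate a request when the caller's encryption context matches. The following is an added example, not part of the Pulumi documentation or the Pulumi SDK: an offline Python model of how a grant's operations list and constraint combine, following the documented KMS rules for EncryptionContextEquals (exact, case-sensitive match of the whole context) and EncryptionContextSubset (every constraint pair must be present, extra pairs allowed). The grant and the requests are constructed to mirror the page's example; nothing here calls AWS.

```python
# Added example, not part of the Pulumi documentation page: an offline model of
# how a KMS grant's operations list and constraint gate a request. It follows the
# matching rules AWS documents for EncryptionContextEquals and
# EncryptionContextSubset; nothing here calls AWS.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Operations whose requests carry an encryption context. A grant constraint only
# gates these; an operation that takes no encryption context (for example
# DescribeKey) is not affected by the constraint even when the grant allows it.
CONTEXT_OPERATIONS: FrozenSet[str] = frozenset({
    "Encrypt",
    "Decrypt",
    "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext",
    "ReEncryptFrom",
    "ReEncryptTo",
})


@dataclass
class GrantConstraint:
    """The two constraint kinds a KMS grant can carry (at most one is set)."""
    encryption_context_equals: Optional[Dict[str, str]] = None
    encryption_context_subset: Optional[Dict[str, str]] = None

    def satisfied_by(self, ctx: Dict[str, str]) -> bool:
        # Equals: the request context must match the constraint exactly,
        # no extra pairs, no missing pairs, case-sensitive keys and values.
        if self.encryption_context_equals is not None:
            return ctx == self.encryption_context_equals
        # Subset: every constraint pair must appear in the request context;
        # additional pairs in the request are allowed.
        if self.encryption_context_subset is not None:
            return all(ctx.get(k) == v for k, v in self.encryption_context_subset.items())
        return True  # a constraint object with no condition set


@dataclass
class Grant:
    operations: FrozenSet[str]
    constraint: Optional[GrantConstraint] = None


def grant_allows(grant: Grant, operation: str,
                 encryption_context: Optional[Dict[str, str]] = None) -> bool:
    """True if this grant, considered on its own, permits the request."""
    if operation not in grant.operations:
        return False
    if grant.constraint is None or operation not in CONTEXT_OPERATIONS:
        return True
    return grant.constraint.satisfied_by(encryption_context or {})


# Constructed grant mirroring the page's example: Encrypt, Decrypt and
# GenerateDataKey, constrained to exactly {"Department": "Finance"}.
FINANCE_GRANT = Grant(
    operations=frozenset({"Encrypt", "Decrypt", "GenerateDataKey"}),
    constraint=GrantConstraint(encryption_context_equals={"Department": "Finance"}),
)

# Same operations with the looser subset constraint, for comparison.
FINANCE_SUBSET_GRANT = Grant(
    operations=frozenset({"Encrypt", "Decrypt", "GenerateDataKey"}),
    constraint=GrantConstraint(encryption_context_subset={"Department": "Finance"}),
)


def evaluate_requests(grant: Grant) -> Dict[str, bool]:
    """Run a fixed set of constructed requests through a grant."""
    return {
        "decrypt_exact_context": grant_allows(grant, "Decrypt", {"Department": "Finance"}),
        "decrypt_extra_pair": grant_allows(grant, "Decrypt", {"Department": "Finance", "Project": "Ledger"}),
        "decrypt_no_context": grant_allows(grant, "Decrypt"),
        "decrypt_wrong_case": grant_allows(grant, "Decrypt", {"department": "finance"}),
        "encrypt_exact_context": grant_allows(grant, "Encrypt", {"Department": "Finance"}),
        "sign_not_granted": grant_allows(grant, "Sign", {"Department": "Finance"}),
    }


if __name__ == "__main__":
    for name, g in (("equals", FINANCE_GRANT), ("subset", FINANCE_SUBSET_GRANT)):
        for request, allowed in evaluate_requests(g).items():
            print(f"{name:6} {request:24} {'allow' if allowed else 'deny'}")
```

Two things the table of results makes visible that the property description does not: with encryptionContextEquals, a Decrypt request carrying one extra context pair is denied, while the subset form accepts it; and because Encrypt under the grant is also gated, ciphertext produced through the grant necessarily carries the required context, so the constraint is enforced symmetrically. The model evaluates the grant alone; in KMS the key policy and IAM policies are separate authorization sources that this code does not consider.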