pulumi-aws-kotlin/com.pulumi.aws.kms.kotlin/GrantArgs

GrantArgs

data class GrantArgs(val constraints: Output<List<GrantConstraintArgs>>? = null, val grantCreationTokens: Output<List<String>>? = null, val granteePrincipal: Output<String>? = null, val keyId: Output<String>? = null, val name: Output<String>? = null, val operations: Output<List<String>>? = null, val retireOnDelete: Output<Boolean>? = null, val retiringPrincipal: Output<String>? = null) : ConvertibleToJava<GrantArgs>

Provides a resource-based access control mechanism for a KMS customer master key.

Note: All arguments including the grant token will be stored in the raw state as plain-text.

Import

Using pulumi import, import KMS Grants using the Key ID and Grant ID separated by a colon (:). For example:

$ pulumi import aws:kms/grant:Grant test 1234abcd-12ab-34cd-56ef-1234567890ab:abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514
Content copied to clipboard

Constructors

Link copied to clipboard
constructor(constraints: Output<List<GrantConstraintArgs>>? = null, grantCreationTokens: Output<List<String>>? = null, granteePrincipal: Output<String>? = null, keyId: Output<String>? = null, name: Output<String>? = null, operations: Output<List<String>>? = null, retireOnDelete: Output<Boolean>? = null, retiringPrincipal: Output<String>? = null)

Properties

Link copied to clipboard
val constraints: Output<List<GrantConstraintArgs>>? = null

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

Link copied to clipboard
val grantCreationTokens: Output<List<String>>? = null

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

Link copied to clipboard
val granteePrincipal: Output<String>? = null

The principal that is given permission to perform the operations that the grant permits in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.

Link copied to clipboard
val keyId: Output<String>? = null

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

Link copied to clipboard
val name: Output<String>? = null

A friendly name for identifying the grant.

Link copied to clipboard
val operations: Output<List<String>>? = null

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, or GenerateDataKeyPairWithoutPlaintext.

Link copied to clipboard
val retireOnDelete: Output<Boolean>? = null

If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants. See RetireGrant for more information.

Link copied to clipboard
val retiringPrincipal: Output<String>? = null

The principal that is given permission to retire the grant by using RetireGrant operation in ARN format. Note that due to eventual consistency issues around IAM principals, the providers's state may not always be refreshed to reflect what is true in AWS.

Functions

Link copied to clipboard
open override fun toJava(): GrantArgs