| Copyright | (c) 2013-2021 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | auto-generated |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
Amazonka.KMS.RetireGrant
Description
Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.
This operation can be called by the retiring principal for a grant, by
the grantee principal if the grant allows the RetireGrant operation,
and by the Amazon Web Services account (root user) in which the grant is
created. It can also be called by principals to whom permission for
retiring a grant is delegated. For details, see
Retiring and revoking grants
in the Key Management Service Developer Guide.
For detailed information about grants, including grant terminology, see Using grants in the /Key Management Service Developer Guide/ . For examples of working with grants in several programming languages, see Programming grants.
Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.
Required permissions::Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.
Related operations:
- CreateGrant
- ListGrants
- ListRetirableGrants
- RevokeGrant
Synopsis
- data RetireGrant = RetireGrant' {}
- newRetireGrant :: RetireGrant
- retireGrant_keyId :: Lens' RetireGrant (Maybe Text)
- retireGrant_grantId :: Lens' RetireGrant (Maybe Text)
- retireGrant_grantToken :: Lens' RetireGrant (Maybe Text)
- data RetireGrantResponse = RetireGrantResponse' {
- newRetireGrantResponse :: RetireGrantResponse
Creating a Request
data RetireGrant Source #
See: newRetireGrant smart constructor.
Constructors
| RetireGrant' | |
Fields
| |
Instances
newRetireGrant :: RetireGrant Source #
Create a value of RetireGrant with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:keyId:RetireGrant', retireGrant_keyId - The key ARN KMS key associated with the grant. To find the key ARN, use
the ListKeys operation.
For example:
arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
$sel:grantId:RetireGrant', retireGrant_grantId - Identifies the grant to retire. To get the grant ID, use CreateGrant,
ListGrants, or ListRetirableGrants.
- Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
$sel:grantToken:RetireGrant', retireGrant_grantToken - Identifies the grant to be retired. You can use a grant token to
identify a new grant even before it has achieved eventual consistency.
Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.
Request Lenses
retireGrant_keyId :: Lens' RetireGrant (Maybe Text) Source #
The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys operation.
For example:
arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
retireGrant_grantId :: Lens' RetireGrant (Maybe Text) Source #
Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.
- Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
retireGrant_grantToken :: Lens' RetireGrant (Maybe Text) Source #
Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.
Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.
Destructuring the Response
data RetireGrantResponse Source #
See: newRetireGrantResponse smart constructor.
Constructors
| RetireGrantResponse' | |
Instances
| Eq RetireGrantResponse Source # | |
Defined in Amazonka.KMS.RetireGrant Methods (==) :: RetireGrantResponse -> RetireGrantResponse -> Bool # (/=) :: RetireGrantResponse -> RetireGrantResponse -> Bool # | |
| Read RetireGrantResponse Source # | |
Defined in Amazonka.KMS.RetireGrant Methods readsPrec :: Int -> ReadS RetireGrantResponse # readList :: ReadS [RetireGrantResponse] # | |
| Show RetireGrantResponse Source # | |
Defined in Amazonka.KMS.RetireGrant Methods showsPrec :: Int -> RetireGrantResponse -> ShowS # show :: RetireGrantResponse -> String # showList :: [RetireGrantResponse] -> ShowS # | |
| Generic RetireGrantResponse Source # | |
Defined in Amazonka.KMS.RetireGrant Associated Types type Rep RetireGrantResponse :: Type -> Type # Methods from :: RetireGrantResponse -> Rep RetireGrantResponse x # to :: Rep RetireGrantResponse x -> RetireGrantResponse # | |
| NFData RetireGrantResponse Source # | |
Defined in Amazonka.KMS.RetireGrant Methods rnf :: RetireGrantResponse -> () # | |
| type Rep RetireGrantResponse Source # | |
newRetireGrantResponse :: RetireGrantResponse Source #
Create a value of RetireGrantResponse with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.