libZSservicesZSamazonka-kmsZSamazonka-kms
Copyright(c) 2013-2021 Brendan Hay
LicenseMozilla Public License, v. 2.0.
MaintainerBrendan Hay <brendan.g.hay+amazonka@gmail.com>
Stabilityauto-generated
Portabilitynon-portable (GHC extensions)
Safe HaskellNone

Amazonka.KMS.RetireGrant

Description

Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.

This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account (root user) in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

For detailed information about grants, including grant terminology, see Using grants in the /Key Management Service Developer Guide/ . For examples of working with grants in several programming languages, see Programming grants.

Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.

Required permissions::Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

Related operations:

  • CreateGrant
  • ListGrants
  • ListRetirableGrants
  • RevokeGrant
Synopsis

Creating a Request

data RetireGrant Source #

See: newRetireGrant smart constructor.

Constructors

RetireGrant' 

Fields

  • keyId :: Maybe Text

    The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys operation.

    For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

  • grantId :: Maybe Text

    Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.

    • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
  • grantToken :: Maybe Text

    Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.

    Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.

Instances

Instances details
Eq RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Read RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Show RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Generic RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Associated Types

type Rep RetireGrant :: Type -> Type #

NFData RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Methods

rnf :: RetireGrant -> () #

Hashable RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

ToJSON RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

AWSRequest RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Associated Types

type AWSResponse RetireGrant #

ToHeaders RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

Methods

toHeaders :: RetireGrant -> [Header] #

ToPath RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

ToQuery RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

type Rep RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

type Rep RetireGrant = D1 ('MetaData "RetireGrant" "Amazonka.KMS.RetireGrant" "libZSservicesZSamazonka-kmsZSamazonka-kms" 'False) (C1 ('MetaCons "RetireGrant'" 'PrefixI 'True) (S1 ('MetaSel ('Just "keyId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)) :*: (S1 ('MetaSel ('Just "grantId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)) :*: S1 ('MetaSel ('Just "grantToken") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)))))
type AWSResponse RetireGrant Source # 
Instance details

Defined in Amazonka.KMS.RetireGrant

newRetireGrant :: RetireGrant Source #

Create a value of RetireGrant with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:keyId:RetireGrant', retireGrant_keyId - The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys operation.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

$sel:grantId:RetireGrant', retireGrant_grantId - Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

$sel:grantToken:RetireGrant', retireGrant_grantToken - Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.

Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.

Request Lenses

retireGrant_keyId :: Lens' RetireGrant (Maybe Text) Source #

The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys operation.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

retireGrant_grantId :: Lens' RetireGrant (Maybe Text) Source #

Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

retireGrant_grantToken :: Lens' RetireGrant (Maybe Text) Source #

Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.

Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.

Destructuring the Response

data RetireGrantResponse Source #

See: newRetireGrantResponse smart constructor.

Constructors

RetireGrantResponse' 

newRetireGrantResponse :: RetireGrantResponse Source #

Create a value of RetireGrantResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.