{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.KMS.CreateGrant
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Adds a grant to a KMS key.
--
-- A /grant/ is a policy instrument that allows Amazon Web Services
-- principals to use KMS keys in cryptographic operations. It also can
-- allow them to view a KMS key (DescribeKey) and create and manage grants.
-- When authorizing access to a KMS key, grants are considered along with
-- key policies and IAM policies. Grants are often used for temporary
-- permissions because you can create one, use its permissions, and delete
-- it without changing your key policies or IAM policies.
--
-- For detailed information about grants, including grant terminology, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html Using grants>
-- in the /Key Management Service Developer Guide/. For examples of
-- working with grants in several programming languages, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html Programming grants>.
--
-- The @CreateGrant@ operation returns a @GrantToken@ and a @GrantId@.
--
-- -   When you create, retire, or revoke a grant, there might be a brief
--     delay, usually less than five minutes, until the grant is available
--     throughout KMS. This state is known as /eventual consistency/. Once
--     the grant has achieved eventual consistency, the grantee principal
--     can use the permissions in the grant without identifying the grant.
--
--     However, to use the permissions in the grant immediately, use the
--     @GrantToken@ that @CreateGrant@ returns. For details, see
--     <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
--     in the /Key Management Service Developer Guide/.
--
-- -   The @CreateGrant@ operation also returns a @GrantId@. You can use
--     the @GrantId@ and a key identifier to identify the grant in the
--     RetireGrant and RevokeGrant operations. To find the grant ID, use
--     the ListGrants or ListRetirableGrants operations.
--
-- The KMS key that you use for this operation must be in a compatible key
-- state. For details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html Key state: Effect on your KMS key>
-- in the /Key Management Service Developer Guide/.
--
-- __Cross-account use__: Yes. To perform this operation on a KMS key in a
-- different Amazon Web Services account, specify the key ARN in the value
-- of the @KeyId@ parameter.
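--
-- __Required permissions__:
-- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:CreateGrant>
-- (key policy)
--
-- __Related operations:__
--
-- -   ListGrants
--
-- -   ListRetirableGrants
--
-- -   RetireGrant
--
-- -   RevokeGrant
module Amazonka.KMS.CreateGrant
  ( -- * Creating a Request
    CreateGrant (..),
    newCreateGrant,

    -- * Request Lenses
    createGrant_retiringPrincipal,
    createGrant_grantTokens,
    createGrant_constraints,
    createGrant_name,
    createGrant_keyId,
    createGrant_granteePrincipal,
    createGrant_operations,

    -- * Destructuring the Response
    CreateGrantResponse (..),
    newCreateGrantResponse,

    -- * Response Lenses
    createGrantResponse_grantId,
    createGrantResponse_grantToken,
    createGrantResponse_httpStatus,
  )
where

import qualified Amazonka.Core as Core
import Amazonka.KMS.Types
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

-- | /See:/ 'newCreateGrant' smart constructor.
data CreateGrant = CreateGrant'
  { -- | The principal that has permission to use the RetireGrant operation to
    -- retire the grant.
    --
    -- To specify the principal, use the
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)>
    -- of an Amazon Web Services principal. Valid Amazon Web Services
    -- principals include Amazon Web Services accounts (root), IAM users,
    -- federated users, and assumed role users. For examples of the ARN syntax
    -- to use for specifying a principal, see
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam Amazon Web Services Identity and Access Management (IAM)>
    -- in the Example ARNs section of the /Amazon Web Services General
    -- Reference/.
    --
    -- The grant determines the retiring principal. Other principals might have
    -- permission to retire the grant or revoke the grant. For details, see
    -- RevokeGrant and
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete Retiring and revoking grants>
    -- in the /Key Management Service Developer Guide/.
    retiringPrincipal :: Prelude.Maybe Prelude.Text,
    -- | A list of grant tokens.
    --
    -- Use a grant token when your permission to call this operation comes from
    -- a new grant that has not yet achieved /eventual consistency/. For more
    -- information, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
    -- and
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
    -- in the /Key Management Service Developer Guide/.
    grantTokens :: Prelude.Maybe [Prelude.Text],
    -- | Specifies a grant constraint.
    --
    -- KMS supports the @EncryptionContextEquals@ and @EncryptionContextSubset@
    -- grant constraints. Each constraint value can include up to 8 encryption
    -- context pairs. The encryption context value in each constraint cannot
    -- exceed 384 characters.
    --
    -- These grant constraints allow the permissions in the grant only when the
    -- encryption context in the request matches (@EncryptionContextEquals@) or
    -- includes (@EncryptionContextSubset@) the encryption context specified in
    -- this structure. For information about grant constraints, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints Using grant constraints>
    -- in the /Key Management Service Developer Guide/. For more information
    -- about encryption context, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
    -- in the /Key Management Service Developer Guide/.
    --
    -- The encryption context grant constraints are supported only on
    -- operations that include an encryption context. You cannot use an
    -- encryption context grant constraint for cryptographic operations with
    -- asymmetric KMS keys or for management operations, such as DescribeKey or
    -- RetireGrant.
    constraints :: Prelude.Maybe GrantConstraints,
    -- | A friendly name for the grant. Use this value to prevent the unintended
    -- creation of duplicate grants when retrying this request.
    --
    -- When this value is absent, all @CreateGrant@ requests result in a new
    -- grant with a unique @GrantId@ even if all the supplied parameters are
    -- identical. This can result in unintended duplicates when you retry the
    -- @CreateGrant@ request.
    --
    -- When this value is present, you can retry a @CreateGrant@ request with
    -- identical parameters; if the grant already exists, the original
    -- @GrantId@ is returned without creating a new grant. Note that the
    -- returned grant token is unique with every @CreateGrant@ request, even
    -- when a duplicate @GrantId@ is returned. All grant tokens for the same
    -- grant ID can be used interchangeably.
    name :: Prelude.Maybe Prelude.Text,
    -- | Identifies the KMS key for the grant. The grant gives principals
    -- permission to use this KMS key.
    --
    -- Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
    -- different Amazon Web Services account, you must use the key ARN.
    --
    -- For example:
    --
    -- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Key ARN:
    --     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- To get the key ID and key ARN for a KMS key, use ListKeys or
    -- DescribeKey.
    keyId :: Prelude.Text,
    -- | The identity that gets the permissions specified in the grant.
    --
    -- To specify the principal, use the
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)>
    -- of an Amazon Web Services principal. Valid Amazon Web Services
    -- principals include Amazon Web Services accounts (root), IAM users, IAM
    -- roles, federated users, and assumed role users. For examples of the ARN
    -- syntax to use for specifying a principal, see
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam Amazon Web Services Identity and Access Management (IAM)>
    -- in the Example ARNs section of the /Amazon Web Services General
    -- Reference/.
    granteePrincipal :: Prelude.Text,
    -- | A list of operations that the grant permits.
    --
    -- The operation must be supported on the KMS key. For example, you cannot
    -- create a grant for a symmetric KMS key that allows the Sign operation,
    -- or a grant for an asymmetric KMS key that allows the GenerateDataKey
    -- operation. If you try, KMS returns a @ValidationError@ exception. For
    -- details, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations Grant operations>
    -- in the /Key Management Service Developer Guide/.
    operations :: [GrantOperation]
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)

-- |
-- Create a value of 'CreateGrant' with all optional fields omitted.
--
-- The value built here has an empty 'operations' list and no
-- 'constraints', 'retiringPrincipal', 'grantTokens' or 'name'. Set
-- 'operations' to the smallest set of operations the grantee needs, and
-- set 'constraints' when the grant should apply only to requests that
-- carry a particular encryption context.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'retiringPrincipal', 'createGrant_retiringPrincipal' - The principal that has permission to use the RetireGrant operation to
-- retire the grant.
--
-- To specify the principal, use the
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)>
-- of an Amazon Web Services principal. Valid Amazon Web Services
-- principals include Amazon Web Services accounts (root), IAM users,
-- federated users, and assumed role users. For examples of the ARN syntax
-- to use for specifying a principal, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam Amazon Web Services Identity and Access Management (IAM)>
-- in the Example ARNs section of the /Amazon Web Services General
-- Reference/.
--
-- The grant determines the retiring principal. Other principals might have
-- permission to retire the grant or revoke the grant. For details, see
-- RevokeGrant and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete Retiring and revoking grants>
-- in the /Key Management Service Developer Guide/.
--
-- 'grantTokens', 'createGrant_grantTokens' - A list of grant tokens.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
--
-- 'constraints', 'createGrant_constraints' - Specifies a grant constraint.
--
-- KMS supports the @EncryptionContextEquals@ and @EncryptionContextSubset@
-- grant constraints. Each constraint value can include up to 8 encryption
-- context pairs. The encryption context value in each constraint cannot
-- exceed 384 characters.
--
-- These grant constraints allow the permissions in the grant only when the
-- encryption context in the request matches (@EncryptionContextEquals@) or
-- includes (@EncryptionContextSubset@) the encryption context specified in
-- this structure. For information about grant constraints, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints Using grant constraints>
-- in the /Key Management Service Developer Guide/. For more information
-- about encryption context, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
-- in the /Key Management Service Developer Guide/.
--
-- The encryption context grant constraints are supported only on
-- operations that include an encryption context. You cannot use an
-- encryption context grant constraint for cryptographic operations with
-- asymmetric KMS keys or for management operations, such as DescribeKey or
-- RetireGrant.
--
-- 'name', 'createGrant_name' - A friendly name for the grant. Use this value to prevent the unintended
-- creation of duplicate grants when retrying this request.
--
-- When this value is absent, all @CreateGrant@ requests result in a new
-- grant with a unique @GrantId@ even if all the supplied parameters are
-- identical. This can result in unintended duplicates when you retry the
-- @CreateGrant@ request.
--
-- When this value is present, you can retry a @CreateGrant@ request with
-- identical parameters; if the grant already exists, the original
-- @GrantId@ is returned without creating a new grant. Note that the
-- returned grant token is unique with every @CreateGrant@ request, even
-- when a duplicate @GrantId@ is returned. All grant tokens for the same
-- grant ID can be used interchangeably.
--
-- 'keyId', 'createGrant_keyId' - Identifies the KMS key for the grant. The grant gives principals
-- permission to use this KMS key.
--
-- Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
-- different Amazon Web Services account, you must use the key ARN.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey.
--
-- 'granteePrincipal', 'createGrant_granteePrincipal' - The identity that gets the permissions specified in the grant.
--
-- To specify the principal, use the
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)>
-- of an Amazon Web Services principal. Valid Amazon Web Services
-- principals include Amazon Web Services accounts (root), IAM users, IAM
-- roles, federated users, and assumed role users. For examples of the ARN
-- syntax to use for specifying a principal, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam Amazon Web Services Identity and Access Management (IAM)>
-- in the Example ARNs section of the /Amazon Web Services General
-- Reference/.
--
-- 'operations', 'createGrant_operations' - A list of operations that the grant permits.
--
-- The operation must be supported on the KMS key. For example, you cannot
-- create a grant for a symmetric KMS key that allows the Sign operation,
-- or a grant for an asymmetric KMS key that allows the GenerateDataKey
-- operation. If you try, KMS returns a @ValidationError@ exception. For
-- details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations Grant operations>
-- in the /Key Management Service Developer Guide/.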
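newCreateGrant ::
  -- | 'keyId'
  Prelude.Text ->
  -- | 'granteePrincipal'
  Prelude.Text ->
  CreateGrant
newCreateGrant pKeyId_ pGranteePrincipal_ =
  CreateGrant'
    { retiringPrincipal = Prelude.Nothing,
      grantTokens = Prelude.Nothing,
      -- No encryption-context constraint until the caller sets one with
      -- 'createGrant_constraints'.
      constraints = Prelude.Nothing,
      -- No name: per the 'name' field documentation, a retried request then
      -- results in a new grant rather than returning the existing one.
      name = Prelude.Nothing,
      keyId = pKeyId_,
      granteePrincipal = pGranteePrincipal_,
      -- Starts empty; the caller chooses the permitted operations with
      -- 'createGrant_operations'.
      operations = Prelude.mempty
    }

-- | The principal that has permission to use the RetireGrant operation to
-- retire the grant.
--
-- To specify the principal, use the
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)>
-- of an Amazon Web Services principal. Valid Amazon Web Services
-- principals include Amazon Web Services accounts (root), IAM users,
-- federated users, and assumed role users. For examples of the ARN syntax
-- to use for specifying a principal, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam Amazon Web Services Identity and Access Management (IAM)>
-- in the Example ARNs section of the /Amazon Web Services General
-- Reference/.
--
-- The grant determines the retiring principal. Other principals might have
-- permission to retire the grant or revoke the grant. For details, see
-- RevokeGrant and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete Retiring and revoking grants>
-- in the /Key Management Service Developer Guide/.
createGrant_retiringPrincipal :: Lens.Lens' CreateGrant (Prelude.Maybe Prelude.Text)
createGrant_retiringPrincipal =
  Lens.lens
    (\CreateGrant' {retiringPrincipal} -> retiringPrincipal)
    (\s@CreateGrant' {} a -> s {retiringPrincipal = a} :: CreateGrant)

-- | A list of grant tokens.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
createGrant_grantTokens :: Lens.Lens' CreateGrant (Prelude.Maybe [Prelude.Text])
createGrant_grantTokens =
  Lens.lens
    (\CreateGrant' {grantTokens} -> grantTokens)
    (\s@CreateGrant' {} a -> s {grantTokens = a} :: CreateGrant)
    Prelude.. Lens.mapping Lens.coerced

-- | Specifies a grant constraint.
--
-- KMS supports the @EncryptionContextEquals@ and @EncryptionContextSubset@
-- grant constraints. Each constraint value can include up to 8 encryption
-- context pairs. The encryption context value in each constraint cannot
-- exceed 384 characters.
--
-- These grant constraints allow the permissions in the grant only when the
-- encryption context in the request matches (@EncryptionContextEquals@) or
-- includes (@EncryptionContextSubset@) the encryption context specified in
-- this structure. For information about grant constraints, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints Using grant constraints>
-- in the /Key Management Service Developer Guide/. For more information
-- about encryption context, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context Encryption Context>
-- in the /Key Management Service Developer Guide/.
--
-- The encryption context grant constraints are supported only on
-- operations that include an encryption context. You cannot use an
-- encryption context grant constraint for cryptographic operations with
-- asymmetric KMS keys or for management operations, such as DescribeKey or
-- RetireGrant.
createGrant_constraints :: Lens.Lens' CreateGrant (Prelude.Maybe GrantConstraints)
createGrant_constraints =
  Lens.lens
    (\CreateGrant' {constraints} -> constraints)
    (\s@CreateGrant' {} a -> s {constraints = a} :: CreateGrant)

-- | A friendly name for the grant. Use this value to prevent the unintended
-- creation of duplicate grants when retrying this request.
--
-- When this value is absent, all @CreateGrant@ requests result in a new
-- grant with a unique @GrantId@ even if all the supplied parameters are
-- identical. This can result in unintended duplicates when you retry the
-- @CreateGrant@ request.
--
-- When this value is present, you can retry a @CreateGrant@ request with
-- identical parameters; if the grant already exists, the original
-- @GrantId@ is returned without creating a new grant. Note that the
-- returned grant token is unique with every @CreateGrant@ request, even
-- when a duplicate @GrantId@ is returned. All grant tokens for the same
-- grant ID can be used interchangeably.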
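createGrant_name :: Lens.Lens' CreateGrant (Prelude.Maybe Prelude.Text)
createGrant_name =
  Lens.lens
    (\CreateGrant' {name} -> name)
    (\s@CreateGrant' {} a -> s {name = a} :: CreateGrant)

-- | Identifies the KMS key for the grant. The grant gives principals
-- permission to use this KMS key.
--
-- Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
-- different Amazon Web Services account, you must use the key ARN.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey.
createGrant_keyId :: Lens.Lens' CreateGrant Prelude.Text
createGrant_keyId =
  Lens.lens
    (\CreateGrant' {keyId} -> keyId)
    (\s@CreateGrant' {} a -> s {keyId = a} :: CreateGrant)

-- | The identity that gets the permissions specified in the grant.
--
-- To specify the principal, use the
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)>
-- of an Amazon Web Services principal. Valid Amazon Web Services
-- principals include Amazon Web Services accounts (root), IAM users, IAM
-- roles, federated users, and assumed role users. For examples of the ARN
-- syntax to use for specifying a principal, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam Amazon Web Services Identity and Access Management (IAM)>
-- in the Example ARNs section of the /Amazon Web Services General
-- Reference/.
createGrant_granteePrincipal :: Lens.Lens' CreateGrant Prelude.Text
createGrant_granteePrincipal =
  Lens.lens
    (\CreateGrant' {granteePrincipal} -> granteePrincipal)
    (\s@CreateGrant' {} a -> s {granteePrincipal = a} :: CreateGrant)

-- | A list of operations that the grant permits.
--
-- The operation must be supported on the KMS key. For example, you cannot
-- create a grant for a symmetric KMS key that allows the Sign operation,
-- or a grant for an asymmetric KMS key that allows the GenerateDataKey
-- operation. If you try, KMS returns a @ValidationError@ exception. For
-- details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations Grant operations>
-- in the /Key Management Service Developer Guide/.
createGrant_operations :: Lens.Lens' CreateGrant [GrantOperation]
createGrant_operations =
  Lens.lens
    (\CreateGrant' {operations} -> operations)
    (\s@CreateGrant' {} a -> s {operations = a} :: CreateGrant)
    Prelude.. Lens.coerced

instance Core.AWSRequest CreateGrant where
  type AWSResponse CreateGrant = CreateGrantResponse

  -- The request is sent as a JSON POST using 'defaultService'.
  request = Request.postJSON defaultService

  -- @GrantId@ and @GrantToken@ are both read as optional fields, so a
  -- caller receives 'Prelude.Maybe' values for them and has to handle
  -- their absence; the HTTP status is passed through as an 'Prelude.Int'.
  response =
    Response.receiveJSON
      ( \s h x ->
          CreateGrantResponse'
            Prelude.<$> (x Core..?> "GrantId")
            Prelude.<*> (x Core..?> "GrantToken")
            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
      )

instance Prelude.Hashable CreateGrant

instance Prelude.NFData CreateGrant

instance Core.ToHeaders CreateGrant where
  -- The headers are constant: they do not depend on the request value.
  toHeaders =
    Prelude.const
      ( Prelude.mconcat
          [ "X-Amz-Target"
              Core.=# ("TrentService.CreateGrant" :: Prelude.ByteString),
            "Content-Type"
              Core.=# ( "application/x-amz-json-1.1" ::
                          Prelude.ByteString
                      )
          ]
      )

instance Core.ToJSON CreateGrant where
  -- Optional fields that are 'Prelude.Nothing' are left out of the body.
  -- @KeyId@, @GranteePrincipal@ and @Operations@ are always included, so
  -- an 'operations' list that was never set is still sent as it stands.
  toJSON CreateGrant' {..} =
    Core.object
      ( Prelude.catMaybes
          [ ("RetiringPrincipal" Core..=)
              Prelude.<$> retiringPrincipal,
            ("GrantTokens" Core..=) Prelude.<$> grantTokens,
            ("Constraints" Core..=) Prelude.<$> constraints,
            ("Name" Core..=) Prelude.<$> name,
            Prelude.Just ("KeyId" Core..= keyId),
            Prelude.Just
              ("GranteePrincipal" Core..= granteePrincipal),
            Prelude.Just ("Operations" Core..= operations)
          ]
      )

instance Core.ToPath CreateGrant where
  toPath = Prelude.const "/"

instance Core.ToQuery CreateGrant where
  toQuery = Prelude.const Prelude.mempty

-- | /See:/ 'newCreateGrantResponse' smart constructor.
data CreateGrantResponse = CreateGrantResponse'
  { -- | The unique identifier for the grant.
    --
    -- You can use the @GrantId@ in a ListGrants, RetireGrant, or RevokeGrant
    -- operation.
    grantId :: Prelude.Maybe Prelude.Text,
    -- | The grant token.
    --
    -- Use a grant token when your permission to call this operation comes from
    -- a new grant that has not yet achieved /eventual consistency/.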
For more -- information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token> -- and -- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token> -- in the /Key Management Service Developer Guide/. CreateGrantResponse -> Maybe Text grantToken :: Prelude.Maybe Prelude.Text, -- | The response's http status code. CreateGrantResponse -> Int httpStatus :: Prelude.Int } deriving (CreateGrantResponse -> CreateGrantResponse -> Bool (CreateGrantResponse -> CreateGrantResponse -> Bool) -> (CreateGrantResponse -> CreateGrantResponse -> Bool) -> Eq CreateGrantResponse forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: CreateGrantResponse -> CreateGrantResponse -> Bool $c/= :: CreateGrantResponse -> CreateGrantResponse -> Bool == :: CreateGrantResponse -> CreateGrantResponse -> Bool $c== :: CreateGrantResponse -> CreateGrantResponse -> Bool Prelude.Eq, ReadPrec [CreateGrantResponse] ReadPrec CreateGrantResponse Int -> ReadS CreateGrantResponse ReadS [CreateGrantResponse] (Int -> ReadS CreateGrantResponse) -> ReadS [CreateGrantResponse] -> ReadPrec CreateGrantResponse -> ReadPrec [CreateGrantResponse] -> Read CreateGrantResponse forall a. (Int -> ReadS a) -> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a readListPrec :: ReadPrec [CreateGrantResponse] $creadListPrec :: ReadPrec [CreateGrantResponse] readPrec :: ReadPrec CreateGrantResponse $creadPrec :: ReadPrec CreateGrantResponse readList :: ReadS [CreateGrantResponse] $creadList :: ReadS [CreateGrantResponse] readsPrec :: Int -> ReadS CreateGrantResponse $creadsPrec :: Int -> ReadS CreateGrantResponse Prelude.Read, Int -> CreateGrantResponse -> ShowS [CreateGrantResponse] -> ShowS CreateGrantResponse -> String (Int -> CreateGrantResponse -> ShowS) -> (CreateGrantResponse -> String) -> ([CreateGrantResponse] -> ShowS) -> Show CreateGrantResponse forall a. 
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [CreateGrantResponse] -> ShowS $cshowList :: [CreateGrantResponse] -> ShowS show :: CreateGrantResponse -> String $cshow :: CreateGrantResponse -> String showsPrec :: Int -> CreateGrantResponse -> ShowS $cshowsPrec :: Int -> CreateGrantResponse -> ShowS Prelude.Show, (forall x. CreateGrantResponse -> Rep CreateGrantResponse x) -> (forall x. Rep CreateGrantResponse x -> CreateGrantResponse) -> Generic CreateGrantResponse forall x. Rep CreateGrantResponse x -> CreateGrantResponse forall x. CreateGrantResponse -> Rep CreateGrantResponse x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep CreateGrantResponse x -> CreateGrantResponse $cfrom :: forall x. CreateGrantResponse -> Rep CreateGrantResponse x Prelude.Generic) -- | -- Create a value of 'CreateGrantResponse' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'grantId', 'createGrantResponse_grantId' - The unique identifier for the grant. -- -- You can use the @GrantId@ in a ListGrants, RetireGrant, or RevokeGrant -- operation. -- -- 'grantToken', 'createGrantResponse_grantToken' - The grant token. -- -- Use a grant token when your permission to call this operation comes from -- a new grant that has not yet achieved /eventual consistency/. For more -- information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token> -- and -- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token> -- in the /Key Management Service Developer Guide/. -- -- 'httpStatus', 'createGrantResponse_httpStatus' - The response's http status code. 
newCreateGrantResponse ::
  -- | 'httpStatus'
  Prelude.Int ->
  CreateGrantResponse
newCreateGrantResponse statusCode =
  -- Only the status code is supplied; both grant identifiers start out
  -- absent and are filled in through the lenses or a record update.
  CreateGrantResponse'
    { httpStatus = statusCode,
      grantId = Prelude.Nothing,
      grantToken = Prelude.Nothing
    }

-- | The unique identifier for the grant.
--
-- You can use the @GrantId@ in a ListGrants, RetireGrant, or RevokeGrant
-- operation.
--
-- The focused value is a 'Prelude.Maybe'; handle 'Prelude.Nothing' before
-- passing the id on to a later RetireGrant or RevokeGrant call.
createGrantResponse_grantId :: Lens.Lens' CreateGrantResponse (Prelude.Maybe Prelude.Text)
createGrantResponse_grantId = Lens.lens readId writeId
  where
    -- Matching on the constructor picks out the field of this record.
    readId CreateGrantResponse' {grantId = current} = current
    -- The annotation on the update names the record type being updated.
    writeId resp@CreateGrantResponse' {} new =
      resp {grantId = new} :: CreateGrantResponse

-- | The grant token.
--
-- Use a grant token when your permission to call this operation comes from
-- a new grant that has not yet achieved /eventual consistency/. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token Grant token>
-- and
-- <https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token Using a grant token>
-- in the /Key Management Service Developer Guide/.
createGrantResponse_grantToken :: Lens.Lens' CreateGrantResponse (Prelude.Maybe Prelude.Text)
createGrantResponse_grantToken = Lens.lens readToken writeToken
  where
    -- Matching on the constructor picks out the field of this record.
    readToken CreateGrantResponse' {grantToken = current} = current
    -- The annotation on the update names the record type being updated.
    writeToken resp@CreateGrantResponse' {} new =
      resp {grantToken = new} :: CreateGrantResponse

-- | The response's http status code.
createGrantResponse_httpStatus :: Lens.Lens' CreateGrantResponse Prelude.Int
createGrantResponse_httpStatus = Lens.lens readStatus writeStatus
  where
    readStatus CreateGrantResponse' {httpStatus = current} = current
    writeStatus resp@CreateGrantResponse' {} new =
      resp {httpStatus = new} :: CreateGrantResponse

instance Prelude.NFData CreateGrantResponse