KmsGrantConfiguration - IAM Access Analyzer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


A proposed grant configuration for a KMS key. For more information, see CreateGrant.



The principal that is given permission to perform the operations that the grant permits.

Type: String

Required: Yes


The Amazon Web Services account under which the grant was issued. The account is used to propose Amazon KMS grants issued by accounts other than the owner of the key.

Type: String

Required: Yes


A list of operations that the grant permits.

Type: Array of strings

Valid Values: CreateGrant | Decrypt | DescribeKey | Encrypt | GenerateDataKey | GenerateDataKeyPair | GenerateDataKeyPairWithoutPlaintext | GenerateDataKeyWithoutPlaintext | GetPublicKey | ReEncryptFrom | ReEncryptTo | RetireGrant | Sign | Verify

Required: Yes


Use this structure to propose allowing cryptographic operations in the grant only when the operation request includes the specified encryption context.

Type: KmsGrantConstraints object

Required: No


The principal that is given permission to retire the grant by using RetireGrant operation.

Type: String

Required: No

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: