Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Use RetireGrant with an Amazon SDK or CLI
The following code examples show how to use RetireGrant.
Amazon CLI
To retire a grant on a customer master key
The following retire-grant example deletes a grant from a KMS key.
The following example command specifies the grant-id and the key-id parameters. The value of the key-id parameter must be the key ARN of the KMS key.
aws kms retire-grant \
    --grant-id 1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3 \
    --key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
This command produces no output. To confirm that the grant was retired, use the list-grants command.
For more information, see Retiring and revoking grants in the Amazon Key Management Service Developer Guide.
SDK for Python (Boto3)
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class GrantManager:
    def __init__(self, kms_client):
        # kms_client: a Boto3 KMS client.
        self.kms_client = kms_client

    def retire_grant(self, grant):
        """
        Retires a grant so that it can no longer be used.

        :param grant: The grant to retire.
        """
        try:
            # The grant is identified here by its grant token.
            self.kms_client.retire_grant(GrantToken=grant["GrantToken"])
        except ClientError as err:
            logger.error(
                "Couldn't retire grant %s. Here's why: %s",
                grant["GrantId"],
                err.response["Error"]["Message"],
            )
        else:
            print(f"Grant {grant['GrantId']} retired.")
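Because RetireGrant returns nothing, the following added example (not part of the Amazon documentation's own code) retires a grant by key ARN and grant ID, then pages through list_grants to confirm it is gone. The names retire_and_verify, grant_exists and FakeKms are hypothetical, and FakeKms with its grant IDs is a constructed in-memory stand-in so the example runs offline; pass a real Boto3 KMS client in its place.

```python
import re

# Key ARN shape, e.g. arn:aws:kms:us-west-2:111122223333:key/<key-id>
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")


def grant_exists(kms_client, key_arn, grant_id):
    """Page through list_grants and report whether grant_id is still present."""
    kwargs = {"KeyId": key_arn}
    while True:
        page = kms_client.list_grants(**kwargs)
        if any(g["GrantId"] == grant_id for g in page.get("Grants", [])):
            return True
        if not page.get("Truncated"):
            return False
        kwargs["Marker"] = page["NextMarker"]  # continue from the next page


def retire_and_verify(kms_client, key_arn, grant_id):
    """Retire a grant by key ARN + grant ID, then confirm it is gone."""
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError("RetireGrant needs the key ARN, not a bare key ID or alias")
    kms_client.retire_grant(KeyId=key_arn, GrantId=grant_id)
    return not grant_exists(kms_client, key_arn, grant_id)


class FakeKms:
    """Constructed in-memory stand-in for a KMS client (one grant per page)."""

    def __init__(self, grant_ids):
        self.grant_ids = list(grant_ids)

    def list_grants(self, KeyId, Marker=None):
        i = int(Marker or 0)
        page = {"Grants": [{"GrantId": g} for g in self.grant_ids[i:i + 1]]}
        if i + 1 < len(self.grant_ids):
            page.update(Truncated=True, NextMarker=str(i + 1))
        else:
            page["Truncated"] = False
        return page

    def retire_grant(self, KeyId, GrantId):
        self.grant_ids.remove(GrantId)


if __name__ == "__main__":
    arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    fake = FakeKms(["aaa", "bbb", "ccc"])  # constructed grant IDs
    print(retire_and_verify(fake, arn, "ccc"))
```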
For a complete list of Amazon SDK developer guides and code examples, see Using Amazon KMS with an Amazon SDK.
This topic also includes information about getting started and details about previous SDK versions.