Use RevokeGrant
with an Amazon SDK or CLI
The following code examples show how to use RevokeGrant
.
- CLI
-
- Amazon CLI
-
To revoke a grant on a customer master key
The following
revoke-grant
example deletes a grant from a KMS key. The following example command specifies thegrant-id
and thekey-id
parameters. The value of thekey-id
parameter can be the key ID or key ARN of the KMS key.aws kms revoke-grant \ --grant-id
1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3
\ --key-id1234abcd-12ab-34cd-56ef-1234567890ab
This command produces no output. To confirm that the grant was revoked, use the
list-grants
command.For more information, see Retiring and revoking grants
in the Amazon Key Management Service Developer Guide. -
For API details, see RevokeGrant
in Amazon CLI Command Reference.
-
- Java
-
- SDK for Java 2.x
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository
. /** * Revokes a grant for the specified AWS KMS key asynchronously. * * @param keyId The ID or key ARN of the AWS KMS key. * @param grantId The identifier of the grant to be revoked. * @return A {@link CompletableFuture} representing the asynchronous operation of revoking the grant. * The {@link CompletableFuture} will complete with a {@link RevokeGrantResponse} object * if the operation is successful, or with a {@code null} value if an error occurs. */ public CompletableFuture<RevokeGrantResponse> revokeKeyGrantAsync(String keyId, String grantId) { RevokeGrantRequest grantRequest = RevokeGrantRequest.builder() .keyId(keyId) .grantId(grantId) .build(); CompletableFuture<RevokeGrantResponse> responseFuture = getAsyncClient().revokeGrant(grantRequest); responseFuture.whenComplete((response, exception) -> { if (exception == null) { logger.info("Grant ID: [" + grantId + "] was successfully revoked!"); } else { if (exception instanceof KmsException kmsEx) { if (kmsEx.getMessage().contains("Grant does not exist")) { logger.info("The grant ID '" + grantId + "' does not exist. Moving on..."); } else { throw new RuntimeException("KMS error occurred: " + kmsEx.getMessage(), kmsEx); } } else { throw new RuntimeException("An unexpected error occurred: " + exception.getMessage(), exception); } } }); return responseFuture; }
-
For API details, see RevokeGrant in Amazon SDK for Java 2.x API Reference.
-
- Python
-
- SDK for Python (Boto3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository
. class GrantManager: def __init__(self, kms_client): self.kms_client = kms_client def revoke_grant(self, key_id, grant): """ Revokes a grant so that it can no longer be used. :param key_id: The ARN or ID of the key associated with the grant. :param grant: The grant to revoke. """ try: self.kms_client.revoke_grant(KeyId=key_id, GrantId=grant["GrantId"]) except ClientError as err: logger.error( "Couldn't revoke grant %s. Here's why: %s", grant["GrantId"], err.response["Error"]["Message"], ) else: print(f"Grant {grant['GrantId']} revoked.")
-
For API details, see RevokeGrant in Amazon SDK for Python (Boto3) API Reference.
-
For a complete list of Amazon SDK developer guides and code examples, see Using Amazon KMS with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.