ListRetirableGrants - AWS Key Management Service
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

ListRetirableGrants

Returns all grants in which the specified principal is the RetiringPrincipal in the grant.

You can specify any principal in your AWS account. The grants that are returned include grants for CMKs in your AWS account and other AWS accounts.

You might use this operation to determine which grants you may retire. To retire a grant, use the RetireGrant operation.

Cross-account use: You must specify a principal in your AWS account. However, this operation can return grants in any AWS account. You do not need kms:ListRetirableGrants permission (or any other additional permission) in any AWS account other than your own.

Required permissions: kms:ListRetirableGrants (IAM policy) in your AWS account.

Related operations:

Request Syntax

{ "Limit": number, "Marker": "string", "RetiringPrincipal": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Note

In the following list, the required parameters are described first.

RetiringPrincipal

The retiring principal for which to list grants. Enter a principal in your AWS account.

To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the Amazon Web Services General Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[\w+=,.@:/-]+$

Required: Yes

Limit

Use this parameter to specify the maximum number of items to return. When this value is present, AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

Marker

Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextMarker from the truncated response you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax

{ "Grants": [ { "Constraints": { "EncryptionContextEquals": { "string" : "string" }, "EncryptionContextSubset": { "string" : "string" } }, "CreationDate": number, "GranteePrincipal": "string", "GrantId": "string", "IssuingAccount": "string", "KeyId": "string", "Name": "string", "Operations": [ "string" ], "RetiringPrincipal": "string" } ], "NextMarker": "string", "Truncated": boolean }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Grants

A list of grants.

Type: Array of GrantListEntry objects

NextMarker

When Truncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Truncated

A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

Type: Boolean

Errors

For information about the errors that are common to all actions, see Common Errors.

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

InvalidArnException

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

HTTP Status Code: 400

InvalidMarkerException

The request was rejected because the marker that specifies where pagination should next begin is not valid.

HTTP Status Code: 400

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 500

NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

Examples

The following examples are formatted for legibility.

Example Request

POST / HTTP/1.1 Host: kms.us-east-2.amazonaws.com Content-Length: 61 X-Amz-Target: TrentService.ListRetirableGrants X-Amz-Date: 20161207T191040Z Content-Type: application/x-amz-json-1.1 Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161207/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=d5e43f0cfd75a3251f40bc27e76f83b3110b33e3d972142ae118b2b3c0f67b39 {"RetiringPrincipal": "arn:aws:iam::111122223333:role/ExampleRole"}

Example Response

HTTP/1.1 200 OK Server: Server Date: Wed, 07 Dec 2016 19:10:41 GMT Content-Type: application/x-amz-json-1.1 Content-Length: 436 Connection: keep-alive x-amzn-RequestId: d86125dc-bcb0-11e6-82b3-e9e4af764a06 { "Grants": [ { "CreationDate": 1.481137775E9, "GrantId": "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60", "GranteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole", "IssuingAccount": "arn:aws:iam::444455556666:root", "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "", "Operations": [ "Decrypt", "Encrypt" ], "RetiringPrincipal": "arn:aws:iam::111122223333:role/ExampleRole" } ], "Truncated": false }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: