ikan Uploader :
Directory : /usr/share/doc/awscli/examples/kms/
Upload File : |
| Current File : //usr/share/doc/awscli/examples/kms/create-grant.rst |
**To create a grant**
The following ``create-grant`` example creates a grant that allows the ``exampleUser`` user to use the ``decrypt`` command on the ``1234abcd-12ab-34cd-56ef-1234567890ab`` example CMK. The retiring principal is the ``adminRole`` role. The grant uses the ``EncryptionContextSubset`` grant constraint to allow this permission only when the encryption context in the ``decrypt`` request includes the "Department": "IT" key-value pair. ::
aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
--operations Decrypt \
--constraints EncryptionContextSubset={Department=IT} \
--retiring-principal arn:aws:iam::123456789012:role/adminRole
The output of this command includes the ID of the new grant and a grant token. You can use the ID and token to identify the grant to other AWS KMS CLI commands, including ``retire-grant`` and ``revoke-grant``. ::
{
"GrantId": "1a2b3c4d2f5e69f440bae30eaec9570bb1fb7358824f9ddfa1aa5a0dab1a59b2",
"GrantToken": "<grant token here>"
}
To view detailed information about the grant, use the ``list-grants`` command.
For more information, see `Using Grants <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html>`__ in the *AWS Key Management Service Developer Guide*.
Kontol Shell Bypass