revoke_grant
- KMS.Client.revoke_grant(**kwargs)
Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more information, see Retiring and revoking grants in the Key Management Service Developer Guide.
When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. For details, see Eventual consistency in the Key Management Service Developer Guide.
For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.
Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.
Required permissions: kms:RevokeGrant (key policy).
Related operations:
CreateGrant
ListGrants
ListRetirableGrants
RetireGrant
See also: AWS API Documentation
Request Syntax
response = client.revoke_grant(
    KeyId='string',
    GrantId='string'
)
- Parameters:
KeyId (string) –
[REQUIRED]
A unique identifier for the KMS key associated with the grant. To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN.
For example:
Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
GrantId (string) –
[REQUIRED]
Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.
- Returns:
None
Exceptions
KMS.Client.exceptions.NotFoundException
KMS.Client.exceptions.DependencyTimeoutException
KMS.Client.exceptions.InvalidArnException
KMS.Client.exceptions.InvalidGrantIdException
KMS.Client.exceptions.KMSInternalException
KMS.Client.exceptions.KMSInvalidStateException
Examples
The following example revokes a grant.
response = client.revoke_grant(
    # The identifier of the grant to revoke.
    GrantId='0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60',
    # The identifier of the KMS key associated with the grant. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
)

print(response)
Expected Output:
{
    'ResponseMetadata': {
        '...': '...',
    },
}
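The following is an added example, not part of the boto3 documentation: it revokes every grant on a key that was issued to one grantee principal, then polls ListGrants to account for the eventual-consistency delay described above. The function names, the polling defaults and the `StubKMS` class are assumptions of this example, as is treating absence from ListGrants as the confirmation signal; with a real client, pass `boto3.client('kms')` instead of the stub.

```python
import time

def list_grant_ids(client, key_id, grantee_arn):
    """IDs of all grants on key_id issued to grantee_arn (follows pagination)."""
    ids, kwargs = [], {"KeyId": key_id, "GranteePrincipal": grantee_arn}
    while True:
        page = client.list_grants(**kwargs)
        ids += [g["GrantId"] for g in page.get("Grants", [])]
        if not page.get("Truncated"):
            return ids
        kwargs["Marker"] = page["NextMarker"]

def revoke_grants_for_principal(client, key_id, grantee_arn,
                                wait_seconds=300, poll_interval=15, sleep=time.sleep):
    """Revoke every grant issued to grantee_arn, then poll ListGrants until
    they stop being returned. Returns (revoked_ids, still_listed_ids); a
    non-empty second list means revocation was not confirmed in wait_seconds."""
    revoked = list_grant_ids(client, key_id, grantee_arn)
    for grant_id in revoked:
        client.revoke_grant(KeyId=key_id, GrantId=grant_id)
    waited = 0
    while True:
        listed = list_grant_ids(client, key_id, grantee_arn)
        still_listed = [g for g in listed if g in revoked]
        if not still_listed or waited >= wait_seconds:
            return revoked, still_listed
        sleep(poll_interval)
        waited += poll_interval

class StubKMS:
    """Constructed stand-in for boto3.client("kms"), for offline runs: a revoked
    grant stays listed for `lag` more listings, imitating the propagation delay."""
    def __init__(self, grants, lag=2):
        self.grants, self.lag, self.pending = dict(grants), lag, {}

    def revoke_grant(self, KeyId, GrantId):
        self.pending[GrantId] = self.lag

    def list_grants(self, KeyId, GranteePrincipal, Marker=None):
        if Marker is None:  # one propagation tick per fresh listing
            for gid in list(self.pending):
                self.pending[gid] -= 1
                if self.pending[gid] < 0:
                    del self.pending[gid], self.grants[gid]
        ids = sorted(g for g, p in self.grants.items() if p == GranteePrincipal)
        start = ids.index(Marker) if Marker else 0
        more = start + 1 < len(ids)  # page size 1, to exercise pagination
        out = {"Grants": [{"GrantId": g} for g in ids[start:start + 1]], "Truncated": more}
        return {**out, "NextMarker": ids[start + 1]} if more else out
```

A non-empty second return value is the case to alert on: the grants were revoked but were still listed when the wait expired.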