retire_grant

KMS.Client.retire_grant(**kwargs)
Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.

This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.

Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.

Required permissions: Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

Related operations:
- CreateGrant
- ListGrants
- ListRetirableGrants
- RevokeGrant

See also: AWS API Documentation

Request Syntax

    response = client.retire_grant(
        GrantToken='string',
        KeyId='string',
        GrantId='string',
        DryRun=True|False
    )

Parameters:
- GrantToken (string) –
  Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.

  Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide.

- KeyId (string) –
  The key ARN of the KMS key associated with the grant. To find the key ARN, use the ListKeys operation.

  For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

- GrantId (string) –
  Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.

  Grant ID example: 0123456789012345678901234567890123456789012345678901234567890123

- DryRun (boolean) –
  Checks if your request will succeed. DryRun is an optional parameter.

  To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

- Returns:
- None 

Exceptions
- KMS.Client.exceptions.InvalidArnException
- KMS.Client.exceptions.InvalidGrantTokenException
- KMS.Client.exceptions.InvalidGrantIdException
- KMS.Client.exceptions.NotFoundException
- KMS.Client.exceptions.DependencyTimeoutException
- KMS.Client.exceptions.KMSInternalException
- KMS.Client.exceptions.KMSInvalidStateException
- KMS.Client.exceptions.DryRunOperationException

Examples

The following example retires a grant.

    import boto3

    # Create a KMS client using the default credentials and region.
    client = boto3.client('kms')

    response = client.retire_grant(
        # The identifier of the grant to retire.
        GrantId='0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60',
        # The Amazon Resource Name (ARN) of the KMS key associated with the grant.
        KeyId='arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab',
    )

    print(response)

Expected Output:

    {
        'ResponseMetadata': {
            '...': '...',
        },
    }
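
A wrapper that enforces the identification rule described above (a grant token, or key ARN plus grant ID) and can test a retirement with DryRun before performing it. This is an added example, not part of the boto3 documentation. `StubKMS`, `grant_selector` and `retire_grant_checked` are hypothetical names; the stub stands in for `boto3.client('kms')` so the block runs offline, and it assumes KMS reports a dry run that would have succeeded as `DryRunOperationException`.

```python
class StubKMS:
    """Constructed stand-in for boto3.client('kms') so this runs offline."""

    class exceptions:
        class DryRunOperationException(Exception):
            pass

    def __init__(self):
        self.calls = []

    def retire_grant(self, **kwargs):
        self.calls.append(kwargs)
        if kwargs.get("DryRun"):
            # Assumed KMS behaviour: a dry run that would succeed raises this.
            raise self.exceptions.DryRunOperationException()
        return {"ResponseMetadata": {}}


def grant_selector(grant_token=None, key_arn=None, grant_id=None):
    """Return the identifying arguments: a grant token, or key ARN plus grant ID."""
    if grant_token:
        if key_arn or grant_id:
            # Design choice of this example: refuse ambiguous identification.
            raise ValueError("pass a grant token or KeyId + GrantId, not both")
        return {"GrantToken": grant_token}
    if not (key_arn and grant_id):
        raise ValueError("KeyId and GrantId must be supplied together")
    # Light sanity check only; KMS performs the real validation.
    if not (key_arn.startswith("arn:") and ":kms:" in key_arn and ":key/" in key_arn):
        raise ValueError("KeyId must be a key ARN")
    return {"KeyId": key_arn, "GrantId": grant_id}


def retire_grant_checked(client, dry_run=False, **ident):
    """Retire one grant, or with dry_run=True only test that the call would work."""
    args = grant_selector(**ident)
    if not dry_run:
        client.retire_grant(**args)
        return "retired"
    try:
        client.retire_grant(DryRun=True, **args)
    except client.exceptions.DryRunOperationException:
        return "would-retire"  # authorised and well-formed; nothing was deleted
    return "unexpected"  # a dry run is not expected to return normally
```

With a real client, any other exception from the dry run (for example NotFoundException) propagates to the caller before anything is retired.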