AWS CLI Command Reference

[ aws . kms ]

list-retirable-grants

Description

Returns a list of all grants for which the grant’s RetiringPrincipal matches the one specified.

A typical use is to list all grants that you are able to retire. To retire a grant, use RetireGrant .

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  list-retirable-grants
[--limit <value>]
[--marker <value>]
--retiring-principal <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]

Options

--limit (integer)

Use this parameter to specify the maximum number of items to return. When this value is present, AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.

--marker (string)

Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextMarker from the truncated response you just received.

--retiring-principal (string)

The retiring principal for which to list grants.

To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. For examples of the ARN syntax for specifying a principal, see AWS Identity and Access Management (IAM) in the Example ARNs section of the Amazon Web Services General Reference .

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

--cli-auto-prompt (boolean) Automatically prompt for CLI input parameters.

See ‘aws help’ for descriptions of global parameters.

Output

Grants -> (list)

A list of grants.

(structure)

Contains information about a grant.

KeyId -> (string)

The unique identifier for the customer master key (CMK) to which the grant applies.

GrantId -> (string)

The unique identifier for the grant.

Name -> (string)

The friendly name that identifies the grant. If a name was provided in the CreateGrant request, that name is returned. Otherwise this value is null.

CreationDate -> (timestamp)

The date and time when the grant was created.

GranteePrincipal -> (string)

The identity that gets the permissions in the grant.

The GranteePrincipal field in the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, when the grantee principal in the grant is an AWS service, the GranteePrincipal field contains the service principal , which might represent several different grantee principals.

RetiringPrincipal -> (string)

The principal that can retire the grant.

IssuingAccount -> (string)

The AWS account under which the grant was issued.

Operations -> (list)

The list of operations permitted by the grant.

(string)

Constraints -> (structure)

A list of key-value pairs that must be present in the encryption context of certain subsequent operations that the grant allows.

EncryptionContextSubset -> (map)

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

key -> (string)

value -> (string)

EncryptionContextEquals -> (map)

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

key -> (string)

value -> (string)

NextMarker -> (string)

When Truncated is true, this element is present and contains the value to use for the Marker parameter in a subsequent request.

Truncated -> (boolean)

A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

© Copyright 2018, Amazon Web Services. Created using Sphinx.