retire-grant¶
Description¶
Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token , or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.
This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account (root user) in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking grants in the Key Management Service Developer Guide .
For detailed information about grants, including grant terminology, see Using grants in the * Key Management Service Developer Guide * . For examples of working with grants in several programming languages, see Programming grants .
Cross-account use : Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.
Required permissions: :Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide .
Related operations:
CreateGrant
ListGrants
ListRetirableGrants
RevokeGrant
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
Synopsis¶
retire-grant
[--grant-token <value>]
[--key-id <value>]
[--grant-id <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
Options¶
--grant-token (string)
Identifies the grant to be retired. You can use a grant token to identify a new grant even before it has achieved eventual consistency.
Only the CreateGrant operation returns a grant token. For details, see Grant token and Eventual consistency in the Key Management Service Developer Guide .
--key-id (string)
The key ARN KMS key associated with the grant. To find the key ARN, use the ListKeys operation.
For example:
arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
--grant-id (string)
Identifies the grant to retire. To get the grant ID, use CreateGrant , ListGrants , or ListRetirableGrants .
Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
Examples¶
To retire a grant on a customer master key
The following retire-grant example deletes a grant from a CMK.
The following example command specifies the grant-id and the key-id parameters. The value of the key-id parameter must be the Amazon Resource Name (ARN) of the CMK.
aws kms retire-grant \
--grant-id 1234a2345b8a4e350500d432bccf8ecd6506710e1391880c4f7f7140160c9af3 \
--key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
This command produces no output. To confirm that the grant was retired, use the list-grants command.
For more information, see Using Grants in the AWS Key Management Service Developer Guide.
Output¶
None