KMS / Client / list_grants
list_grants¶
- KMS.Client.list_grants(**kwargs)¶
Gets a list of all grants for the specified KMS key.
You must specify the KMS key in all requests. You can filter the grant list by grant ID, grantee principal, or grantee service principal.
For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide . For examples of creating grants in several programming languages, see Use CreateGrant with an Amazon Web Services SDK or CLI.
Note
When a grant is created with the
GranteePrincipalfield, theListGrantsresponse usually contains the user or role designated as the grantee principal in the grant. However, if the grantee principal is an Amazon Web Services service, theGranteePrincipalfield contains an Amazon Web Services service principal, which might correspond to several different grantee principals, such as an IAM user, IAM role, or Amazon Web Services account.When a grant is created with the
GranteeServicePrincipalfield, theListGrantsresponse always includes aGranteeServicePrincipalthat indicates the grantee is actually an Amazon Web Services service principal.Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the
KeyIdparameter.Required permissions: kms:ListGrants (key policy)
Related operations:
CreateGrant
ListRetirableGrants
RetireGrant
RevokeGrant
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
See also: AWS API Documentation
Request Syntax
response = client.list_grants( Limit=123, Marker='string', KeyId='string', GrantId='string', GranteePrincipal='string', GranteeServicePrincipal='string' )
- Parameters:
Limit (integer) –
Use this parameter to specify the maximum number of items to return. When this value is present, KMS does not return more than the specified number of items, but it might return fewer.
This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do not include a value, it defaults to 50.
Marker (string) – Use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of
NextMarkerfrom the truncated response you just received.KeyId (string) –
[REQUIRED]
Returns only grants for the specified KMS key. This parameter is required.
Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN.
For example:
Key ID:
1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
GrantId (string) – Returns only the grant with the specified grant ID. The grant ID uniquely identifies the grant.
GranteePrincipal (string) –
Returns only grants where the specified principal is the grantee principal for the grant.
You can specify either
GranteePrincipalorGranteeServicePrincipal, but not both.GranteeServicePrincipal (string) –
Returns only grants where the specified Amazon Web Services service principal is the grantee service principal for the grant. This filter is only usable by callers in a service principal.
You can specify either
GranteePrincipalorGranteeServicePrincipal, but not both.
- Return type:
dict
- Returns:
Response Syntax
{ 'Grants': [ { 'KeyId': 'string', 'GrantId': 'string', 'Name': 'string', 'CreationDate': datetime(2015, 1, 1), 'GranteePrincipal': 'string', 'RetiringPrincipal': 'string', 'IssuingAccount': 'string', 'Operations': [ 'Decrypt'|'Encrypt'|'GenerateDataKey'|'GenerateDataKeyWithoutPlaintext'|'ReEncryptFrom'|'ReEncryptTo'|'Sign'|'Verify'|'GetPublicKey'|'CreateGrant'|'RetireGrant'|'DescribeKey'|'GenerateDataKeyPair'|'GenerateDataKeyPairWithoutPlaintext'|'GenerateMac'|'VerifyMac'|'DeriveSharedSecret', ], 'Constraints': { 'EncryptionContextSubset': { 'string': 'string' }, 'EncryptionContextEquals': { 'string': 'string' }, 'SourceArn': 'string' }, 'GranteeServicePrincipal': 'string', 'RetiringServicePrincipal': 'string' }, ], 'NextMarker': 'string', 'Truncated': True|False }
Response Structure
(dict) –
Grants (list) –
A list of grants.
(dict) –
Contains information about a grant.
KeyId (string) –
The unique identifier for the KMS key to which the grant applies.
GrantId (string) –
The unique identifier for the grant.
Name (string) –
The friendly name that identifies the grant. If a name was provided in the CreateGrant request, that name is returned. Otherwise this value is null.
CreationDate (datetime) –
The date and time when the grant was created.
GranteePrincipal (string) –
The identity that gets the permissions in the grant.
When a grant is created with the
GranteePrincipalfield, theListGrantsresponse usually contains the user or role designated as the grantee principal in the grant. However, if the grantee principal is an Amazon Web Services service, theGranteePrincipalfield contains an Amazon Web Services service principal, which might correspond to several different grantee principals, such as an IAM user, IAM role, or Amazon Web Services account.RetiringPrincipal (string) –
The principal that can retire the grant.
IssuingAccount (string) –
The Amazon Web Services account under which the grant was issued.
Operations (list) –
The list of operations permitted by the grant.
(string) –
Constraints (dict) –
The constraints on the grant, such as encryption context pairs or a SourceArn, that restrict the subsequent operations the grant allows.
EncryptionContextSubset (dict) –
A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.
(string) –
(string) –
EncryptionContextEquals (dict) –
A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.
(string) –
(string) –
SourceArn (string) –
The Amazon Resource Name (ARN) of an Amazon Web Services resource on behalf of which the request is made. This is effectively the same as having the aws:SourceArn global condition key in the grant. The SourceArn constraint ensures that the principal can use the KMS key only when the request is made on behalf of the specified resource.
GranteeServicePrincipal (string) –
The Amazon Web Services service principal that gets the permissions in the grant.
RetiringServicePrincipal (string) –
The Amazon Web Services service principal that can retire the grant.
NextMarker (string) –
When
Truncatedis true, this element is present and contains the value to use for theMarkerparameter in a subsequent request.Truncated (boolean) –
A flag that indicates whether there are more items in the list. When this value is true, the list in this response is truncated. To get more items, pass the value of the
NextMarkerelement in this response to theMarkerparameter in a subsequent request.
Exceptions
KMS.Client.exceptions.NotFoundExceptionKMS.Client.exceptions.DependencyTimeoutExceptionKMS.Client.exceptions.InvalidMarkerExceptionKMS.Client.exceptions.InvalidGrantIdExceptionKMS.Client.exceptions.InvalidArnExceptionKMS.Client.exceptions.KMSInternalExceptionKMS.Client.exceptions.KMSInvalidStateException
Examples
The following example lists grants for the specified KMS key.
response = client.list_grants( # The identifier of the KMS key whose grants you want to list. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key. KeyId='1234abcd-12ab-34cd-56ef-1234567890ab', ) print(response)
Expected Output:
{ # A list of grants. 'Grants': [ { 'CreationDate': datetime(2016, 10, 25, 14, 37, 41, 1, 299, 0), 'GrantId': '91ad875e49b04a9d1f3bdeb84d821f9db6ea95e1098813f6d47f0c65fbe2a172', 'GranteePrincipal': 'acm.us-east-2.amazonaws.com', 'IssuingAccount': 'arn:aws:iam::111122223333:root', 'KeyId': 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', 'Operations': [ 'Encrypt', 'ReEncryptFrom', 'ReEncryptTo', ], 'RetiringPrincipal': 'acm.us-east-2.amazonaws.com', }, { 'CreationDate': datetime(2016, 10, 25, 14, 37, 41, 1, 299, 0), 'GrantId': 'a5d67d3e207a8fc1f4928749ee3e52eb0440493a8b9cf05bbfad91655b056200', 'GranteePrincipal': 'acm.us-east-2.amazonaws.com', 'IssuingAccount': 'arn:aws:iam::111122223333:root', 'KeyId': 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', 'Operations': [ 'ReEncryptFrom', 'ReEncryptTo', ], 'RetiringPrincipal': 'acm.us-east-2.amazonaws.com', }, { 'CreationDate': datetime(2016, 10, 25, 14, 37, 41, 1, 299, 0), 'GrantId': 'c541aaf05d90cb78846a73b346fc43e65be28b7163129488c738e0c9e0628f4f', 'GranteePrincipal': 'acm.us-east-2.amazonaws.com', 'IssuingAccount': 'arn:aws:iam::111122223333:root', 'KeyId': 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', 'Operations': [ 'Encrypt', 'ReEncryptFrom', 'ReEncryptTo', ], 'RetiringPrincipal': 'acm.us-east-2.amazonaws.com', }, { 'CreationDate': datetime(2016, 10, 25, 14, 37, 41, 1, 299, 0), 'GrantId': 'dd2052c67b4c76ee45caf1dc6a1e2d24e8dc744a51b36ae2f067dc540ce0105c', 'GranteePrincipal': 'acm.us-east-2.amazonaws.com', 'IssuingAccount': 'arn:aws:iam::111122223333:root', 'KeyId': 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', 'Operations': [ 'Encrypt', 'ReEncryptFrom', 'ReEncryptTo', ], 'RetiringPrincipal': 'acm.us-east-2.amazonaws.com', }, ], # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not. 'Truncated': True, 'ResponseMetadata': { '...': '...', }, }