listGrants

abstract suspend fun listGrants(input: ListGrantsRequest): ListGrantsResponse

Gets a list of all grants for the specified KMS key.

You must specify the KMS key in all requests. You can filter the grant list by grant ID, grantee principal, or grantee service principal.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of creating grants in several programming languages, see Use CreateGrant with an Amazon Web Services SDK or CLI.

When a grant is created with the GranteePrincipal field, the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, if the grantee principal is an Amazon Web Services service, the GranteePrincipal field contains an Amazon Web Services service principal, which might correspond to several different grantee principals, such as an IAM user, IAM role, or Amazon Web Services account.

When a grant is created with the GranteeServicePrincipal field, the ListGrants response always includes a GranteeServicePrincipal that indicates the grantee is actually an Amazon Web Services service principal.

Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.

Required permissions: kms:ListGrants (key policy)

Related operations:

  • CreateGrant

  • ListRetirableGrants

  • RetireGrant

  • RevokeGrant

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
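
A grant review built on this operation, as an added example that is not part of the SDK documentation: it collects every grant on a key, then flags grants that allow CreateGrant or carry no encryption context constraint. The function names `listAllGrants` and `reviewGrant`, the two review checks, the region and the key ARN are assumptions of this example; the paging fields `marker`, `truncated` and `nextMarker` come from the ListGrants API.

```kotlin
import aws.sdk.kotlin.services.kms.KmsClient
import aws.sdk.kotlin.services.kms.model.GrantListEntry
import aws.sdk.kotlin.services.kms.model.GrantOperation
import aws.sdk.kotlin.services.kms.model.ListGrantsRequest

// Returns review findings for one grant; an empty list means nothing was flagged.
// Both checks are this example's own review policy, not rules that KMS enforces.
fun reviewGrant(grant: GrantListEntry): List<String> {
    val findings = mutableListOf<String>()
    if (GrantOperation.CreateGrant in grant.operations.orEmpty()) {
        findings += "grantee can create further grants"
    }
    val constraints = grant.constraints
    if (constraints?.encryptionContextEquals.isNullOrEmpty() &&
        constraints?.encryptionContextSubset.isNullOrEmpty()
    ) {
        findings += "no encryption context constraint"
    }
    return findings
}

// Collects every grant on the key, following nextMarker while the response is truncated.
suspend fun listAllGrants(kms: KmsClient, keyArn: String, grantee: String? = null): List<GrantListEntry> {
    val all = mutableListOf<GrantListEntry>()
    var next: String? = null
    do {
        val response = kms.listGrants(ListGrantsRequest {
            keyId = keyArn              // use the key ARN for a key in another account
            granteePrincipal = grantee  // optional filter; null lists all grantees
            marker = next
        })
        all += response.grants.orEmpty()
        next = if (response.truncated == true) response.nextMarker else null
    } while (next != null)
    return all
}

suspend fun main() {
    // Placeholder ARN and region: replace with the key under review.
    val keyArn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    KmsClient { region = "us-west-2" }.use { kms ->
        for (grant in listAllGrants(kms, keyArn)) {
            println("${grant.grantId} grantee=${grant.granteePrincipal} ops=${grant.operations}")
            reviewGrant(grant).forEach { println("  review: $it") }
        }
    }
}
```

The caller needs kms:ListGrants on the key. Because of eventual consistency, a grant created moments earlier might not appear in the result yet.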