constraints

Specifies a grant constraint.

Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.

KMS supports the following grant constraints.

  • EncryptionContextEquals and EncryptionContextSubset — These encryption context grant constraints allow the permissions in the grant only when the encryption context in the request matches (EncryptionContextEquals) or includes (EncryptionContextSubset) the encryption context specified in the constraint.

    Encryption context grant constraints are supported only on grant operations that include an EncryptionContext parameter, such as cryptographic operations on symmetric encryption KMS keys. You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS keys or HMAC KMS keys, because operations with these keys don't support an encryption context. Grants with encryption context grant constraints can include the DescribeKey and RetireGrant operations, but the constraint doesn't apply to these operations.

    If a grant with an encryption context grant constraint includes the CreateGrant operation, the constraint requires that any grants created with the CreateGrant permission have an equally strict or stricter encryption context constraint.

    Each constraint value can include up to 8 encryption context pairs. The encryption context value in each constraint cannot exceed 384 characters. For more information about encryption context, see Encryption context in the Key Management Service Developer Guide.

  • SourceArn — This grant constraint allows the permissions in the grant only when the request is made on behalf of a specific Amazon Web Services resource, identified by its Amazon Resource Name (ARN). This is effectively the same as having the aws:SourceArn global condition key in the grant. The SourceArn constraint is supported on grants for all types of KMS keys and can also be applied to the DescribeKey operation when specified in the request. However, it does not apply to the RetireGrant operation.
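The following is an added local model of how the two encryption context constraints are evaluated and of the "equally strict or stricter" rule for grants created via CreateGrant; it is illustration code, not AWS or KMS code, which evaluates constraints server-side. It assumes the constraint dict uses the documented keys EncryptionContextEquals and EncryptionContextSubset, and it models strictness as containment of the set of encryption contexts each constraint admits.

```python
# Local model of KMS encryption context grant-constraint checks (illustration
# only, not AWS code). Assumes constraints are dicts keyed by the documented
# names EncryptionContextEquals / EncryptionContextSubset, and models
# "equally strict or stricter" as: every context the child admits, the parent admits.
from typing import Dict, Optional

MAX_PAIRS, MAX_VALUE_LEN = 8, 384  # documented limits per constraint value
Ctx = Dict[str, str]


def validate_constraint(ctx: Ctx) -> None:
    """Reject a constraint value that exceeds the documented size limits."""
    if len(ctx) > MAX_PAIRS:
        raise ValueError(f"{len(ctx)} pairs in constraint; maximum is {MAX_PAIRS}")
    for key, value in ctx.items():
        if len(value) > MAX_VALUE_LEN:
            raise ValueError(f"value for {key!r} exceeds {MAX_VALUE_LEN} characters")


def constraint_allows(constraints: Dict[str, Ctx], request_ctx: Optional[Ctx]) -> bool:
    """True when the request's encryption context satisfies every constraint.

    Equals: the request context must match the constraint exactly.
    Subset: the request context must include every pair in the constraint.
    A request with no encryption context (e.g. an HMAC key operation) can only
    satisfy an empty constraint.
    """
    ctx = request_ctx or {}
    equals = constraints.get("EncryptionContextEquals")
    if equals is not None and ctx != equals:
        return False
    subset = constraints.get("EncryptionContextSubset")
    if subset is not None and any(ctx.get(k) != v for k, v in subset.items()):
        return False
    return True


def child_is_at_least_as_strict(parent: Dict[str, Ctx], child: Dict[str, Ctx]) -> bool:
    """Model of the CreateGrant rule: a grant created under a constrained grant
    may not admit any encryption context that the parent grant would reject."""
    child_equals = child.get("EncryptionContextEquals")
    if child_equals is not None:
        # The child admits exactly one context; the parent must admit it too.
        return constraint_allows(parent, child_equals)
    # Subset-only child admits every superset of its pairs, so the parent must
    # not pin an exact context, and all of the parent's pairs must be carried.
    if "EncryptionContextEquals" in parent:
        return False
    parent_subset = parent.get("EncryptionContextSubset", {})
    child_subset = child.get("EncryptionContextSubset", {})
    return all(child_subset.get(k) == v for k, v in parent_subset.items())
```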

For information about grant constraints, see Using grant constraints in the Key Management Service Developer Guide.