


# CreateGrant
<a name="ct-creategrant"></a>

The following example shows an AWS CloudTrail log entry for the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation. For information about creating grants in AWS KMS, see [Grants in AWS KMS](grants.md).

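CloudTrail log entries for this operation recorded in or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.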

The following example shows a `CreateGrant` log entry for a grant with an encryption context constraint.

```
{
  "eventVersion": "1.02",
  "userIdentity": {
      "type": "IAMUser",
      "principalId": "EX_PRINCIPAL_ID",
      "arn": "arn:aws:iam::111122223333:user/Alice",
      "accountId": "111122223333",
      "accessKeyId": "EXAMPLE_KEY_ID",
      "userName": "Alice"
  },
  "eventTime": "2014-11-04T00:53:12Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
      "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "constraints": {
          "encryptionContextSubset": {
              "ContextKey1": "Value1"
          }
      },
      "operations": [
        "Encrypt",
        "RetireGrant"
      ],
      "granteePrincipal": "{{service-name}}.amazonaws.com"
  },
  "responseElements": {
      "grantId": "f020fe75197b93991dc8491d6f19dd3cebb24ee62277a05914386724f3d48758",
      "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "requestID": "f3c08808-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "5d529779-2d27-42b5-92da-91aaea1fc4b5",
  "readOnly": false,
  "resources": [{
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
```

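The following example shows a `CreateGrant` log entry for a service principal grant. This grant uses the `GranteeServicePrincipal` parameter to specify an AWS service principal as the grantee and includes a `SourceArn` grant constraint.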

```
{
  "eventVersion": "1.08",
  "userIdentity": {
      "type": "IAMUser",
      "principalId": "EX_PRINCIPAL_ID",
      "arn": "arn:aws:iam::111122223333:user/Alice",
      "accountId": "111122223333",
      "accessKeyId": "EXAMPLE_KEY_ID",
      "userName": "Alice"
  },
  "eventTime": "2026-03-04T18:22:45Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
      "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "constraints": {
          "sourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"
      },
      "operations": [
        "Encrypt",
        "Decrypt",
        "GenerateDataKey"
      ],
      "granteeServicePrincipal": "{{service-name}}.amazonaws.com",
      "retiringServicePrincipal": "{{service-name}}.amazonaws.com"
  },
  "responseElements": {
      "grantId": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
      "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  "readOnly": false,
  "resources": [{
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
```

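**Note**  
When a grant is created with the `GranteeServicePrincipal` parameter, the CloudTrail log entry for the `CreateGrant` operation contains the `granteeServicePrincipal` field instead of `granteePrincipal`. Similarly, if `RetiringServicePrincipal` is specified, the log entry contains the `retiringServicePrincipal` field instead of `retiringPrincipal`. This distinguishes grants created explicitly for an AWS [service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) using `GranteeServicePrincipal` from grants in which the `granteePrincipal` field represents an AWS service.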
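The following is an added example, not part of the AWS documentation: a Python sketch that summarizes `CreateGrant` records for grant review, using the field differences described in the note above. The function names, the sample records (constructed, trimmed to the fields shown in the log entries above), the `.amazonaws.com` suffix heuristic, and the `unconstrained` flag are assumptions made for illustration.

```python
import json

# Constructed sample records, trimmed to fields shown in the log entries above.
KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "operations": ["Encrypt", "RetireGrant"],
                           "constraints": {"encryptionContextSubset": {"ContextKey1": "Value1"}},
                           "granteePrincipal": "dynamodb.amazonaws.com"},
     "responseElements": {"grantId": "constructed-grant-1", "keyId": KEY}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "operations": ["Encrypt", "Decrypt", "GenerateDataKey"],
                           "constraints": {"sourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"},
                           "granteeServicePrincipal": "dynamodb.amazonaws.com",
                           "retiringServicePrincipal": "dynamodb.amazonaws.com"},
     "responseElements": {"grantId": "constructed-grant-2", "keyId": KEY}},
    # Record without responseElements.keyId, with an IAM grantee and no constraints.
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "requestParameters": {"keyId": KEY, "operations": ["Decrypt"],
                           "granteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole"},
     "responseElements": {"grantId": "constructed-grant-3"},
     "resources": [{"ARN": KEY, "accountId": "111122223333"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
]


def summarize_create_grant(event):
    """Return a review summary for one CreateGrant record, or None for other events."""
    if (event.get("eventSource"), event.get("eventName")) != ("kms.amazonaws.com", "CreateGrant"):
        return None
    req = event.get("requestParameters") or {}
    resp = event.get("responseElements") or {}  # tolerate a missing or null element
    if "granteeServicePrincipal" in req:
        kind, grantee = "service-principal-parameter", req["granteeServicePrincipal"]
    else:
        grantee = req.get("granteePrincipal", "")
        # Heuristic (assumption): a service name in granteePrincipal ends in .amazonaws.com
        kind = "service-in-granteePrincipal" if grantee.endswith(".amazonaws.com") else "principal"
    # responseElements.keyId is documented for entries logged from December 2022;
    # when it is absent, fall back to the ARN in the resources element.
    resources = event.get("resources") or [{}]
    key_arn = resp.get("keyId") or resources[0].get("ARN")
    constraints = sorted((req.get("constraints") or {}).keys())
    return {"grantId": resp.get("grantId"), "keyArn": key_arn, "granteeKind": kind,
            "grantee": grantee, "operations": req.get("operations", []),
            "constraints": constraints, "unconstrained": not constraints}


def review(events):
    """Summaries for every CreateGrant record in an iterable of CloudTrail events."""
    return [s for s in map(summarize_create_grant, events) if s is not None]


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EVENTS), indent=2))
```
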