Class Grant

Provides a resource-based access control mechanism for a KMS customer master key.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Customer master key that the grant applies to.
        var key = new Aws.Kms.Key("key", new Aws.Kms.KeyArgs
        {
        });

        // IAM role that acts as the grantee; assumable by the Lambda service.
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""lambda.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}",
        });

        // Grant the role the listed operations, constrained to the
        // encryption context Department=Finance.
        var grant = new Aws.Kms.Grant("grant", new Aws.Kms.GrantArgs
        {
            Constraints =
            {
                new Aws.Kms.Inputs.GrantConstraintArgs
                {
                    EncryptionContextEquals =
                    {
                        { "Department", "Finance" },
                    },
                },
            },
            GranteePrincipal = role.Arn,
            KeyId = key.KeyId,
            Operations =
            {
                "Encrypt",
                "Decrypt",
                "GenerateDataKey",
            },
        });
    }
}

Inheritance
System.Object
Resource
CustomResource
Grant
Inherited Members
CustomResource.Id
Resource.GetResourceType()
Resource.GetResourceName()
Resource.Urn
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Aws.Kms
Assembly: Pulumi.Aws.dll
Syntax
public class Grant : CustomResource

Constructors


Grant(String, GrantArgs, CustomResourceOptions)

Create a Grant resource with the given unique name, arguments, and options.

Declaration
public Grant(string name, GrantArgs args, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resource |
| GrantArgs | args | The arguments used to populate this resource's properties |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |

Properties


Constraints

A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.

Declaration
public Output<ImmutableArray<GrantConstraint>> Constraints { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<GrantConstraint>>

GrantCreationTokens

A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.

Declaration
public Output<ImmutableArray<string>> GrantCreationTokens { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<System.String>>

GranteePrincipal

The principal, in ARN format, that is given permission to perform the operations that the grant permits. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

Declaration
public Output<string> GranteePrincipal { get; }
Property Value
Type Description
Output<System.String>

GrantId

The unique identifier for the grant.

Declaration
public Output<string> GrantId { get; }
Property Value
Type Description
Output<System.String>

GrantToken

The grant token for the created grant. For more information, see Grant Tokens.

Declaration
public Output<string> GrantToken { get; }
Property Value
Type Description
Output<System.String>

KeyId

The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.

Declaration
public Output<string> KeyId { get; }
Property Value
Type Description
Output<System.String>

Name

A friendly name for identifying the grant.

Declaration
public Output<string> Name { get; }
Property Value
Type Description
Output<System.String>

Operations

A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey.

Declaration
public Output<ImmutableArray<string>> Operations { get; }
Property Value
Type Description
Output<System.Collections.Immutable.ImmutableArray<System.String>>

RetireOnDelete

(Defaults to false; forces new resources.) If set to false (the default), the grants will be revoked upon deletion; if set to true, the provider will try to retire the grants upon deletion. Note that retiring grants requires special permissions, which is why revoking is the default. See RetireGrant for more information.

Declaration
public Output<bool?> RetireOnDelete { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

RetiringPrincipal

The principal, in ARN format, that is given permission to retire the grant by using the RetireGrant operation. Note that due to eventual consistency issues around IAM principals, the state may not always be refreshed to reflect what is true in AWS.

Declaration
public Output<string> RetiringPrincipal { get; }
Property Value
Type Description
Output<System.String>
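
A narrower variant of the grant, as an added example that is not part of the Pulumi documentation: it permits only Decrypt under the Finance encryption context, names a retiring principal, and sets RetireOnDelete so that deletion attempts to retire the grant instead of revoking it. The stack and resource names and the DeployerRoleArn value (a constructed placeholder) are assumptions, as is the premise that this role is the one running the deployment.

```csharp
using Pulumi;
using Aws = Pulumi.Aws;

class DecryptOnlyGrantStack : Stack
{
    // Constructed placeholder: ARN of the role assumed to run the deployment.
    private const string DeployerRoleArn =
        "arn:aws:iam::111122223333:role/example-deployer";

    public DecryptOnlyGrantStack()
    {
        var key = new Aws.Kms.Key("key", new Aws.Kms.KeyArgs());

        var reader = new Aws.Iam.Role("reader", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [{
    ""Action"": ""sts:AssumeRole"",
    ""Principal"": { ""Service"": ""lambda.amazonaws.com"" },
    ""Effect"": ""Allow""
  }]
}",
        });

        var grant = new Aws.Kms.Grant("reader-grant", new Aws.Kms.GrantArgs
        {
            Name = "finance-reader",
            KeyId = key.KeyId,
            GranteePrincipal = reader.Arn,
            // Decrypt only: Encrypt, GenerateDataKey and CreateGrant are left out.
            Operations = { "Decrypt" },
            // Decrypt is permitted only when the request's encryption
            // context equals this map.
            Constraints =
            {
                new Aws.Kms.Inputs.GrantConstraintArgs
                {
                    EncryptionContextEquals = { { "Department", "Finance" } },
                },
            },
            // Assumption: the deployment role is the retiring principal, so the
            // retire attempt made on deletion comes from a permitted principal.
            RetiringPrincipal = DeployerRoleArn,
            RetireOnDelete = true,
        });
    }
}
```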

Methods


Get(String, Input<String>, GrantState, CustomResourceOptions)

Get an existing Grant resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration
public static Grant Get(string name, Input<string> id, GrantState state = null, CustomResourceOptions options = null)
Parameters
| Type | Name | Description |
|---|---|---|
| System.String | name | The unique name of the resulting resource. |
| Input<System.String> | id | The unique provider ID of the resource to look up. |
| GrantState | state | Any extra arguments used during the lookup. |
| CustomResourceOptions | options | A bag of options that control this resource's behavior |

Returns
Type Description
Grant
Copyright 2016-2020, Pulumi Corporation.