Function
This API enables users to retire a grant.
For example, user A grants operation permissions on CMK A/key to user B and authorizes user C to retire the grant. By doing this, users A, B, and C all can cancel the permissions. After the canceling, user B does not have permissions on CMK A/key anymore.
The following are allowed to call this API:
- The user who granted the permissions
- The user indicated by parameter retiring_principal
- The user indicated by parameter grantee_principal when retire-grant has been selected
URI
Requests
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
key_id |
Yes |
String |
36-byte ID of a CMK that matches the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$ Example: 0d0466b0-e727-4d9c-b35d-f84bb474a37f |
grant_id |
Yes |
String |
64-byte ID of a grant that meets the regular expression ^[A-Fa-f0-9]{64}$ Example: 7c9a3286af4fcca5f0a385ad13e1d21a50e27b6dbcab50f37f30f93b8939827d |
sequence |
No |
String |
36-byte serial number of a request message Example: 919c82d4-8046-4722-9094-35c3c6524cff |
Responses
None
Examples
The following example describes how to retire a grant whose grant ID is 7c9a3286af4fcca5f0a385ad13e1d21a50e27b6dbcab50f37f30f93b8939827d and the CMK ID is bb6a3d22-dc93-47ac-b5bd-88df7ad35f1e.
- Example request
{ "key_id": "bb6a3d22-dc93-47ac-b5bd-88df7ad35f1e", "grant_id":"7c9a3286af4fcca5f0a385ad13e1d21a50e27b6dbcab50f37f30f93b8939827d" } - Example response
{ }or
{ "error": { "error_code": "KMS.XXXX", "error_msg": "XXX" } }
Status Codes
Exception status code. For details, see Status Codes.