Manage AWS KMS Grants

August 15, 2020

Create

aws kms create-grant \
    --region us-east-1 \
    --key-id <key-ARN> \
    --grantee-principal <grantee-principal-role-ARN> \
    --operations Encrypt Decrypt GenerateDataKey \
    --constraints EncryptionContextSubset={'foo'='bar'}

Note:

The list of valid --operations can be found here.
If you don’t want to supply encryption context, just omit the --constraints parameter.

List

aws kms list-grants \
    --region us-east-1 \
    --key-id <key-ARN>

Retire

aws kms retire-grant \
    --region us-east-1 \
    --grant-id <grant-id> \
    --key-id <key-ARN>