/* * Copyright 2010-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ package com.amazonaws.services.kms.model; import java.io.Serializable; import com.amazonaws.AmazonWebServiceRequest; /** *
* Adds a grant to a KMS key. *
** A grant is a policy instrument that allows Amazon Web Services * principals to use KMS keys in cryptographic operations. It also can allow * them to view a KMS key (DescribeKey) and create and manage grants. * When authorizing access to a KMS key, grants are considered along with key * policies and IAM policies. Grants are often used for temporary permissions * because you can create one, use its permissions, and delete it without * changing your key policies or IAM policies. *
** For detailed information about grants, including grant terminology, see Grants * in KMS in the Key Management Service Developer Guide . For * examples of working with grants in several programming languages, see Programming grants. *
*
* The CreateGrant operation returns a GrantToken and a GrantId.
*
* When you create, retire, or revoke a grant, there might be a brief delay, * usually less than five minutes, until the grant is available throughout KMS. * This state is known as eventual consistency. Once the grant has * achieved eventual consistency, the grantee principal can use the permissions * in the grant without identifying the grant. *
*
* However, to use the permissions in the grant immediately, use the
* GrantToken that CreateGrant returns. For details, see Using a grant
* token in the Key Management Service Developer Guide.
*
* The CreateGrant operation also returns a GrantId. You can use the
* GrantId and a key identifier to identify the grant in the RetireGrant
* and RevokeGrant operations. To find the grant ID, use the ListGrants or
* ListRetirableGrants operations.
*
* The KMS key that you use for this operation must be in a compatible key * state. For details, see Key states of KMS keys in the Key Management Service Developer * Guide. *
*
* Cross-account use: Yes. To perform this operation on a KMS key in a
* different Amazon Web Services account, specify the key ARN in the value of
* the KeyId parameter.
*
* Required permissions: kms:CreateGrant (key policy) *
** Related operations: *
** ListGrants *
** RetireGrant *
** RevokeGrant *
** Identifies the KMS key for the grant. The grant gives principals * permission to use this KMS key. *
** Specify the key ID or key ARN of the KMS key. To specify a KMS key in a * different Amazon Web Services account, you must use the key ARN. *
** For example: *
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
* Key ARN:
* arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
* To get the key ID and key ARN for a KMS key, use ListKeys or * DescribeKey. *
*
* Constraints:
* Length: 1 - 2048
*/
private String keyId;
/**
*
* The identity that gets the permissions specified in the grant. *
** To specify the grantee principal, use the Amazon Resource Name (ARN) of * an Amazon Web Services principal. Valid principals include Amazon Web * Services accounts, IAM users, IAM roles, federated users, and assumed * role users. For help with the ARN syntax for a principal, see IAM ARNs in the Identity and Access Management User Guide * . *
*
* Constraints:
* Length: 1 - 256
* Pattern: ^[\w+=,.@:/-]+$
*/
private String granteePrincipal;
/**
*
* The principal that has permission to use the RetireGrant operation * to retire the grant. *
** To specify the principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. * Valid principals include Amazon Web Services accounts, IAM users, IAM * roles, federated users, and assumed role users. For help with the ARN * syntax for a principal, see IAM ARNs in the Identity and Access Management User Guide * . *
** The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring and revoking grants in the Key Management Service * Developer Guide. *
*
* Constraints:
* Length: 1 - 256
* Pattern: ^[\w+=,.@:/-]+$
*/
private String retiringPrincipal;
/**
*
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a grant.
* Also, the operation must be supported on the KMS key. For example, you
* cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows
* the GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service Developer
* Guide.
*
* Specifies a grant constraint. *
** Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *
*
* KMS supports the EncryptionContextEquals
and
* EncryptionContextSubset
grant constraints, which allow the
* permissions in the grant only when the encryption context in the request
* matches (EncryptionContextEquals
) or includes (
* EncryptionContextSubset
) the encryption context specified in
* the constraint.
*
* The encryption context grant constraints are supported only on grant operations that include an EncryptionContext
* parameter, such as cryptographic operations on symmetric encryption KMS
* keys. Grants with grant constraints can include the DescribeKey
* and RetireGrant operations, but the constraint doesn't apply to
* these operations. If a grant with a grant constraint includes the
* CreateGrant
operation, the constraint requires that any
* grants created with the CreateGrant
permission have an
* equally strict or stricter encryption context constraint.
*
* You cannot use an encryption context grant constraint for cryptographic * operations with asymmetric KMS keys or HMAC KMS keys. Operations with * these keys don't support an encryption context. *
** Each constraint value can include up to 8 encryption context pairs. The * encryption context value in each constraint cannot exceed 384 characters. * For information about grant constraints, see Using grant constraints in the Key Management Service Developer * Guide. For more information about encryption context, see Encryption context in the Key Management Service Developer * Guide . *
*/ private GrantConstraints constraints; /** ** A list of grant tokens. *
** Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *
*/ private java.util.List* A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request. *
** Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *
*
* When this value is absent, all CreateGrant requests result in a new
* grant with a unique GrantId even if all the supplied parameters are
* identical. This can result in unintended duplicates when you retry the
* CreateGrant request.
*
* When this value is present, you can retry a CreateGrant request with
* identical parameters; if the grant already exists, the original GrantId
* is returned without creating a new grant. Note that the returned grant
* token is unique with every CreateGrant request, even when a duplicate
* GrantId is returned. All grant tokens for the same grant ID can be used
* interchangeably.
*
* Constraints:
* Length: 1 - 256
* Pattern: ^[a-zA-Z0-9:/_-]+$
*/
private String name;
/**
*
* Checks if your request will succeed. DryRun
is an optional
* parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
*/ private Boolean dryRun; /** ** Identifies the KMS key for the grant. The grant gives principals * permission to use this KMS key. *
* <p>
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
* different Amazon Web Services account, you must use the key ARN.
* <p>
* For example:
* <ul>
* <li>Key ID: {@code 1234abcd-12ab-34cd-56ef-1234567890ab}</li>
* <li>Key ARN:
* {@code arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab}</li>
* </ul>
* <p>
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 2048
*
* @return the key ID or key ARN that identifies the KMS key for the grant,
*         exactly as it is held by this request; {@code null} unless a
*         value has been assigned
*/
public String getKeyId() {
    return this.keyId;
}

/**
* Identifies the KMS key for the grant. The grant gives principals
* permission to use this KMS key.
*
* <p>
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
* different Amazon Web Services account, you must use the key ARN.
* <p>
* For example:
* <ul>
* <li>Key ID: {@code 1234abcd-12ab-34cd-56ef-1234567890ab}</li>
* <li>Key ARN:
* {@code arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab}</li>
* </ul>
* <p>
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 2048
* <p>
* The value is stored as given; this method performs no check against the
* documented length constraint.
*
* @param keyId
*            the key ID or key ARN of the KMS key for the grant; the key
*            ARN is required for a KMS key in a different Amazon Web
*            Services account
*/
public void setKeyId(String keyId) {
    this.keyId = keyId;
}

/**
* Identifies the KMS key for the grant. The grant gives principals
* permission to use this KMS key.
*
* <p>
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
* different Amazon Web Services account, you must use the key ARN.
* <p>
* For example:
* <ul>
* <li>Key ID: {@code 1234abcd-12ab-34cd-56ef-1234567890ab}</li>
* <li>Key ARN:
* {@code arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab}</li>
* </ul>
* <p>
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
* <p>
* Returns a reference to this object so that method calls can be chained
* together.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 2048
* <p>
* The value is stored as given; this method performs no check against the
* documented length constraint.
*
* @param keyId
*            the key ID or key ARN of the KMS key for the grant; the key
*            ARN is required for a KMS key in a different Amazon Web
*            Services account
* @return A reference to this updated object so that method calls can be
*         chained together.
*/
public CreateGrantRequest withKeyId(String keyId) {
    this.keyId = keyId;
    return this;
}

/**
* The identity that gets the permissions specified in the grant.
*
* <p>
* To specify the grantee principal, use the Amazon Resource Name (ARN) of
* an Amazon Web Services principal. Valid principals include Amazon Web
* Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 256<br>
* <b>Pattern:</b> ^[\w+=,.@:/-]+$
*
* @return the ARN of the principal that gets the permissions specified in
*         the grant, exactly as it is held by this request; {@code null}
*         unless a value has been assigned
*/
public String getGranteePrincipal() {
    return this.granteePrincipal;
}

/**
* The identity that gets the permissions specified in the grant.
*
* <p>
* To specify the grantee principal, use the Amazon Resource Name (ARN) of
* an Amazon Web Services principal. Valid principals include Amazon Web
* Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 256<br>
* <b>Pattern:</b> ^[\w+=,.@:/-]+$
* <p>
* The value is stored as given; this method performs no check against the
* documented length or pattern, so a caller that builds the ARN from
* external input has to validate it before calling.
*
* @param granteePrincipal
*            the ARN of the Amazon Web Services principal that gets the
*            permissions specified in the grant
*/
public void setGranteePrincipal(String granteePrincipal) {
    this.granteePrincipal = granteePrincipal;
}

/**
* The identity that gets the permissions specified in the grant.
*
* <p>
* To specify the grantee principal, use the Amazon Resource Name (ARN) of
* an Amazon Web Services principal. Valid principals include Amazon Web
* Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide.
* <p>
* Returns a reference to this object so that method calls can be chained
* together.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 256<br>
* <b>Pattern:</b> ^[\w+=,.@:/-]+$
* <p>
* The value is stored as given; this method performs no check against the
* documented length or pattern, so a caller that builds the ARN from
* external input has to validate it before calling.
*
* @param granteePrincipal
*            the ARN of the Amazon Web Services principal that gets the
*            permissions specified in the grant
* @return A reference to this updated object so that method calls can be
*         chained together.
*/
public CreateGrantRequest withGranteePrincipal(String granteePrincipal) {
    this.granteePrincipal = granteePrincipal;
    return this;
}

/**
* The principal that has permission to use the RetireGrant operation
* to retire the grant.
*
* <p>
* To specify the principal, use the Amazon Resource Name (ARN) of an
* Amazon Web Services principal. Valid principals include Amazon Web
* Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide.
* <p>
* The grant determines the retiring principal. Other principals might have
* permission to retire the grant or revoke the grant. For details, see
* RevokeGrant and Retiring and revoking grants in the Key Management
* Service Developer Guide.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 256<br>
* <b>Pattern:</b> ^[\w+=,.@:/-]+$
*
* @return the ARN of the principal that has permission to use the
*         RetireGrant operation to retire the grant, exactly as it is held
*         by this request; {@code null} unless a value has been assigned
*/
public String getRetiringPrincipal() {
    return this.retiringPrincipal;
}

/**
* The principal that has permission to use the RetireGrant operation
* to retire the grant.
*
* <p>
* To specify the principal, use the Amazon Resource Name (ARN) of an
* Amazon Web Services principal. Valid principals include Amazon Web
* Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide.
* <p>
* The grant determines the retiring principal. Other principals might have
* permission to retire the grant or revoke the grant. For details, see
* RevokeGrant and Retiring and revoking grants in the Key Management
* Service Developer Guide.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 256<br>
* <b>Pattern:</b> ^[\w+=,.@:/-]+$
* <p>
* The value is stored as given; this method performs no check against the
* documented length or pattern.
*
* @param retiringPrincipal
*            the ARN of the Amazon Web Services principal that has
*            permission to use the RetireGrant operation to retire the
*            grant
*/
public void setRetiringPrincipal(String retiringPrincipal) {
    this.retiringPrincipal = retiringPrincipal;
}

/**
* The principal that has permission to use the RetireGrant operation
* to retire the grant.
*
* <p>
* To specify the principal, use the Amazon Resource Name (ARN) of an
* Amazon Web Services principal. Valid principals include Amazon Web
* Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide.
* <p>
* The grant determines the retiring principal. Other principals might have
* permission to retire the grant or revoke the grant. For details, see
* RevokeGrant and Retiring and revoking grants in the Key Management
* Service Developer Guide.
* <p>
* Returns a reference to this object so that method calls can be chained
* together.
* <p>
* <b>Constraints:</b><br>
* <b>Length:</b> 1 - 256<br>
* <b>Pattern:</b> ^[\w+=,.@:/-]+$
* <p>
* The value is stored as given; this method performs no check against the
* documented length or pattern.
*
* @param retiringPrincipal
*            the ARN of the Amazon Web Services principal that has
*            permission to use the RetireGrant operation to retire the
*            grant
* @return A reference to this updated object so that method calls can be
*         chained together.
*/
public CreateGrantRequest withRetiringPrincipal(String retiringPrincipal) {
    this.retiringPrincipal = retiringPrincipal;
    return this;
}

/**
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant.
* Also, the operation must be supported on the KMS key. For example, you
* cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows
* the GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service Developer
* Guide.
*
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a
* grant. Also, the operation must be supported on the KMS key. For
* example, you cannot create a grant for a symmetric encryption KMS
* key that allows the Sign operation, or a grant for an
* asymmetric KMS key that allows the GenerateDataKey
* operation. If you try, KMS returns a ValidationError
* exception. For details, see Grant operations in the Key Management Service Developer
* Guide.
*
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a grant.
* Also, the operation must be supported on the KMS key. For example, you
* cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows
* the GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service Developer
* Guide.
*
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a
* grant. Also, the operation must be supported on the KMS key.
* For example, you cannot create a grant for a symmetric
* encryption KMS key that allows the Sign operation, or a
* grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service
* Developer Guide.
*
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a grant.
* Also, the operation must be supported on the KMS key. For example, you
* cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows
* the GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service Developer
* Guide.
*
* Returns a reference to this object so that method calls can be chained * together. * * @param operations
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a
* grant. Also, the operation must be supported on the KMS key.
* For example, you cannot create a grant for a symmetric
* encryption KMS key that allows the Sign operation, or a
* grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service
* Developer Guide.
*
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a grant.
* Also, the operation must be supported on the KMS key. For example, you
* cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows
* the GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service Developer
* Guide.
*
* Returns a reference to this object so that method calls can be chained * together. * * @param operations
* A list of operations that the grant permits. *
*
* This list must include only operations that are permitted in a
* grant. Also, the operation must be supported on the KMS key.
* For example, you cannot create a grant for a symmetric
* encryption KMS key that allows the Sign operation, or a
* grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a
* ValidationError
exception. For details, see Grant operations in the Key Management Service
* Developer Guide.
*
* Specifies a grant constraint.
* <p>
* Do not include confidential or sensitive information in this field. This
* field may be displayed in plaintext in CloudTrail logs and other output.
* <p>
* KMS supports the {@code EncryptionContextEquals} and
* {@code EncryptionContextSubset} grant constraints, which allow the
* permissions in the grant only when the encryption context in the request
* matches ({@code EncryptionContextEquals}) or includes
* ({@code EncryptionContextSubset}) the encryption context specified in
* the constraint.
* <p>
* The encryption context grant constraints are supported only on grant
* operations that include an {@code EncryptionContext} parameter, such as
* cryptographic operations on symmetric encryption KMS keys. Grants with
* grant constraints can include the DescribeKey and RetireGrant
* operations, but the constraint doesn't apply to these operations. If a
* grant with a grant constraint includes the {@code CreateGrant}
* operation, the constraint requires that any grants created with the
* {@code CreateGrant} permission have an equally strict or stricter
* encryption context constraint.
* <p>
* You cannot use an encryption context grant constraint for cryptographic
* operations with asymmetric KMS keys or HMAC KMS keys. Operations with
* these keys don't support an encryption context.
* <p>
* Each constraint value can include up to 8 encryption context pairs. The
* encryption context value in each constraint cannot exceed 384 characters.
* For information about grant constraints, see Using grant constraints in
* the Key Management Service Developer Guide. For more information about
* encryption context, see Encryption context in the Key Management Service
* Developer Guide.
*
* @return the grant constraint held by this request; {@code null} unless a
*         value has been assigned. The object is returned by reference,
*         not copied.
*/
public GrantConstraints getConstraints() {
    return this.constraints;
}

/**
* Specifies a grant constraint.
*
* <p>
* Do not include confidential or sensitive information in this field. This
* field may be displayed in plaintext in CloudTrail logs and other output.
* <p>
* KMS supports the {@code EncryptionContextEquals} and
* {@code EncryptionContextSubset} grant constraints, which allow the
* permissions in the grant only when the encryption context in the request
* matches ({@code EncryptionContextEquals}) or includes
* ({@code EncryptionContextSubset}) the encryption context specified in
* the constraint.
* <p>
* The encryption context grant constraints are supported only on grant
* operations that include an {@code EncryptionContext} parameter, such as
* cryptographic operations on symmetric encryption KMS keys. Grants with
* grant constraints can include the DescribeKey and RetireGrant
* operations, but the constraint doesn't apply to these operations. If a
* grant with a grant constraint includes the {@code CreateGrant}
* operation, the constraint requires that any grants created with the
* {@code CreateGrant} permission have an equally strict or stricter
* encryption context constraint.
* <p>
* You cannot use an encryption context grant constraint for cryptographic
* operations with asymmetric KMS keys or HMAC KMS keys. Operations with
* these keys don't support an encryption context.
* <p>
* Each constraint value can include up to 8 encryption context pairs. The
* encryption context value in each constraint cannot exceed 384 characters.
* For information about grant constraints, see Using grant constraints in
* the Key Management Service Developer Guide. For more information about
* encryption context, see Encryption context in the Key Management Service
* Developer Guide.
* <p>
* The object is stored by reference and is not inspected here; this method
* does not check the documented limits on pair count or value length.
*
* @param constraints
*            the grant constraint to attach to the grant; it must not
*            carry confidential or sensitive information, because the
*            field may be displayed in plaintext in CloudTrail logs and
*            other output
*/
public void setConstraints(GrantConstraints constraints) {
    this.constraints = constraints;
}

/**
* Specifies a grant constraint.
*
** Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *
*
* KMS supports the EncryptionContextEquals
and
* EncryptionContextSubset
grant constraints, which allow the
* permissions in the grant only when the encryption context in the request
* matches (EncryptionContextEquals
) or includes (
* EncryptionContextSubset
) the encryption context specified in
* the constraint.
*
* The encryption context grant constraints are supported only on grant
* operations that include an {@code EncryptionContext} parameter, such as
* cryptographic operations on symmetric encryption KMS keys. Grants with
* grant constraints can include the DescribeKey and RetireGrant operations,
* but the constraint doesn't apply to these operations. If a grant with a
* grant constraint includes the {@code CreateGrant} operation, the
* constraint requires that any grants created with the {@code CreateGrant}
* permission have an equally strict or stricter encryption context
* constraint.
*
* You cannot use an encryption context grant constraint for cryptographic
* operations with asymmetric KMS keys or HMAC KMS keys. Operations with
* these keys don't support an encryption context.
*
* Each constraint value can include up to 8 encryption context pairs. The
* encryption context value in each constraint cannot exceed 384 characters.
* For information about grant constraints, see "Using grant constraints" in
* the Key Management Service Developer Guide. For more information about
* encryption context, see "Encryption context" in the Key Management Service
* Developer Guide.
*
** Returns a reference to this object so that method calls can be chained * together. * * @param constraints
* Specifies a grant constraint. *
** Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *
*
* KMS supports the EncryptionContextEquals
and
* EncryptionContextSubset
grant constraints, which
* allow the permissions in the grant only when the encryption
* context in the request matches (
* EncryptionContextEquals
) or includes (
* EncryptionContextSubset
) the encryption context
* specified in the constraint.
*
* The encryption context grant constraints are supported only on
* grant operations that include an
* EncryptionContext
parameter, such as
* cryptographic operations on symmetric encryption KMS keys.
* Grants with grant constraints can include the
* DescribeKey and RetireGrant operations, but the
* constraint doesn't apply to these operations. If a grant with
* a grant constraint includes the CreateGrant
* operation, the constraint requires that any grants created
* with the CreateGrant
permission have an equally
* strict or stricter encryption context constraint.
*
* You cannot use an encryption context grant constraint for * cryptographic operations with asymmetric KMS keys or HMAC KMS * keys. Operations with these keys don't support an encryption * context. *
** Each constraint value can include up to 8 encryption context * pairs. The encryption context value in each constraint cannot * exceed 384 characters. For information about grant * constraints, see Using grant constraints in the Key Management Service * Developer Guide. For more information about encryption * context, see Encryption context in the Key Management Service * Developer Guide . *
* @return A reference to this updated object so that method calls can be
*         chained together.
*/
    public CreateGrantRequest withConstraints(GrantConstraints constraints) {
        // Fluent counterpart of setConstraints: stores the reference as given
        // (no copy, no validation of the documented limits) and hands back
        // this request for chaining.
        this.constraints = constraints;
        return this;
    }

    /**
     * A list of grant tokens.
     *
** Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *
* * @return* A list of grant tokens. *
** Use a grant token when your permission to call this operation * comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant token and Using a grant token in the Key Management Service * Developer Guide. *
*/ public java.util.List* A list of grant tokens. *
** Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *
* * @param grantTokens* A list of grant tokens. *
** Use a grant token when your permission to call this operation * comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant token and Using a grant token in the Key Management Service * Developer Guide. *
*/ public void setGrantTokens(java.util.Collection* A list of grant tokens. *
** Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *
** Returns a reference to this object so that method calls can be chained * together. * * @param grantTokens
* A list of grant tokens. *
** Use a grant token when your permission to call this operation * comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant token and Using a grant token in the Key Management Service * Developer Guide. *
* @return A reference to this updated object so that method calls can be * chained together. */ public CreateGrantRequest withGrantTokens(String... grantTokens) { if (getGrantTokens() == null) { this.grantTokens = new java.util.ArrayList* A list of grant tokens. *
** Use a grant token when your permission to call this operation comes from * a new grant that has not yet achieved eventual consistency. For * more information, see Grant token and Using a grant token in the Key Management Service Developer * Guide. *
** Returns a reference to this object so that method calls can be chained * together. * * @param grantTokens
* A list of grant tokens. *
** Use a grant token when your permission to call this operation * comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant token and Using a grant token in the Key Management Service * Developer Guide. *
* @return A reference to this updated object so that method calls can be * chained together. */ public CreateGrantRequest withGrantTokens(java.util.Collection* A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request. *
* Do not include confidential or sensitive information in this field. This
* field may be displayed in plaintext in CloudTrail logs and other output.
*
*
* When this value is absent, all {@code CreateGrant} requests result in a
* new grant with a unique {@code GrantId} even if all the supplied
* parameters are identical. This can result in unintended duplicates when
* you retry the {@code CreateGrant} request.
*
* When this value is present, you can retry a {@code CreateGrant} request
* with identical parameters; if the grant already exists, the original
* {@code GrantId} is returned without creating a new grant. Note that the
* returned grant token is unique with every {@code CreateGrant} request,
* even when a duplicate {@code GrantId} is returned. All grant tokens for
* the same grant ID can be used interchangeably.
*
* Constraints:
* Length: 1 - 256
* Pattern: ^[a-zA-Z0-9:/_-]+$
*
* @return
* A friendly name for the grant. Use this value to prevent the * unintended creation of duplicate grants when retrying this * request. *
** Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *
*
* When this value is absent, all CreateGrant
requests
* result in a new grant with a unique GrantId
even if
* all the supplied parameters are identical. This can result in
* unintended duplicates when you retry the CreateGrant
* request.
*
* When this value is present, you can retry a
* CreateGrant
request with identical parameters; if
* the grant already exists, the original GrantId
is
* returned without creating a new grant. Note that the returned
* grant token is unique with every CreateGrant
* request, even when a duplicate GrantId
is returned.
* All grant tokens for the same grant ID can be used
* interchangeably.
*
* A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request. *
** Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *
*
* When this value is absent, all CreateGrant
requests result
* in a new grant with a unique GrantId
even if all the
* supplied parameters are identical. This can result in unintended
* duplicates when you retry the CreateGrant
request.
*
* When this value is present, you can retry a CreateGrant
* request with identical parameters; if the grant already exists, the
* original GrantId
is returned without creating a new grant.
* Note that the returned grant token is unique with every
* CreateGrant
request, even when a duplicate
* GrantId
is returned. All grant tokens for the same grant ID
* can be used interchangeably.
*
* Constraints:
* Length: 1 - 256
* Pattern: ^[a-zA-Z0-9:/_-]+$
*
* @param name
* A friendly name for the grant. Use this value to prevent the * unintended creation of duplicate grants when retrying this * request. *
** Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *
*
* When this value is absent, all CreateGrant
* requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are
* identical. This can result in unintended duplicates when you
* retry the CreateGrant
request.
*
* When this value is present, you can retry a
* CreateGrant
request with identical parameters; if
* the grant already exists, the original GrantId
is
* returned without creating a new grant. Note that the returned
* grant token is unique with every CreateGrant
* request, even when a duplicate GrantId
is
* returned. All grant tokens for the same grant ID can be used
* interchangeably.
*
* A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request. *
** Do not include confidential or sensitive information in this field. This * field may be displayed in plaintext in CloudTrail logs and other output. *
*
* When this value is absent, all CreateGrant
requests result
* in a new grant with a unique GrantId
even if all the
* supplied parameters are identical. This can result in unintended
* duplicates when you retry the CreateGrant
request.
*
* When this value is present, you can retry a CreateGrant
* request with identical parameters; if the grant already exists, the
* original GrantId
is returned without creating a new grant.
* Note that the returned grant token is unique with every
* CreateGrant
request, even when a duplicate
* GrantId
is returned. All grant tokens for the same grant ID
* can be used interchangeably.
*
* Returns a reference to this object so that method calls can be chained * together. *
* Constraints:
* Length: 1 - 256
* Pattern: ^[a-zA-Z0-9:/_-]+$
*
* @param name
* A friendly name for the grant. Use this value to prevent the * unintended creation of duplicate grants when retrying this * request. *
** Do not include confidential or sensitive information in this * field. This field may be displayed in plaintext in CloudTrail * logs and other output. *
*
* When this value is absent, all CreateGrant
* requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are
* identical. This can result in unintended duplicates when you
* retry the CreateGrant
request.
*
* When this value is present, you can retry a
* CreateGrant
request with identical parameters; if
* the grant already exists, the original GrantId
is
* returned without creating a new grant. Note that the returned
* grant token is unique with every CreateGrant
* request, even when a duplicate GrantId
is
* returned. All grant tokens for the same grant ID can be used
* interchangeably.
*
* Checks if your request will succeed. {@code DryRun} is an optional
* parameter.
*
* To learn more about how to use this parameter, see "Testing your KMS API
* calls" in the Key Management Service Developer Guide.
*
* * @return
* Checks if your request will succeed. DryRun
is an
* optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
*/
    public Boolean isDryRun() {
        // The boxed value is returned as stored and can be null (toString,
        // hashCode and equals all null-check it), so do not auto-unbox the
        // result without a check.
        return dryRun;
    }

    /**
     *
* Checks if your request will succeed. DryRun
is an optional
* parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
* * @return
* Checks if your request will succeed. DryRun
is an
* optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
*/
    public Boolean getDryRun() {
        // Same value as isDryRun(): the boxed field as stored, possibly null.
        return dryRun;
    }

    /**
     *
* Checks if your request will succeed. DryRun
is an optional
* parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
* * @param dryRun
* Checks if your request will succeed. DryRun
is an
* optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management * Service Developer Guide. *
*/
    public void setDryRun(Boolean dryRun) {
        // No null check: passing null leaves the field null, and toString then
        // omits DryRun from its output.
        this.dryRun = dryRun;
    }

    /**
     *
* Checks if your request will succeed. DryRun
is an optional
* parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service * Developer Guide. *
** Returns a reference to this object so that method calls can be chained * together. * * @param dryRun
* Checks if your request will succeed. DryRun
is an
* optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management * Service Developer Guide. *
* @return A reference to this updated object so that method calls can be
*         chained together.
*/
    public CreateGrantRequest withDryRun(Boolean dryRun) {
        // Fluent counterpart of setDryRun; null is stored as-is.
        this.dryRun = dryRun;
        return this;
    }

    /**
     * Returns a string representation of this object; useful for testing and
     * debugging. Every field that is set is written out verbatim, including
     * Constraints, GrantTokens and Name, and nothing is redacted, so handle
     * the result with the same care as those fields when it reaches a log.
     *
     * @return A string representation of this object.
     * @see java.lang.Object#toString()
     */
    @Override
    public String toString() {
        final String[] labels = {
            "KeyId: ",
            "GranteePrincipal: ",
            "RetiringPrincipal: ",
            "Operations: ",
            "Constraints: ",
            "GrantTokens: ",
            "Name: ",
            "DryRun: "
        };
        final Object[] values = {
            getKeyId(),
            getGranteePrincipal(),
            getRetiringPrincipal(),
            getOperations(),
            getConstraints(),
            getGrantTokens(),
            getName(),
            getDryRun()
        };

        final StringBuilder text = new StringBuilder("{");
        final int last = labels.length - 1;
        for (int i = 0; i <= last; i++) {
            if (values[i] == null) {
                continue; // unset fields are left out entirely
            }
            text.append(labels[i]).append(values[i]);
            // Every field except the final one (DryRun) is followed by a comma.
            if (i < last) {
                text.append(",");
            }
        }
        return text.append("}").toString();
    }

    /**
     * Combines the hash codes of all request fields, in declaration order,
     * with the usual 31-multiplier scheme; a null field contributes 0.
     *
     * @return The hash code of this request.
     */
    @Override
    public int hashCode() {
        final Object[] fields = {
            getKeyId(),
            getGranteePrincipal(),
            getRetiringPrincipal(),
            getOperations(),
            getConstraints(),
            getGrantTokens(),
            getName(),
            getDryRun()
        };

        int result = 1;
        for (Object field : fields) {
            result = 31 * result + (field == null ? 0 : field.hashCode());
        }
        return result;
    }

    /**
     * Compares this request with another object field by field.
     *
     * @param obj The object to compare with; may be null.
     * @return true when {@code obj} is a CreateGrantRequest whose fields are
     *         all either null on both sides or equal on both sides.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        // instanceof is false for null, so this also rejects a null argument.
        if (!(obj instanceof CreateGrantRequest)) {
            return false;
        }
        final CreateGrantRequest other = (CreateGrantRequest) obj;

        final Object[] theirs = {
            other.getKeyId(),
            other.getGranteePrincipal(),
            other.getRetiringPrincipal(),
            other.getOperations(),
            other.getConstraints(),
            other.getGrantTokens(),
            other.getName(),
            other.getDryRun()
        };
        final Object[] mine = {
            this.getKeyId(),
            this.getGranteePrincipal(),
            this.getRetiringPrincipal(),
            this.getOperations(),
            this.getConstraints(),
            this.getGrantTokens(),
            this.getName(),
            this.getDryRun()
        };

        for (int i = 0; i < mine.length; i++) {
            if (theirs[i] == null) {
                if (mine[i] != null) {
                    return false;
                }
            } else if (mine[i] == null || !theirs[i].equals(mine[i])) {
                // equals is invoked on the other object's value, and only when
                // both sides are non-null.
                return false;
            }
        }
        return true;
    }
}