/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include #include #include #include namespace Aws { namespace KMS { namespace Model { /** */ class CreateGrantRequest : public KMSRequest { public: AWS_KMS_API CreateGrantRequest(); // Service request name is the Operation name which will send this request out, // each operation should has unique request name, so that we can get operation's name from this request. // Note: this is not true for response, multiple operations may have the same response name, // so we can not get operation's name from response. inline virtual const char* GetServiceRequestName() const override { return "CreateGrant"; } AWS_KMS_API Aws::String SerializePayload() const override; AWS_KMS_API Aws::Http::HeaderValueCollection GetRequestSpecificHeaders() const override; /** *

Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.

Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

*/
    // Hands back the stored key identifier (key ID or key ARN) by const
    // reference; no copy is made.
    inline const Aws::String& GetKeyId() const
    {
        return this->m_keyId;
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // Reports the m_keyIdHasBeenSet flag, which every SetKeyId overload raises.
    inline bool KeyIdHasBeenSet() const
    {
        return this->m_keyIdHasBeenSet;
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // Copies value into the request and marks the field as set. The string is
    // stored as given: nothing here checks that it is a well-formed key ID or
    // key ARN.
    inline void SetKeyId(const Aws::String& value)
    {
        m_keyIdHasBeenSet = true;
        m_keyId = value;
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // Rvalue overload: moves value into the member instead of copying it,
    // and marks the field as set.
    inline void SetKeyId(Aws::String&& value)
    {
        m_keyIdHasBeenSet = true;
        m_keyId = std::move(value);
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // C-string overload. value goes straight to assign() with no null check.
    // NOTE(review): presumably Aws::String follows std::basic_string, where a
    // null pointer here is undefined behaviour; callers must pass a valid
    // NUL-terminated string. Confirm against the Aws::String definition.
    inline void SetKeyId(const char* value)
    {
        m_keyIdHasBeenSet = true;
        m_keyId.assign(value);
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // Fluent form of SetKeyId(const Aws::String&): stores the key identifier
    // and returns this request so calls can be chained.
    inline CreateGrantRequest& WithKeyId(const Aws::String& value)
    {
        SetKeyId(value);
        return *this;
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // Fluent form of SetKeyId(Aws::String&&): forwards value as an rvalue so
    // it is moved, then returns this request for chaining.
    inline CreateGrantRequest& WithKeyId(Aws::String&& value)
    {
        SetKeyId(std::move(value));
        return *this;
    }

    /** *

Identifies the KMS key for the grant. The grant gives principals permission * to use this KMS key.

Specify the key ID or key ARN of the KMS key. To * specify a KMS key in a different Amazon Web Services account, you must use the * key ARN.

For example:

  • Key ID: * 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: * arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab *

To get the key ID and key ARN for a KMS key, use * ListKeys or DescribeKey.

*/
    // Fluent form of SetKeyId(const char*); the same requirement applies:
    // value is passed on unchecked, so it must be a valid C string.
    inline CreateGrantRequest& WithKeyId(const char* value)
    {
        SetKeyId(value);
        return *this;
    }

    /** *

The identity that gets the permissions specified in the grant.

To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs in the Identity and Access Management User Guide.

*/
    // Hands back the stored grantee principal by const reference; no copy is made.
    inline const Aws::String& GetGranteePrincipal() const
    {
        return this->m_granteePrincipal;
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // Reports the m_granteePrincipalHasBeenSet flag, which every
    // SetGranteePrincipal overload raises.
    inline bool GranteePrincipalHasBeenSet() const
    {
        return this->m_granteePrincipalHasBeenSet;
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // Copies value into the request and marks the field as set. No ARN
    // validation happens here. The value names who receives the grant's
    // permissions, so validate it before it reaches this setter whenever it
    // originates outside the program.
    inline void SetGranteePrincipal(const Aws::String& value)
    {
        m_granteePrincipalHasBeenSet = true;
        m_granteePrincipal = value;
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // Rvalue overload: moves value into the member instead of copying it,
    // and marks the field as set. The string is stored unvalidated.
    inline void SetGranteePrincipal(Aws::String&& value)
    {
        m_granteePrincipalHasBeenSet = true;
        m_granteePrincipal = std::move(value);
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // C-string overload. value goes straight to assign() with no null check.
    // NOTE(review): presumably Aws::String follows std::basic_string, where a
    // null pointer here is undefined behaviour; callers must pass a valid
    // NUL-terminated string. Confirm against the Aws::String definition.
    inline void SetGranteePrincipal(const char* value)
    {
        m_granteePrincipalHasBeenSet = true;
        m_granteePrincipal.assign(value);
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // Fluent form of SetGranteePrincipal(const Aws::String&): stores the
    // principal and returns this request so calls can be chained.
    inline CreateGrantRequest& WithGranteePrincipal(const Aws::String& value)
    {
        SetGranteePrincipal(value);
        return *this;
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // Fluent form of SetGranteePrincipal(Aws::String&&): forwards value as an
    // rvalue so it is moved, then returns this request for chaining.
    inline CreateGrantRequest& WithGranteePrincipal(Aws::String&& value)
    {
        SetGranteePrincipal(std::move(value));
        return *this;
    }

    /** *

The identity that gets the permissions specified in the grant.

To * specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon * Web Services principal. Valid principals include Amazon Web Services accounts, * IAM users, IAM roles, federated users, and assumed role users. For help with the * ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*/
    // Fluent form of SetGranteePrincipal(const char*); value is passed on
    // unchecked, so it must be a valid C string.
    inline CreateGrantRequest& WithGranteePrincipal(const char* value)
    {
        SetGranteePrincipal(value);
        return *this;
    }

    /** *

The principal that has permission to use the RetireGrant operation to retire the grant.

To specify the principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs in the Identity and Access Management User Guide.

*

The grant determines the retiring principal. Other principals might have permission to retire the grant or revoke the grant. For details, see RevokeGrant and Retiring and revoking grants in the Key Management Service Developer Guide.

*/
    // Hands back the stored retiring principal by const reference; no copy is made.
    inline const Aws::String& GetRetiringPrincipal() const
    {
        return this->m_retiringPrincipal;
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // Reports the m_retiringPrincipalHasBeenSet flag, which every
    // SetRetiringPrincipal overload raises.
    inline bool RetiringPrincipalHasBeenSet() const
    {
        return this->m_retiringPrincipalHasBeenSet;
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // Copies value into the request and marks the field as set. The string is
    // stored as given; no ARN validation happens here.
    inline void SetRetiringPrincipal(const Aws::String& value)
    {
        m_retiringPrincipalHasBeenSet = true;
        m_retiringPrincipal = value;
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // Rvalue overload: moves value into the member instead of copying it,
    // and marks the field as set.
    inline void SetRetiringPrincipal(Aws::String&& value)
    {
        m_retiringPrincipalHasBeenSet = true;
        m_retiringPrincipal = std::move(value);
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // C-string overload. value goes straight to assign() with no null check.
    // NOTE(review): presumably Aws::String follows std::basic_string, where a
    // null pointer here is undefined behaviour; callers must pass a valid
    // NUL-terminated string. Confirm against the Aws::String definition.
    inline void SetRetiringPrincipal(const char* value)
    {
        m_retiringPrincipalHasBeenSet = true;
        m_retiringPrincipal.assign(value);
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // Fluent form of SetRetiringPrincipal(const Aws::String&): stores the
    // principal and returns this request so calls can be chained.
    inline CreateGrantRequest& WithRetiringPrincipal(const Aws::String& value)
    {
        SetRetiringPrincipal(value);
        return *this;
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // Fluent form of SetRetiringPrincipal(Aws::String&&): forwards value as
    // an rvalue so it is moved, then returns this request for chaining.
    inline CreateGrantRequest& WithRetiringPrincipal(Aws::String&& value)
    {
        SetRetiringPrincipal(std::move(value));
        return *this;
    }

    /** *

The principal that has permission to use the RetireGrant operation to * retire the grant.

To specify the principal, use the Amazon * Resource Name (ARN) of an Amazon Web Services principal. Valid principals * include Amazon Web Services accounts, IAM users, IAM roles, federated users, and * assumed role users. For help with the ARN syntax for a principal, see IAM * ARNs in the Identity and Access Management User Guide .

*

The grant determines the retiring principal. Other principals might have * permission to retire the grant or revoke the grant. For details, see * RevokeGrant and Retiring * and revoking grants in the Key Management Service Developer Guide. *

*/
    // Fluent form of SetRetiringPrincipal(const char*); value is passed on
    // unchecked, so it must be a valid C string.
    inline CreateGrantRequest& WithRetiringPrincipal(const char* value)
    {
        SetRetiringPrincipal(value);
        return *this;
    }

    /** *

A list of operations that the grant permits.

This list must include only operations that are permitted in a grant. Also, the operation must be supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the Sign operation, or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. If you try, KMS returns a ValidationError exception. For details, see Grant operations in the Key Management Service Developer Guide.

*/
    // Hands back the stored operation list by const reference; no copy is made.
    // NOTE(review): Aws::Vector appears without its element type on this page
    // (template arguments lost); presumably GrantOperation, as AddOperations
    // pushes that type. Confirm before compiling.
    inline const Aws::Vector& GetOperations() const
    {
        return this->m_operations;
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Reports the m_operationsHasBeenSet flag, which SetOperations and
    // AddOperations raise.
    inline bool OperationsHasBeenSet() const
    {
        return this->m_operationsHasBeenSet;
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Replaces the whole operation list with a copy of value and marks the
    // field as set. Nothing is checked client-side; per the field
    // documentation KMS answers unsupported operations with a ValidationError.
    inline void SetOperations(const Aws::Vector& value)
    {
        m_operationsHasBeenSet = true;
        m_operations = value;
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Rvalue overload: replaces the whole operation list by moving value in,
    // and marks the field as set.
    inline void SetOperations(Aws::Vector&& value)
    {
        m_operationsHasBeenSet = true;
        m_operations = std::move(value);
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Fluent form of SetOperations(const Aws::Vector&): replaces the list and
    // returns this request so calls can be chained.
    inline CreateGrantRequest& WithOperations(const Aws::Vector& value)
    {
        SetOperations(value);
        return *this;
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Fluent form of SetOperations(Aws::Vector&&): forwards value as an
    // rvalue so it is moved, then returns this request for chaining.
    inline CreateGrantRequest& WithOperations(Aws::Vector&& value)
    {
        SetOperations(std::move(value));
        return *this;
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Appends one operation to the list, marks the field as set and returns
    // this request for chaining. Each call widens what the grant permits;
    // duplicates are not filtered and nothing is validated client-side.
    inline CreateGrantRequest& AddOperations(const GrantOperation& value)
    {
        m_operationsHasBeenSet = true;
        m_operations.push_back(value);
        return *this;
    }

    /** *

A list of operations that the grant permits.

This list must include * only operations that are permitted in a grant. Also, the operation must be * supported on the KMS key. For example, you cannot create a grant for a symmetric * encryption KMS key that allows the Sign operation, or a grant for an * asymmetric KMS key that allows the GenerateDataKey operation. If you try, * KMS returns a ValidationError exception. For details, see Grant * operations in the Key Management Service Developer Guide.

*/
    // Rvalue overload of AddOperations: appends by moving value into the
    // list, marks the field as set and returns this request for chaining.
    inline CreateGrantRequest& AddOperations(GrantOperation&& value)
    {
        m_operationsHasBeenSet = true;
        m_operations.push_back(std::move(value));
        return *this;
    }

    /** *

Specifies a grant constraint.

Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.

KMS supports the EncryptionContextEquals and EncryptionContextSubset grant constraints, which allow the permissions in the grant only when the encryption context in the request matches (EncryptionContextEquals) or includes (EncryptionContextSubset) the encryption context specified in the constraint.

The encryption context grant constraints are supported only on grant operations that include an EncryptionContext parameter, such as cryptographic operations on symmetric encryption KMS keys. Grants with grant constraints can include the DescribeKey and RetireGrant operations, but the constraint doesn't apply to these operations. If a grant with a grant constraint includes the CreateGrant operation, the constraint requires that any grants created with the CreateGrant permission have an equally strict or stricter encryption context constraint.

*

You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't support an encryption context.

Each constraint value can include up to 8 encryption context pairs. The encryption context value in each constraint cannot exceed 384 characters. For information about grant constraints, see Using grant constraints in the Key Management Service Developer Guide. For more information about encryption context, see Encryption context in the Key Management Service Developer Guide.

*/
    // Hands back the stored grant constraints by const reference; no copy is made.
    inline const GrantConstraints& GetConstraints() const
    {
        return this->m_constraints;
    }

    /** *

Specifies a grant constraint.

Do not include confidential * or sensitive information in this field. This field may be displayed in plaintext * in CloudTrail logs and other output.

KMS supports the * EncryptionContextEquals and EncryptionContextSubset * grant constraints, which allow the permissions in the grant only when the * encryption context in the request matches (EncryptionContextEquals) * or includes (EncryptionContextSubset) the encryption context * specified in the constraint.

The encryption context grant constraints * are supported only on grant * operations that include an EncryptionContext parameter, such as * cryptographic operations on symmetric encryption KMS keys. Grants with grant * constraints can include the DescribeKey and RetireGrant * operations, but the constraint doesn't apply to these operations. If a grant * with a grant constraint includes the CreateGrant operation, the * constraint requires that any grants created with the CreateGrant * permission have an equally strict or stricter encryption context constraint.

*

You cannot use an encryption context grant constraint for cryptographic * operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys * don't support an encryption context.

Each constraint value can include up * to 8 encryption context pairs. The encryption context value in each constraint * cannot exceed 384 characters. For information about grant constraints, see Using * grant constraints in the Key Management Service Developer Guide. For * more information about encryption context, see Encryption * context in the Key Management Service Developer Guide .

*/
    // Reports the m_constraintsHasBeenSet flag, which every SetConstraints
    // overload raises.
    inline bool ConstraintsHasBeenSet() const
    {
        return this->m_constraintsHasBeenSet;
    }

    /** *

Specifies a grant constraint.

Do not include confidential * or sensitive information in this field. This field may be displayed in plaintext * in CloudTrail logs and other output.

KMS supports the * EncryptionContextEquals and EncryptionContextSubset * grant constraints, which allow the permissions in the grant only when the * encryption context in the request matches (EncryptionContextEquals) * or includes (EncryptionContextSubset) the encryption context * specified in the constraint.

The encryption context grant constraints * are supported only on grant * operations that include an EncryptionContext parameter, such as * cryptographic operations on symmetric encryption KMS keys. Grants with grant * constraints can include the DescribeKey and RetireGrant * operations, but the constraint doesn't apply to these operations. If a grant * with a grant constraint includes the CreateGrant operation, the * constraint requires that any grants created with the CreateGrant * permission have an equally strict or stricter encryption context constraint.

*

You cannot use an encryption context grant constraint for cryptographic * operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys * don't support an encryption context.

Each constraint value can include up * to 8 encryption context pairs. The encryption context value in each constraint * cannot exceed 384 characters. For information about grant constraints, see Using * grant constraints in the Key Management Service Developer Guide. For * more information about encryption context, see Encryption * context in the Key Management Service Developer Guide .

*/
    // Copies value into the request and marks the field as set. Per the field
    // documentation the constraint may be shown in plaintext in CloudTrail
    // logs and other output, so it must not carry secrets.
    inline void SetConstraints(const GrantConstraints& value)
    {
        m_constraintsHasBeenSet = true;
        m_constraints = value;
    }

    /** *

Specifies a grant constraint.

Do not include confidential * or sensitive information in this field. This field may be displayed in plaintext * in CloudTrail logs and other output.

KMS supports the * EncryptionContextEquals and EncryptionContextSubset * grant constraints, which allow the permissions in the grant only when the * encryption context in the request matches (EncryptionContextEquals) * or includes (EncryptionContextSubset) the encryption context * specified in the constraint.

The encryption context grant constraints * are supported only on grant * operations that include an EncryptionContext parameter, such as * cryptographic operations on symmetric encryption KMS keys. Grants with grant * constraints can include the DescribeKey and RetireGrant * operations, but the constraint doesn't apply to these operations. If a grant * with a grant constraint includes the CreateGrant operation, the * constraint requires that any grants created with the CreateGrant * permission have an equally strict or stricter encryption context constraint.

*

You cannot use an encryption context grant constraint for cryptographic * operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys * don't support an encryption context.

Each constraint value can include up * to 8 encryption context pairs. The encryption context value in each constraint * cannot exceed 384 characters. For information about grant constraints, see Using * grant constraints in the Key Management Service Developer Guide. For * more information about encryption context, see Encryption * context in the Key Management Service Developer Guide .

*/
    // Rvalue overload: moves value into the member instead of copying it,
    // and marks the field as set. Per the field documentation the constraint
    // may appear in plaintext in logs, so it must not carry secrets.
    inline void SetConstraints(GrantConstraints&& value)
    {
        m_constraintsHasBeenSet = true;
        m_constraints = std::move(value);
    }

    /** *

Specifies a grant constraint.

Do not include confidential * or sensitive information in this field. This field may be displayed in plaintext * in CloudTrail logs and other output.

KMS supports the * EncryptionContextEquals and EncryptionContextSubset * grant constraints, which allow the permissions in the grant only when the * encryption context in the request matches (EncryptionContextEquals) * or includes (EncryptionContextSubset) the encryption context * specified in the constraint.

The encryption context grant constraints * are supported only on grant * operations that include an EncryptionContext parameter, such as * cryptographic operations on symmetric encryption KMS keys. Grants with grant * constraints can include the DescribeKey and RetireGrant * operations, but the constraint doesn't apply to these operations. If a grant * with a grant constraint includes the CreateGrant operation, the * constraint requires that any grants created with the CreateGrant * permission have an equally strict or stricter encryption context constraint.

*

You cannot use an encryption context grant constraint for cryptographic * operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys * don't support an encryption context.

Each constraint value can include up * to 8 encryption context pairs. The encryption context value in each constraint * cannot exceed 384 characters. For information about grant constraints, see Using * grant constraints in the Key Management Service Developer Guide. For * more information about encryption context, see Encryption * context in the Key Management Service Developer Guide .

*/
    // Fluent form of SetConstraints(const GrantConstraints&): stores the
    // constraint and returns this request so calls can be chained.
    inline CreateGrantRequest& WithConstraints(const GrantConstraints& value)
    {
        SetConstraints(value);
        return *this;
    }

    /** *

Specifies a grant constraint.

Do not include confidential * or sensitive information in this field. This field may be displayed in plaintext * in CloudTrail logs and other output.

KMS supports the * EncryptionContextEquals and EncryptionContextSubset * grant constraints, which allow the permissions in the grant only when the * encryption context in the request matches (EncryptionContextEquals) * or includes (EncryptionContextSubset) the encryption context * specified in the constraint.

The encryption context grant constraints * are supported only on grant * operations that include an EncryptionContext parameter, such as * cryptographic operations on symmetric encryption KMS keys. Grants with grant * constraints can include the DescribeKey and RetireGrant * operations, but the constraint doesn't apply to these operations. If a grant * with a grant constraint includes the CreateGrant operation, the * constraint requires that any grants created with the CreateGrant * permission have an equally strict or stricter encryption context constraint.

*

You cannot use an encryption context grant constraint for cryptographic * operations with asymmetric KMS keys or HMAC KMS keys. Operations with these keys * don't support an encryption context.

Each constraint value can include up * to 8 encryption context pairs. The encryption context value in each constraint * cannot exceed 384 characters. For information about grant constraints, see Using * grant constraints in the Key Management Service Developer Guide. For * more information about encryption context, see Encryption * context in the Key Management Service Developer Guide .

*/
    // Fluent form of SetConstraints(GrantConstraints&&): forwards value as an
    // rvalue so it is moved, then returns this request for chaining.
    inline CreateGrantRequest& WithConstraints(GrantConstraints&& value)
    {
        SetConstraints(std::move(value));
        return *this;
    }

    /** *

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

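*/
    inline const Aws::Vector<Aws::String>& GetGrantTokens() const
    {
        // Element type spelled out: the AddGrantTokens overloads push
        // Aws::String values into this list, and Aws::Vector needs its
        // template argument to be a complete type.
        // The reference points into this request object, so it is valid only
        // for as long as the request itself is alive.
        return m_grantTokens;
    }

    /** *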

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

*/
    inline bool GrantTokensHasBeenSet() const
    {
        // Reports the flag that every SetGrantTokens/AddGrantTokens overload
        // raises; it says nothing about whether the list is non-empty.
        return m_grantTokensHasBeenSet;
    }

    /** *

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

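*/
    inline void SetGrantTokens(const Aws::Vector<Aws::String>& value)
    {
        // Element type spelled out to match the Aws::String values that the
        // AddGrantTokens overloads store in the same member.
        // Marks the field as set, then replaces the whole list with a copy of
        // value; tokens stored earlier are discarded, not appended to.
        m_grantTokensHasBeenSet = true;
        m_grantTokens = value;
    }

    /** *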

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

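*/
    inline void SetGrantTokens(Aws::Vector<Aws::String>&& value)
    {
        // Element type spelled out to match the Aws::String values that the
        // AddGrantTokens overloads store in the same member.
        // Marks the field as set, then takes over value's storage by move;
        // tokens stored earlier are discarded, not appended to.
        m_grantTokensHasBeenSet = true;
        m_grantTokens = std::move(value);
    }

    /** *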

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

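*/
    inline CreateGrantRequest& WithGrantTokens(const Aws::Vector<Aws::String>& value)
    {
        // Element type spelled out to match the Aws::String values that the
        // AddGrantTokens overloads store in the same member.
        // Chaining form of SetGrantTokens: replaces the list with a copy of
        // value and returns this request for further With*/Add* calls.
        SetGrantTokens(value);
        return *this;
    }

    /** *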

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

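*/
    inline CreateGrantRequest& WithGrantTokens(Aws::Vector<Aws::String>&& value)
    {
        // Element type spelled out to match the Aws::String values that the
        // AddGrantTokens overloads store in the same member.
        // Chaining form of the rvalue SetGrantTokens: the list is moved in and
        // this request is returned for further With*/Add* calls.
        SetGrantTokens(std::move(value));
        return *this;
    }

    /** *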

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

*/
    inline CreateGrantRequest& AddGrantTokens(const Aws::String& value)
    {
        // Appends one token (copied) to the existing list rather than
        // replacing it, and marks the field as set.
        m_grantTokensHasBeenSet = true;
        m_grantTokens.push_back(value);
        return *this;
    }

    /** *

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

*/
    inline CreateGrantRequest& AddGrantTokens(Aws::String&& value)
    {
        // Appends one token to the existing list, moving it in so the caller's
        // string is not copied, and marks the field as set.
        m_grantTokensHasBeenSet = true;
        m_grantTokens.push_back(std::move(value));
        return *this;
    }

    /** *

A list of grant tokens.

Use a grant token when your permission to * call this operation comes from a new grant that has not yet achieved eventual * consistency. For more information, see Grant * token and Using * a grant token in the Key Management Service Developer Guide.

*/
    inline CreateGrantRequest& AddGrantTokens(const char* value)
    {
        // Appends one token built from a C string and marks the field as set.
        // Nothing here checks for nullptr: push_back converts the raw pointer
        // to the element type, so value must be a valid NUL-terminated string.
        m_grantTokensHasBeenSet = true;
        m_grantTokens.push_back(value);
        return *this;
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline const Aws::String& GetName() const
    {
        // Returns the stored name by reference; the reference is valid only
        // while this request object is alive.
        return m_name;
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline bool NameHasBeenSet() const
    {
        // Reports the flag that every SetName overload raises; an empty name
        // that was explicitly set still counts as set.
        return m_nameHasBeenSet;
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline void SetName(const Aws::String& value)
    {
        // The name is stored verbatim, with no validation or redaction here.
        // The field documentation warns that it may appear in plaintext in
        // CloudTrail logs, so callers must not pass secrets.
        m_nameHasBeenSet = true;
        m_name = value;
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline void SetName(Aws::String&& value)
    {
        // Move-in variant: the name is stored verbatim, with no validation or
        // redaction here. The field documentation warns that it may appear in
        // plaintext in CloudTrail logs, so callers must not pass secrets.
        m_nameHasBeenSet = true;
        m_name = std::move(value);
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline void SetName(const char* value)
    {
        // C-string variant. assign() receives the raw pointer with no null
        // check here, so value must be a valid NUL-terminated string.
        // The name is stored verbatim; the field documentation warns that it
        // may appear in plaintext in CloudTrail logs.
        m_nameHasBeenSet = true;
        m_name.assign(value);
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline CreateGrantRequest& WithName(const Aws::String& value)
    {
        // Chaining form of SetName(const Aws::String&): stores a copy of the
        // name and returns this request for further With*/Add* calls.
        SetName(value);
        return *this;
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline CreateGrantRequest& WithName(Aws::String&& value)
    {
        // Chaining form of SetName(Aws::String&&): the name is moved in and
        // this request is returned for further With*/Add* calls.
        SetName(std::move(value));
        return *this;
    }

    /** *

A friendly name for the grant. Use this value to prevent the unintended * creation of duplicate grants when retrying this request.

Do * not include confidential or sensitive information in this field. This field may * be displayed in plaintext in CloudTrail logs and other output.

*

When this value is absent, all CreateGrant requests result in a * new grant with a unique GrantId even if all the supplied parameters * are identical. This can result in unintended duplicates when you retry the * CreateGrant request.

When this value is present, you can * retry a CreateGrant request with identical parameters; if the grant * already exists, the original GrantId is returned without creating a * new grant. Note that the returned grant token is unique with every * CreateGrant request, even when a duplicate GrantId is * returned. All grant tokens for the same grant ID can be used * interchangeably.

*/
    inline CreateGrantRequest& WithName(const char* value)
    {
        // Chaining form of SetName(const char*). The pointer is passed through
        // unchecked, so it must be a valid NUL-terminated string.
        SetName(value);
        return *this;
    }

    /** *

Checks if your request will succeed. DryRun is an optional * parameter.

To learn more about how to use this parameter, see Testing * your KMS API calls in the Key Management Service Developer Guide.

*/
    inline bool GetDryRun() const
    {
        // Returns the stored flag whether or not SetDryRun() was ever called;
        // use DryRunHasBeenSet() to tell an explicit false from "not set".
        return m_dryRun;
    }

    /** *

Checks if your request will succeed. DryRun is an optional * parameter.

To learn more about how to use this parameter, see Testing * your KMS API calls in the Key Management Service Developer Guide.

*/
    inline bool DryRunHasBeenSet() const
    {
        // Reports the flag that SetDryRun() raises, independent of the value
        // it was given.
        return m_dryRunHasBeenSet;
    }

    /** *

Checks if your request will succeed. DryRun is an optional * parameter.

To learn more about how to use this parameter, see Testing * your KMS API calls in the Key Management Service Developer Guide.

*/
    inline void SetDryRun(bool value)
    {
        // Records that the caller chose a value (true or false) and stores it.
        m_dryRunHasBeenSet = true;
        m_dryRun = value;
    }

    /** *

Checks if your request will succeed. DryRun is an optional * parameter.

To learn more about how to use this parameter, see Testing * your KMS API calls in the Key Management Service Developer Guide.

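*/
    inline CreateGrantRequest& WithDryRun(bool value)
    {
        // Chaining form of SetDryRun: stores the flag and returns this request
        // for further With*/Add* calls.
        SetDryRun(value);
        return *this;
    }

  private:

    // Each request field is paired with a "HasBeenSet" flag that starts false
    // and is raised by the field's setters.
    Aws::String m_keyId;
    bool m_keyIdHasBeenSet = false;

    Aws::String m_granteePrincipal;
    bool m_granteePrincipalHasBeenSet = false;

    Aws::String m_retiringPrincipal;
    bool m_retiringPrincipalHasBeenSet = false;

    Aws::Vector<GrantOperation> m_operations;
    bool m_operationsHasBeenSet = false;

    GrantConstraints m_constraints;
    bool m_constraintsHasBeenSet = false;

    // Holds the Aws::String values pushed by the AddGrantTokens overloads.
    Aws::Vector<Aws::String> m_grantTokens;
    bool m_grantTokensHasBeenSet = false;

    Aws::String m_name;
    bool m_nameHasBeenSet = false;

    // Default member initializer so GetDryRun() never reads an indeterminate
    // bool when SetDryRun() was not called. The constructor is defined outside
    // this header and may set the member as well; a constructor initializer
    // takes precedence over this default.
    bool m_dryRun = false;
    bool m_dryRunHasBeenSet = false;
  };

} // namespace Model
} // namespace KMS
} // namespace Aws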