/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include namespace Aws { namespace Utils { namespace Json { class JsonValue; class JsonView; } // namespace Json } // namespace Utils namespace KMS { namespace Model { /** *

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric KMS key. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or RetireGrant.

*

In a cryptographic operation, the encryption context in the * decryption operation must be an exact, case-sensitive match for the keys and * values in the encryption context of the encryption operation. Only the order of * the pairs can vary.

However, in a grant constraint, the key in each * key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext:context-key and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext:context-key in the Key Management Service Developer Guide.

*

See Also:

AWS * API Reference

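*/
class GrantConstraints
{
public:
    /*
     * Construction from JSON, assignment from JSON, and serialization to JSON.
     * Only the declarations are in this header; the definitions live elsewhere.
     */
    AWS_KMS_API GrantConstraints();
    AWS_KMS_API GrantConstraints(Aws::Utils::Json::JsonView jsonValue);
    AWS_KMS_API GrantConstraints& operator=(Aws::Utils::Json::JsonView jsonValue);
    AWS_KMS_API Aws::Utils::Json::JsonValue Jsonize() const;

    /*
     * ---- EncryptionContextSubset ------------------------------------------
     *
     * Key-value pairs that must be included in the encryption context of the
     * cryptographic operation request. The request may carry additional pairs
     * and still satisfy the constraint, so this is the looser of the two
     * constraints; use EncryptionContextEquals when the request context must
     * be the same as the one given here.
     *
     * Notes for callers of the Add* overloads below:
     *  - They insert with emplace(). Assuming Aws::Map follows std::map
     *    semantics (TODO confirm against the Aws::Map definition), a key that
     *    is already present keeps its existing value and the new value is
     *    dropped without any error. Check for the key first, or replace the
     *    whole map with SetEncryptionContextSubset(), when the constraint is
     *    built from dynamic input.
     *  - Nothing in this class folds the case of keys, although the class
     *    documentation states that grant-constraint keys are not case
     *    sensitive. Pairs whose keys differ only by case are therefore not
     *    rejected or merged here (presumably they are stored as distinct
     *    entries; this depends on the Aws::Map comparator).
     *  - The const char* overloads hand the pointer to emplace(), which
     *    builds an Aws::String from it; pass only non-null, NUL-terminated
     *    strings.
     */

    /** Returns the pairs currently stored for the EncryptionContextSubset constraint. */
    inline const Aws::Map<Aws::String, Aws::String>& GetEncryptionContextSubset() const
    {
        return m_encryptionContextSubset;
    }

    /**
     * Returns true once any Set/With/Add call for EncryptionContextSubset has
     * been made on this object. The flag records that a call happened, not
     * that the map is non-empty: setting an empty map also turns it on.
     */
    inline bool EncryptionContextSubsetHasBeenSet() const
    {
        return m_encryptionContextSubsetHasBeenSet;
    }

    /** Replaces the EncryptionContextSubset pairs with a copy of value. */
    inline void SetEncryptionContextSubset(const Aws::Map<Aws::String, Aws::String>& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset = value;
    }

    /** Replaces the EncryptionContextSubset pairs, moving from value. */
    inline void SetEncryptionContextSubset(Aws::Map<Aws::String, Aws::String>&& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset = std::move(value);
    }

    /** Chaining form of SetEncryptionContextSubset (copy); returns *this. */
    inline GrantConstraints& WithEncryptionContextSubset(const Aws::Map<Aws::String, Aws::String>& value)
    {
        SetEncryptionContextSubset(value);
        return *this;
    }

    /** Chaining form of SetEncryptionContextSubset (move); returns *this. */
    inline GrantConstraints& WithEncryptionContextSubset(Aws::Map<Aws::String, Aws::String>&& value)
    {
        SetEncryptionContextSubset(std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset via emplace(); returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(const Aws::String& key, const Aws::String& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(key, value);
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset, moving the key; returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(Aws::String&& key, const Aws::String& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(std::move(key), value);
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset, moving the value; returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(const Aws::String& key, Aws::String&& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(key, std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset, moving key and value; returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(Aws::String&& key, Aws::String&& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(std::move(key), std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset from a C-string key and a moved value; returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(const char* key, Aws::String&& value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(key, std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset from a moved key and a C-string value; returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(Aws::String&& key, const char* value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(std::move(key), value);
        return *this;
    }

    /** Adds one pair to EncryptionContextSubset from two C strings; returns *this. */
    inline GrantConstraints& AddEncryptionContextSubset(const char* key, const char* value)
    {
        m_encryptionContextSubsetHasBeenSet = true;
        m_encryptionContextSubset.emplace(key, value);
        return *this;
    }

    /*
     * ---- EncryptionContextEquals ------------------------------------------
     *
     * Key-value pairs that must match the encryption context in the
     * cryptographic operation request. The grant allows the operation only
     * when the encryption context in the request is the same as the one
     * specified in this constraint.
     *
     * The Add* overloads behave like their EncryptionContextSubset
     * counterparts: they insert with emplace(), so (assuming std::map
     * semantics for Aws::Map, TODO confirm) adding a key that is already
     * present leaves the stored value unchanged and reports nothing; keys are
     * not case-folded by this class; const char* arguments must be non-null.
     */

    /** Returns the pairs currently stored for the EncryptionContextEquals constraint. */
    inline const Aws::Map<Aws::String, Aws::String>& GetEncryptionContextEquals() const
    {
        return m_encryptionContextEquals;
    }

    /**
     * Returns true once any Set/With/Add call for EncryptionContextEquals has
     * been made on this object, including a call that set an empty map.
     */
    inline bool EncryptionContextEqualsHasBeenSet() const
    {
        return m_encryptionContextEqualsHasBeenSet;
    }

    /** Replaces the EncryptionContextEquals pairs with a copy of value. */
    inline void SetEncryptionContextEquals(const Aws::Map<Aws::String, Aws::String>& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals = value;
    }

    /** Replaces the EncryptionContextEquals pairs, moving from value. */
    inline void SetEncryptionContextEquals(Aws::Map<Aws::String, Aws::String>&& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals = std::move(value);
    }

    /** Chaining form of SetEncryptionContextEquals (copy); returns *this. */
    inline GrantConstraints& WithEncryptionContextEquals(const Aws::Map<Aws::String, Aws::String>& value)
    {
        SetEncryptionContextEquals(value);
        return *this;
    }

    /** Chaining form of SetEncryptionContextEquals (move); returns *this. */
    inline GrantConstraints& WithEncryptionContextEquals(Aws::Map<Aws::String, Aws::String>&& value)
    {
        SetEncryptionContextEquals(std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals via emplace(); returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(const Aws::String& key, const Aws::String& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(key, value);
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals, moving the key; returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(Aws::String&& key, const Aws::String& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(std::move(key), value);
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals, moving the value; returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(const Aws::String& key, Aws::String&& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(key, std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals, moving key and value; returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(Aws::String&& key, Aws::String&& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(std::move(key), std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals from a C-string key and a moved value; returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(const char* key, Aws::String&& value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(key, std::move(value));
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals from a moved key and a C-string value; returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(Aws::String&& key, const char* value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(std::move(key), value);
        return *this;
    }

    /** Adds one pair to EncryptionContextEquals from two C strings; returns *this. */
    inline GrantConstraints& AddEncryptionContextEquals(const char* key, const char* value)
    {
        m_encryptionContextEqualsHasBeenSet = true;
        m_encryptionContextEquals.emplace(key, value);
        return *this;
    }

private:
    // Pairs for the "must be included" constraint, plus the flag that any
    // setter or adder for it has been called.
    Aws::Map<Aws::String, Aws::String> m_encryptionContextSubset;
    bool m_encryptionContextSubsetHasBeenSet = false;

    // Pairs for the "must match" constraint, plus the flag that any setter or
    // adder for it has been called.
    Aws::Map<Aws::String, Aws::String> m_encryptionContextEquals;
    bool m_encryptionContextEqualsHasBeenSet = false;
};

} // namespace Model
} // namespace KMS
} // namespace Aws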