retireGrant method

Future<void> retireGrant({
  String? grantId,
  String? grantToken,
  String? keyId,
})

Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:

  • The AWS account (root user) under which the grant was created
  • The RetiringPrincipal, if present in the grant
  • The GranteePrincipal, if RetireGrant is an operation specified in the grant

You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded string. A grant ID is a 64-character unique identifier of a grant. The CreateGrant operation returns both.

Cross-account use: Yes. You can retire a grant on a CMK in a different AWS account.

Required permissions: Permission to retire a grant is specified in the grant. You cannot control access to this operation in a policy. For more information, see Using grants in the AWS Key Management Service Developer Guide.

Related operations:

May throw InvalidArnException. May throw InvalidGrantTokenException. May throw InvalidGrantIdException. May throw NotFoundException. May throw DependencyTimeoutException. May throw KMSInternalException. May throw KMSInvalidStateException.

Parameter grantId : Unique identifier of the grant to retire. The grant ID is returned in the response to a CreateGrant operation.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

Parameter grantToken : Token that identifies the grant to be retired.

Parameter keyId : The Amazon Resource Name (ARN) of the CMK associated with the grant.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

Implementation

Future<void> retireGrant({
  String? grantId,
  String? grantToken,
  String? keyId,
}) async {
  _s.validateStringLength(
    'grantId',
    grantId,
    1,
    128,
  );
  _s.validateStringLength(
    'grantToken',
    grantToken,
    1,
    8192,
  );
  _s.validateStringLength(
    'keyId',
    keyId,
    1,
    2048,
  );
  final headers = <String, String>{
    'Content-Type': 'application/x-amz-json-1.1',
    'X-Amz-Target': 'TrentService.RetireGrant'
  };
  await _protocol.send(
    method: 'POST',
    requestUri: '/',
    exceptionFnMap: _exceptionFns,
    // TODO queryParams
    headers: headers,
    payload: {
      if (grantId != null) 'GrantId': grantId,
      if (grantToken != null) 'GrantToken': grantToken,
      if (keyId != null) 'KeyId': keyId,
    },
  );
}
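
The implementation above only checks string lengths and sends whichever fields are non-null, so the rule that a grant is identified by its token or by the grant ID plus the CMK ARN is left to the caller. The following is an added example, not part of this package: a hypothetical helper, `checkRetireGrantArgs`, that enforces that rule before the call. Refusing a token mixed with the other fields is this example's own conservative assumption.

```dart
/// Which of the two documented forms identifies the grant.
enum GrantSelector { token, idAndKeyArn }

/// Hypothetical pre-flight check (added example, not part of the client).
/// Throws [ArgumentError] unless the arguments identify a grant by token,
/// or by the 64-character grant ID together with the CMK ARN.
GrantSelector checkRetireGrantArgs({
  String? grantId,
  String? grantToken,
  String? keyId,
}) {
  if (grantToken != null) {
    // Assumption of this example: refuse mixed forms instead of guessing
    // which identifier the service would honour.
    if (grantId != null || keyId != null) {
      throw ArgumentError('pass grantToken alone, or grantId with keyId');
    }
    if (grantToken.isEmpty) {
      throw ArgumentError.value(grantToken, 'grantToken', 'must not be empty');
    }
    return GrantSelector.token;
  }
  if (grantId == null || keyId == null) {
    throw ArgumentError('grantId and keyId must be supplied together');
  }
  if (grantId.length != 64) {
    throw ArgumentError.value(grantId, 'grantId', 'must be 64 characters');
  }
  // The page requires the key ARN here; a bare key ID or alias is rejected.
  if (!keyId.startsWith('arn:') || !keyId.contains(':key/')) {
    throw ArgumentError.value(keyId, 'keyId', 'must be a CMK ARN');
  }
  return GrantSelector.idAndKeyArn;
}

void main() {
  // Sample values are the ones shown in the parameter documentation above.
  final form = checkRetireGrantArgs(
    grantId: '0123456789012345678901234567890123456789012345678901234567890123',
    keyId: 'arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab',
  );
  print('selector: $form');

  try {
    checkRetireGrantArgs(grantId: '0123'); // no key ARN: caught locally
  } on ArgumentError catch (e) {
    print('rejected: ${e.message}');
  }
}
```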