
Resource: awsKmsGrant

Provides a resource-based access control mechanism for a KMS customer master key.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
This snippet runs inside a TerraformStack constructor, so `this` is the stack.*/
import * as aws from "./.gen/providers/aws";
// The customer master key that the grant will apply to.
const awsKmsKeyA = new aws.kmsKey.KmsKey(this, "a", {});
// Trust policy letting Lambda assume the role that will receive the grant.
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              // identifiers is a list of strings
              identifiers: ["lambda.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const awsIamRoleA = new aws.iamRole.IamRole(this, "a_2", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "iam-role-for-grant",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRoleA.overrideLogicalId("a");
// Grant the role Encrypt/Decrypt/GenerateDataKey on the key, but only for
// requests whose encryption context is exactly { department: "Finance" }.
const awsKmsGrantA = new aws.kmsGrant.KmsGrant(this, "a_3", {
  constraints: [
    {
      // encryptionContextEquals is a map of key-value pairs, not a list
      encryptionContextEquals: {
        department: "Finance",
      },
    },
  ],
  granteePrincipal: awsIamRoleA.arn,
  keyId: awsKmsKeyA.keyId,
  name: "my-grant",
  operations: ["Encrypt", "Decrypt", "GenerateDataKey"],
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsKmsGrantA.overrideLogicalId("a");

Argument Reference

The following arguments are supported:

  • name - (Optional, Forces new resources) A friendly name for identifying the grant.
  • keyId - (Required, Forces new resources) The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
  • granteePrincipal - (Required, Forces new resources) The principal, in ARN format, that is given permission to perform the operations that the grant permits. Note that due to eventual consistency issues around IAM principals, Terraform's state may not always be refreshed to reflect what is true in AWS.
  • operations - (Required, Forces new resources) A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, or GenerateDataKeyPairWithoutPlaintext.
  • retiringPrincipal - (Optional, Forces new resources) The principal, in ARN format, that is given permission to retire the grant by using the RetireGrant operation. Note that due to eventual consistency issues around IAM principals, Terraform's state may not always be refreshed to reflect what is true in AWS.
  • constraints - (Optional, Forces new resources) A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.
  • grantCreationTokens - (Optional, Forces new resources) A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.
  • retireOnDelete - (Optional, Defaults to false, Forces new resources) If set to false (the default) the grant is revoked upon deletion; if set to true the grant is retired upon deletion instead. Note that retiring grants requires special permissions, which is why the default is to revoke. See RetireGrant for more information.

The constraints block supports the following arguments:

  • encryptionContextEquals - (Optional) A list of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with encryptionContextSubset.
  • encryptionContextSubset - (Optional) A list of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with encryptionContextEquals.
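The two constraint types above behave differently: encryptionContextEquals requires the request's encryption context to match exactly, while encryptionContextSubset only requires the listed pairs to be present. The following TypeScript is an added example, not code from the provider or its documentation: it models that evaluation, together with the permitted operations list and the equals/subset conflict from the argument reference, so a grant spec can be checked before it is applied. The function names and the constructed sample grant are assumptions made here, and the model treats every constraint block in the list as having to be satisfied.

```typescript
// Added example: a model of KMS grant constraint evaluation and a lint for
// grant specs. Not part of the provider; names below are this example's own.

// Operation names accepted by the grant (from the argument reference).
export const KMS_GRANT_OPERATIONS: ReadonlySet<string> = new Set([
  "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
  "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey",
  "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair",
  "GenerateDataKeyPairWithoutPlaintext",
]);

// Mirrors the shape of the provider's `constraints` block.
export interface GrantConstraints {
  encryptionContextEquals?: Record<string, string>;
  encryptionContextSubset?: Record<string, string>;
}

// The subset of a KmsGrant config that this lint looks at.
export interface GrantSpec {
  operations: string[];
  constraints?: GrantConstraints[];
}

// Returns the problems found in a grant spec; an empty array means it is valid.
export function validateGrant(spec: GrantSpec): string[] {
  const problems: string[] = [];
  if (spec.operations.length === 0) {
    problems.push("operations must not be empty");
  }
  for (const op of spec.operations) {
    if (!KMS_GRANT_OPERATIONS.has(op)) {
      problems.push(`unknown operation: ${op}`);
    }
  }
  for (const c of spec.constraints || []) {
    if (c.encryptionContextEquals && c.encryptionContextSubset) {
      problems.push("encryptionContextEquals conflicts with encryptionContextSubset");
    }
  }
  return problems;
}

// Exact-match semantics: same keys, same values, nothing extra on either side.
function contextEquals(want: Record<string, string>, have: Record<string, string>): boolean {
  const wantKeys = Object.keys(want);
  return wantKeys.length === Object.keys(have).length &&
    wantKeys.every((k) => have[k] === want[k]);
}

// Subset semantics: every required pair is present; extra pairs are allowed.
function contextIncludes(want: Record<string, string>, have: Record<string, string>): boolean {
  return Object.keys(want).every((k) => have[k] === want[k]);
}

// Would a cryptographic request carrying requestContext pass the grant's
// constraints? A grant with no constraints accepts any context, even an empty one.
export function constraintsAllow(
  constraints: GrantConstraints[] | undefined,
  requestContext: Record<string, string>,
): boolean {
  for (const c of constraints || []) {
    if (c.encryptionContextEquals && !contextEquals(c.encryptionContextEquals, requestContext)) {
      return false;
    }
    if (c.encryptionContextSubset && !contextIncludes(c.encryptionContextSubset, requestContext)) {
      return false;
    }
  }
  return true;
}

// Constructed sample: the grant from the usage example above.
export const SAMPLE_GRANT: GrantSpec = {
  operations: ["Encrypt", "Decrypt", "GenerateDataKey"],
  constraints: [{ encryptionContextEquals: { department: "Finance" } }],
};
```

Running validateGrant over SAMPLE_GRANT returns no problems, and constraintsAllow shows the practical difference: with encryptionContextEquals a request whose context is { department: "Finance", project: "x" } is refused, whereas the same constraint expressed as encryptionContextSubset accepts it. That is the decision to make when scoping a grant: equals pins the grant to one exact context, subset tolerates callers that add their own pairs.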

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • grantId - The unique identifier for the grant.
  • grantToken - The grant token for the created grant. For more information, see Grant Tokens.

Import

KMS Grants can be imported using the Key ID and Grant ID separated by a colon (:), e.g.,

$ terraform import aws_kms_grant.test 1234abcd-12ab-34cd-56ef-1234567890ab:abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514