kms/aws.sdk.kotlin.services.kms/retireGrant

retireGrant

inline suspend fun KmsClient.retireGrant(crossinline block: RetireGrantRequest.Builder.() -> Unit): RetireGrantResponse

Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.

This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of creating grants in several programming languages, see Use CreateGrant with an Amazon Web Services SDK or CLI.

Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.

Required permissions: Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

Related operations:

  • CreateGrant

  • ListGrants

  • ListRetirableGrants

  • RevokeGrant

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Samples


fun main() { 
   //sampleStart 
   // The following example retires a grant.
kmsClient.retireGrant {
    keyId = "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    grantId = "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60"
} 
   //sampleEnd
}
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. Generated by dokka