Smaws_Client_KMS.RetireGrantval request :
Smaws_Lib.Context.t ->
retire_grant_request ->
(unit,
[> Smaws_Lib.Protocols.AwsJson.error
| `DependencyTimeoutException of dependency_timeout_exception
| `DryRunOperationException of dry_run_operation_exception
| `InvalidArnException of invalid_arn_exception
| `InvalidGrantIdException of invalid_grant_id_exception
| `InvalidGrantTokenException of invalid_grant_token_exception
| `KMSInternalException of kms_internal_exception
| `KMSInvalidStateException of kms_invalid_state_exception
| `NotFoundException of not_found_exception ])
Stdlib.resultDeletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.
This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.
For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of working with grants in several programming languages, see Programming grants.
Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.
Required permissions: Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.
Related operations:
CreateGrantListGrantsListRetirableGrantsRevokeGrantEventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.