/*
* Copyright 2019-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package com.amazonaws.services.kms.model;
import java.io.Serializable;
import javax.annotation.Generated;
import com.amazonaws.AmazonWebServiceRequest;
/**
*
* @see "AWS API Documentation"
*/
@Generated("com.amazonaws:aws-java-sdk-code-generator")
public class CreateGrantRequest extends com.amazonaws.AmazonWebServiceRequest implements Serializable, Cloneable {
/**
*
* Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account,
* you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
*
*/
private String keyId;
/**
*
* The identity that gets the permissions specified in the grant.
*
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid
* principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users.
* For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*/
private String granteePrincipal;
/**
*
* The principal that has permission to use the RetireGrant operation to retire the grant.
*
*
* To specify the principal, use the Amazon Resource Name (ARN)
* of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,
* federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant or revoke
* the grant. For details, see RevokeGrant and Retiring and revoking
* grants in the Key Management Service Developer Guide.
*
*/
private String retiringPrincipal;
/**
*
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant. Also, the operation must be supported on
* the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the
* {@code Sign} operation, or a grant for an asymmetric KMS key that allows the {@code GenerateDataKey} operation.
* If you try, KMS returns a {@code ValidationError} exception. For details, see "Grant operations" in the
* <i>Key Management Service Developer Guide</i>.
*
*/
private com.amazonaws.internal.SdkInternalList operations;
/**
*
* Specifies a grant constraint.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* KMS supports the {@code EncryptionContextEquals} and {@code EncryptionContextSubset} grant constraints,
* which allow the permissions in the grant only when the encryption context in the request matches
* ({@code EncryptionContextEquals}) or includes ({@code EncryptionContextSubset}) the encryption context
* specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant operations that include an
* {@code EncryptionContext} parameter, such as cryptographic operations on symmetric encryption KMS keys.
* Grants with grant constraints can include the {@code DescribeKey} and {@code RetireGrant} operations, but the
* constraint doesn't apply to these operations. If a grant with a grant constraint includes the
* {@code CreateGrant} operation, the constraint requires that any grants created with the {@code CreateGrant}
* permission have an equally strict or stricter encryption context constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS keys or
* HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using
* grant constraints in the Key Management Service Developer Guide. For more information about encryption
* context, see Encryption context
* in the Key Management Service Developer Guide .
*
*/
private GrantConstraints constraints;
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved
* eventual consistency. For more information, see Grant token and Using a grant
* token in the Key Management Service Developer Guide.
*
*/
private com.amazonaws.internal.SdkInternalList grantTokens;
/**
*
* A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* When this value is absent, all {@code CreateGrant} requests result in a new grant with a unique
* {@code GrantId} even if all the supplied parameters are identical. This can result in unintended duplicates
* when you retry the {@code CreateGrant} request.
*
*
* When this value is present, you can retry a {@code CreateGrant} request with identical parameters; if the
* grant already exists, the original {@code GrantId} is returned without creating a new grant. Note that the
* returned grant token is unique with every {@code CreateGrant} request, even when a duplicate
* {@code GrantId} is returned. All grant tokens for the same grant ID can be used interchangeably.
*
*/
private String name;
/**
*
* Checks if your request will succeed. {@code DryRun} is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*/
private Boolean dryRun;
/**
*
* Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account,
* you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
*
*
* @param keyId
* Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services
* account, you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
*/
public void setKeyId(String keyId) {
// Plain assignment: the key ID or key ARN is stored exactly as passed in. This method performs no
// format check, so a malformed or unintended key identifier is not rejected here.
this.keyId = keyId;
}
/**
*
* Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account,
* you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
*
*
* @return Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services
* account, you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
*/
public String getKeyId() {
    // Hands back whatever was last stored; the field has no initializer, so this is null until a
    // key ID or key ARN has been set on the request.
    return keyId;
}
/**
*
* Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account,
* you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
*
*
* @param keyId
* Identifies the KMS key for the grant. The grant gives principals permission to use this KMS key.
*
* Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services
* account, you must use the key ARN.
*
*
* For example:
*
*
* -
*
* Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
*
*
* -
*
* Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
*
*
*
*
* To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withKeyId(String keyId) {
    // Fluent form of the setter: store the value through setKeyId, then return this request so
    // further with*() calls can be chained.
    this.setKeyId(keyId);
    return this;
}
/**
*
* The identity that gets the permissions specified in the grant.
*
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid
* principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users.
* For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* @param granteePrincipal
* The identity that gets the permissions specified in the grant.
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal.
* Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM
* ARNs in the Identity and Access Management User Guide .
*/
public void setGranteePrincipal(String granteePrincipal) {
// Stored verbatim: this setter does not check that the value is a well-formed principal ARN.
// NOTE(review): per the Javadoc above, this identity receives the permissions in the grant, so callers
// should pass a specific, verified principal rather than an unchecked string.
this.granteePrincipal = granteePrincipal;
}
/**
*
* The identity that gets the permissions specified in the grant.
*
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid
* principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users.
* For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* @return The identity that gets the permissions specified in the grant.
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal.
* Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM
* ARNs in the Identity and Access Management User Guide .
*/
public String getGranteePrincipal() {
    // Returns the stored grantee principal string unchanged (null if it was never set).
    return granteePrincipal;
}
/**
*
* The identity that gets the permissions specified in the grant.
*
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal. Valid
* principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed role users.
* For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* @param granteePrincipal
* The identity that gets the permissions specified in the grant.
*
* To specify the grantee principal, use the Amazon Resource Name (ARN) of an Amazon Web Services principal.
* Valid principals include Amazon Web Services accounts, IAM users, IAM roles, federated users, and assumed
* role users. For help with the ARN syntax for a principal, see IAM
* ARNs in the Identity and Access Management User Guide .
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withGranteePrincipal(String granteePrincipal) {
    // Fluent form of the setter: delegate to setGranteePrincipal, then return this request for
    // chaining. No validation of the principal happens on this path either.
    this.setGranteePrincipal(granteePrincipal);
    return this;
}
/**
*
* The principal that has permission to use the RetireGrant operation to retire the grant.
*
*
* To specify the principal, use the Amazon Resource Name (ARN)
* of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,
* federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant or revoke
* the grant. For details, see RevokeGrant and Retiring and revoking
* grants in the Key Management Service Developer Guide.
*
*
* @param retiringPrincipal
* The principal that has permission to use the RetireGrant operation to retire the grant.
*
* To specify the principal, use the Amazon Resource Name
* (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM
* users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal,
* see IAM
* ARNs in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant or
* revoke the grant. For details, see RevokeGrant and Retiring and
* revoking grants in the Key Management Service Developer Guide.
*/
public void setRetiringPrincipal(String retiringPrincipal) {
// Stored verbatim with no ARN validation in this method. Per the Javadoc above, the principal named
// here is permitted to retire the grant through the RetireGrant operation.
this.retiringPrincipal = retiringPrincipal;
}
/**
*
* The principal that has permission to use the RetireGrant operation to retire the grant.
*
*
* To specify the principal, use the Amazon Resource Name (ARN)
* of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,
* federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant or revoke
* the grant. For details, see RevokeGrant and Retiring and revoking
* grants in the Key Management Service Developer Guide.
*
*
* @return The principal that has permission to use the RetireGrant operation to retire the grant.
*
* To specify the principal, use the Amazon Resource Name
* (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM
* users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal,
* see IAM
* ARNs in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant
* or revoke the grant. For details, see RevokeGrant and Retiring and
* revoking grants in the Key Management Service Developer Guide.
*/
public String getRetiringPrincipal() {
    // Returns the stored retiring principal string unchanged (null if it was never set).
    return retiringPrincipal;
}
/**
*
* The principal that has permission to use the RetireGrant operation to retire the grant.
*
*
* To specify the principal, use the Amazon Resource Name (ARN)
* of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM users, IAM roles,
* federated users, and assumed role users. For help with the ARN syntax for a principal, see IAM ARNs
* in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant or revoke
* the grant. For details, see RevokeGrant and Retiring and revoking
* grants in the Key Management Service Developer Guide.
*
*
* @param retiringPrincipal
* The principal that has permission to use the RetireGrant operation to retire the grant.
*
* To specify the principal, use the Amazon Resource Name
* (ARN) of an Amazon Web Services principal. Valid principals include Amazon Web Services accounts, IAM
* users, IAM roles, federated users, and assumed role users. For help with the ARN syntax for a principal,
* see IAM
* ARNs in the Identity and Access Management User Guide .
*
*
* The grant determines the retiring principal. Other principals might have permission to retire the grant or
* revoke the grant. For details, see RevokeGrant and Retiring and
* revoking grants in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withRetiringPrincipal(String retiringPrincipal) {
    // Fluent form of the setter: delegate to setRetiringPrincipal, then return this request for
    // chaining.
    this.setRetiringPrincipal(retiringPrincipal);
    return this;
}
/**
*
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant. Also, the operation must be supported on
* the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. If
* you try, KMS returns a ValidationError
exception. For details, see Grant
* operations in the Key Management Service Developer Guide.
*
*
* @return A list of operations that the grant permits.
*
* This list must include only operations that are permitted in a grant. Also, the operation must be
* supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that
* allows the Sign operation, or a grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a ValidationError
exception. For
* details, see Grant
* operations in the Key Management Service Developer Guide.
* @see GrantOperation
*/
public java.util.List getOperations() {
    // Already populated (or explicitly set): return the backing list itself.
    if (operations != null) {
        return operations;
    }
    // First read with nothing set: create an empty backing list so callers never see null.
    // Note this getter therefore mutates the request, and the list returned is the live internal
    // list, not a copy; anything a caller adds to it becomes part of the grant's operations.
    operations = new com.amazonaws.internal.SdkInternalList();
    return operations;
}
/**
*
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant. Also, the operation must be supported on
* the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. If
* you try, KMS returns a ValidationError
exception. For details, see Grant
* operations in the Key Management Service Developer Guide.
*
*
* @param operations
* A list of operations that the grant permits.
*
* This list must include only operations that are permitted in a grant. Also, the operation must be
* supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that
* allows the Sign operation, or a grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a ValidationError
exception. For
* details, see Grant
* operations in the Key Management Service Developer Guide.
* @see GrantOperation
*/
public void setOperations(java.util.Collection operations) {
    // null clears the field; any other collection has its elements placed in a fresh
    // SdkInternalList, so the request does not keep a reference to the caller's collection.
    // Whatever operations were stored before are replaced, not merged.
    this.operations = (operations == null)
            ? null
            : new com.amazonaws.internal.SdkInternalList(operations);
}
/**
*
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant. Also, the operation must be supported on
* the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. If
* you try, KMS returns a ValidationError
exception. For details, see Grant
* operations in the Key Management Service Developer Guide.
*
*
* NOTE: This method appends the values to the existing list (if any). Use
* {@link #setOperations(java.util.Collection)} or {@link #withOperations(java.util.Collection)} if you want to
* override the existing values.
*
*
* @param operations
* A list of operations that the grant permits.
*
* This list must include only operations that are permitted in a grant. Also, the operation must be
* supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that
* allows the Sign operation, or a grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a ValidationError
exception. For
* details, see Grant
* operations in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
* @see GrantOperation
*/
public CreateGrantRequest withOperations(String... operations) {
    // Nothing stored yet: install an empty list through the setter so the appends below have a target.
    if (this.operations == null) {
        setOperations(new com.amazonaws.internal.SdkInternalList(operations.length));
    }
    // Append (never replace) each supplied name, in order. The values are arbitrary strings: nothing
    // in this method checks them against GrantOperation, so a misspelled or unintended operation name
    // is only caught later (the Javadoc above says KMS answers with a ValidationError).
    for (int i = 0; i < operations.length; i++) {
        this.operations.add(operations[i]);
    }
    return this;
}
/**
*
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant. Also, the operation must be supported on
* the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. If
* you try, KMS returns a ValidationError
exception. For details, see Grant
* operations in the Key Management Service Developer Guide.
*
*
* @param operations
* A list of operations that the grant permits.
*
* This list must include only operations that are permitted in a grant. Also, the operation must be
* supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that
* allows the Sign operation, or a grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a ValidationError
exception. For
* details, see Grant
* operations in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
* @see GrantOperation
*/
public CreateGrantRequest withOperations(java.util.Collection operations) {
    // Unlike the varargs overloads, this one replaces the stored operations: it delegates to
    // setOperations (which also accepts null to clear the list) and returns this request for chaining.
    this.setOperations(operations);
    return this;
}
/**
*
* A list of operations that the grant permits.
*
*
* This list must include only operations that are permitted in a grant. Also, the operation must be supported on
* the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that allows the
* Sign operation, or a grant for an asymmetric KMS key that allows the GenerateDataKey operation. If
* you try, KMS returns a ValidationError
exception. For details, see Grant
* operations in the Key Management Service Developer Guide.
*
*
* @param operations
* A list of operations that the grant permits.
*
* This list must include only operations that are permitted in a grant. Also, the operation must be
* supported on the KMS key. For example, you cannot create a grant for a symmetric encryption KMS key that
* allows the Sign operation, or a grant for an asymmetric KMS key that allows the
* GenerateDataKey operation. If you try, KMS returns a ValidationError
exception. For
* details, see Grant
* operations in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
* @see GrantOperation
*/
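public CreateGrantRequest withOperations(GrantOperation... operations) {
    // Appends the given enum values, as their string form, to the operations already on this request.
    //
    // The conversion runs into a scratch list first: if any element is null, value.toString() throws
    // NullPointerException before the request's own list has been touched, so a failed call leaves
    // the previously configured operations unchanged.
    com.amazonaws.internal.SdkInternalList operationsCopy = new com.amazonaws.internal.SdkInternalList(operations.length);
    for (GrantOperation value : operations) {
        operationsCopy.add(value.toString());
    }
    // getOperations() creates the backing list on demand and never returns null, so no null check is
    // needed before appending.
    getOperations().addAll(operationsCopy);
    return this;
}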
/**
*
* Specifies a grant constraint.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* KMS supports the EncryptionContextEquals
and EncryptionContextSubset
grant constraints,
* which allow the permissions in the grant only when the encryption context in the request matches (
* EncryptionContextEquals
) or includes (EncryptionContextSubset
) the encryption context
* specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant
* operations that include an EncryptionContext
parameter, such as cryptographic operations on
* symmetric encryption KMS keys. Grants with grant constraints can include the DescribeKey and
* RetireGrant operations, but the constraint doesn't apply to these operations. If a grant with a grant
* constraint includes the CreateGrant
operation, the constraint requires that any grants created with
* the CreateGrant
permission have an equally strict or stricter encryption context constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS keys or
* HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using
* grant constraints in the Key Management Service Developer Guide. For more information about encryption
* context, see Encryption context
* in the Key Management Service Developer Guide .
*
*
* @param constraints
* Specifies a grant constraint.
*
* Do not include confidential or sensitive information in this field. This field may be displayed in
* plaintext in CloudTrail logs and other output.
*
*
*
* KMS supports the EncryptionContextEquals
and EncryptionContextSubset
grant
* constraints, which allow the permissions in the grant only when the encryption context in the request
* matches (EncryptionContextEquals
) or includes (EncryptionContextSubset
) the
* encryption context specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant
* operations that include an EncryptionContext
parameter, such as cryptographic operations
* on symmetric encryption KMS keys. Grants with grant constraints can include the DescribeKey and
* RetireGrant operations, but the constraint doesn't apply to these operations. If a grant with a
* grant constraint includes the CreateGrant
operation, the constraint requires that any grants
* created with the CreateGrant
permission have an equally strict or stricter encryption context
* constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS
* keys or HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using
* grant constraints in the Key Management Service Developer Guide. For more information about
* encryption context, see Encryption
* context in the Key Management Service Developer Guide .
*/
public void setConstraints(GrantConstraints constraints) {
// Stored by reference, with no copy: later changes to the passed GrantConstraints object are visible
// through this request. Per the Javadoc above, constraint contents may be shown in plaintext in
// CloudTrail logs, so they should not carry confidential values.
this.constraints = constraints;
}
/**
*
* Specifies a grant constraint.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* KMS supports the EncryptionContextEquals
and EncryptionContextSubset
grant constraints,
* which allow the permissions in the grant only when the encryption context in the request matches (
* EncryptionContextEquals
) or includes (EncryptionContextSubset
) the encryption context
* specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant
* operations that include an EncryptionContext
parameter, such as cryptographic operations on
* symmetric encryption KMS keys. Grants with grant constraints can include the DescribeKey and
* RetireGrant operations, but the constraint doesn't apply to these operations. If a grant with a grant
* constraint includes the CreateGrant
operation, the constraint requires that any grants created with
* the CreateGrant
permission have an equally strict or stricter encryption context constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS keys or
* HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using
* grant constraints in the Key Management Service Developer Guide. For more information about encryption
* context, see Encryption context
* in the Key Management Service Developer Guide .
*
*
* @return Specifies a grant constraint.
*
* Do not include confidential or sensitive information in this field. This field may be displayed in
* plaintext in CloudTrail logs and other output.
*
*
*
* KMS supports the EncryptionContextEquals
and EncryptionContextSubset
grant
* constraints, which allow the permissions in the grant only when the encryption context in the request
* matches (EncryptionContextEquals
) or includes (EncryptionContextSubset
) the
* encryption context specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant
* operations that include an EncryptionContext
parameter, such as cryptographic operations
* on symmetric encryption KMS keys. Grants with grant constraints can include the DescribeKey and
* RetireGrant operations, but the constraint doesn't apply to these operations. If a grant with a
* grant constraint includes the CreateGrant
operation, the constraint requires that any grants
* created with the CreateGrant
permission have an equally strict or stricter encryption
* context constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS
* keys or HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using grant constraints in the Key Management Service Developer Guide. For more information
* about encryption context, see Encryption
* context in the Key Management Service Developer Guide .
*/
public GrantConstraints getConstraints() {
    // Returns the stored reference as-is; nothing is copied or validated in this method.
    return constraints;
}
/**
*
* Specifies a grant constraint.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* KMS supports the {@code EncryptionContextEquals} and {@code EncryptionContextSubset} grant constraints,
* which allow the permissions in the grant only when the encryption context in the request matches
* ({@code EncryptionContextEquals}) or includes ({@code EncryptionContextSubset}) the encryption context
* specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant operations that include an
* {@code EncryptionContext} parameter, such as cryptographic operations on symmetric encryption KMS keys.
* Grants with grant constraints can include the DescribeKey and RetireGrant operations, but the constraint
* doesn't apply to these operations. If a grant with a grant constraint includes the {@code CreateGrant}
* operation, the constraint requires that any grants created with the {@code CreateGrant} permission have
* an equally strict or stricter encryption context constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS keys or
* HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using
* grant constraints in the Key Management Service Developer Guide. For more information about encryption
* context, see Encryption context
* in the Key Management Service Developer Guide .
*
*
* @param constraints
* Specifies a grant constraint.
*
* Do not include confidential or sensitive information in this field. This field may be displayed in
* plaintext in CloudTrail logs and other output.
*
*
*
* KMS supports the EncryptionContextEquals
and EncryptionContextSubset
grant
* constraints, which allow the permissions in the grant only when the encryption context in the request
* matches (EncryptionContextEquals
) or includes (EncryptionContextSubset
) the
* encryption context specified in the constraint.
*
*
* The encryption context grant constraints are supported only on grant
* operations that include an EncryptionContext
parameter, such as cryptographic operations
* on symmetric encryption KMS keys. Grants with grant constraints can include the DescribeKey and
* RetireGrant operations, but the constraint doesn't apply to these operations. If a grant with a
* grant constraint includes the CreateGrant
operation, the constraint requires that any grants
* created with the CreateGrant
permission have an equally strict or stricter encryption context
* constraint.
*
*
* You cannot use an encryption context grant constraint for cryptographic operations with asymmetric KMS
* keys or HMAC KMS keys. Operations with these keys don't support an encryption context.
*
*
* Each constraint value can include up to 8 encryption context pairs. The encryption context value in each
* constraint cannot exceed 384 characters. For information about grant constraints, see Using
* grant constraints in the Key Management Service Developer Guide. For more information about
* encryption context, see Encryption
* context in the Key Management Service Developer Guide .
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withConstraints(GrantConstraints constraints) {
    // Fluent form of setConstraints: stores the value through the setter, then returns this request.
    // No check is made here against the encryption-context limits described in the Javadoc, and the
    // Javadoc's warning applies: constraint contents may be displayed in plaintext in CloudTrail logs.
    this.setConstraints(constraints);
    return this;
}
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved
* eventual consistency. For more information, see Grant token and Using a grant
* token in the Key Management Service Developer Guide.
*
*
* @return A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and
* Using
* a grant token in the Key Management Service Developer Guide.
*/
public java.util.List getGrantTokens() {
    // Creates an empty list on first use, so this getter does not return null and a plain read
    // can change the field from null to an empty list. The list handed back is the stored one,
    // not a copy, so callers that modify it modify the request.
    // NOTE(review): the raw List/SdkInternalList types look like type arguments dropped by the
    // page extraction; confirm against the published source.
    if (grantTokens != null) {
        return grantTokens;
    }
    grantTokens = new com.amazonaws.internal.SdkInternalList();
    return grantTokens;
}
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved
* eventual consistency. For more information, see Grant token and Using a grant
* token in the Key Management Service Developer Guide.
*
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and
* Using
* a grant token in the Key Management Service Developer Guide.
*/
public void setGrantTokens(java.util.Collection grantTokens) {
    // null clears the field. Otherwise the values are placed in a new SdkInternalList, so the
    // object stored on the request is not the caller's collection instance.
    this.grantTokens = (grantTokens == null)
            ? null
            : new com.amazonaws.internal.SdkInternalList(grantTokens);
}
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved
* eventual consistency. For more information, see Grant token and Using a grant
* token in the Key Management Service Developer Guide.
*
*
* NOTE: This method appends the values to the existing list (if any). Use
* {@link #setGrantTokens(java.util.Collection)} or {@link #withGrantTokens(java.util.Collection)} if you want to
* override the existing values.
*
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and
* Using
* a grant token in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withGrantTokens(String... grantTokens) {
    // Appends to whatever list is already present instead of replacing it.
    // A null array is not guarded against: the length read or the loop below throws
    // NullPointerException in that case.
    if (this.grantTokens == null) {
        setGrantTokens(new com.amazonaws.internal.SdkInternalList(grantTokens.length));
    }
    for (int i = 0; i < grantTokens.length; i++) {
        this.grantTokens.add(grantTokens[i]);
    }
    return this;
}
/**
*
* A list of grant tokens.
*
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved
* eventual consistency. For more information, see Grant token and Using a grant
* token in the Key Management Service Developer Guide.
*
*
* @param grantTokens
* A list of grant tokens.
*
* Use a grant token when your permission to call this operation comes from a new grant that has not yet
* achieved eventual consistency. For more information, see Grant token and
* Using
* a grant token in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withGrantTokens(java.util.Collection grantTokens) {
    // Replaces the current tokens (via setGrantTokens) rather than appending; null clears them.
    this.setGrantTokens(grantTokens);
    return this;
}
/**
*
* A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* When this value is absent, all {@code CreateGrant} requests result in a new grant with a unique
* {@code GrantId} even if all the supplied parameters are identical. This can result in unintended
* duplicates when you retry the {@code CreateGrant} request.
*
*
* When this value is present, you can retry a {@code CreateGrant} request with identical parameters; if the
* grant already exists, the original {@code GrantId} is returned without creating a new grant. Note that the
* returned grant token is unique with every {@code CreateGrant} request, even when a duplicate
* {@code GrantId} is returned. All grant tokens for the same grant ID can be used interchangeably.
*
*
* @param name
* A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
* Do not include confidential or sensitive information in this field. This field may be displayed in
* plaintext in CloudTrail logs and other output.
*
*
*
* When this value is absent, all CreateGrant
requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are identical. This can result in unintended
* duplicates when you retry the CreateGrant
request.
*
*
* When this value is present, you can retry a CreateGrant
request with identical parameters; if
* the grant already exists, the original GrantId
is returned without creating a new grant. Note
* that the returned grant token is unique with every CreateGrant
request, even when a duplicate
* GrantId
is returned. All grant tokens for the same grant ID can be used interchangeably.
*/
public void setName(String name) {
    // Stored exactly as given, with no validation or normalisation in this method.
    // Per the Javadoc, this value may be displayed in plaintext in CloudTrail logs, so it should
    // not carry confidential data.
    this.name = name;
}
/**
*
* A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* When this value is absent, all CreateGrant
requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are identical. This can result in unintended duplicates
* when you retry the CreateGrant
request.
*
*
* When this value is present, you can retry a CreateGrant
request with identical parameters; if the
* grant already exists, the original GrantId
is returned without creating a new grant. Note that the
* returned grant token is unique with every CreateGrant
request, even when a duplicate
* GrantId
is returned. All grant tokens for the same grant ID can be used interchangeably.
*
*
* @return A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
* Do not include confidential or sensitive information in this field. This field may be displayed in
* plaintext in CloudTrail logs and other output.
*
*
*
* When this value is absent, all CreateGrant
requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are identical. This can result in unintended
* duplicates when you retry the CreateGrant
request.
*
*
* When this value is present, you can retry a CreateGrant
request with identical parameters;
* if the grant already exists, the original GrantId
is returned without creating a new grant.
* Note that the returned grant token is unique with every CreateGrant
request, even when a
* duplicate GrantId
is returned. All grant tokens for the same grant ID can be used
* interchangeably.
*/
public String getName() {
    // Plain accessor: returns the stored grant name unchanged.
    return name;
}
/**
*
* A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
*
*
* Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in
* CloudTrail logs and other output.
*
*
*
* When this value is absent, all CreateGrant
requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are identical. This can result in unintended duplicates
* when you retry the CreateGrant
request.
*
*
* When this value is present, you can retry a CreateGrant
request with identical parameters; if the
* grant already exists, the original GrantId
is returned without creating a new grant. Note that the
* returned grant token is unique with every CreateGrant
request, even when a duplicate
* GrantId
is returned. All grant tokens for the same grant ID can be used interchangeably.
*
*
* @param name
* A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when
* retrying this request.
*
* Do not include confidential or sensitive information in this field. This field may be displayed in
* plaintext in CloudTrail logs and other output.
*
*
*
* When this value is absent, all CreateGrant
requests result in a new grant with a unique
* GrantId
even if all the supplied parameters are identical. This can result in unintended
* duplicates when you retry the CreateGrant
request.
*
*
* When this value is present, you can retry a CreateGrant
request with identical parameters; if
* the grant already exists, the original GrantId
is returned without creating a new grant. Note
* that the returned grant token is unique with every CreateGrant
request, even when a duplicate
* GrantId
is returned. All grant tokens for the same grant ID can be used interchangeably.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withName(String name) {
    // Fluent form of setName: stores the value through the setter, then returns this request.
    this.setName(name);
    return this;
}
/**
*
* Checks if your request will succeed. {@code DryRun} is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*
* @param dryRun
* Checks if your request will succeed. DryRun
is an optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*/
public void setDryRun(Boolean dryRun) {
    // Boxed flag stored as given; null is accepted and stored like any other value.
    this.dryRun = dryRun;
}
/**
*
* Checks if your request will succeed. DryRun
is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*
* @return Checks if your request will succeed. DryRun
is an optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*/
public Boolean getDryRun() {
    // Returns the boxed value, which can be null; unboxing a null result (for example directly
    // in an if condition) throws NullPointerException.
    return dryRun;
}
/**
*
* Checks if your request will succeed. DryRun
is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*
* @param dryRun
* Checks if your request will succeed. DryRun
is an optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
* @return Returns a reference to this object so that method calls can be chained together.
*/
public CreateGrantRequest withDryRun(Boolean dryRun) {
    // Fluent form of setDryRun: stores the flag through the setter, then returns this request.
    this.setDryRun(dryRun);
    return this;
}
/**
*
* Checks if your request will succeed. DryRun
is an optional parameter.
*
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*
*
* @return Checks if your request will succeed. DryRun
is an optional parameter.
*
* To learn more about how to use this parameter, see Testing your KMS API
* calls in the Key Management Service Developer Guide.
*/
public Boolean isDryRun() {
    // Same stored value as getDryRun(), under an is-prefixed name. The return type is the boxed
    // Boolean, so the result can be null.
    return dryRun;
}
/**
* Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be
* redacted from this string using a placeholder value.
*
* @return A string representation of this object.
*
* @see java.lang.Object#toString()
*/
@Override
public String toString() {
    // Every field that is set is appended verbatim; no placeholder substitution happens in this
    // method. Constraints and Name therefore appear in full wherever this string is logged,
    // which matches the Javadoc's advice to keep confidential data out of those fields.
    // getGrantTokens() creates an empty list on demand, so its null check below always passes.
    // When DryRun is null the comma written after the previous field is left in place.
    StringBuilder text = new StringBuilder("{");
    if (getKeyId() != null) {
        text.append("KeyId: ").append(getKeyId()).append(",");
    }
    if (getGranteePrincipal() != null) {
        text.append("GranteePrincipal: ").append(getGranteePrincipal()).append(",");
    }
    if (getRetiringPrincipal() != null) {
        text.append("RetiringPrincipal: ").append(getRetiringPrincipal()).append(",");
    }
    if (getOperations() != null) {
        text.append("Operations: ").append(getOperations()).append(",");
    }
    if (getConstraints() != null) {
        text.append("Constraints: ").append(getConstraints()).append(",");
    }
    if (getGrantTokens() != null) {
        text.append("GrantTokens: ").append(getGrantTokens()).append(",");
    }
    if (getName() != null) {
        text.append("Name: ").append(getName()).append(",");
    }
    if (getDryRun() != null) {
        text.append("DryRun: ").append(getDryRun());
    }
    text.append("}");
    return text.toString();
}
@Override
public boolean equals(Object obj) {
    if (this == obj) {
        return true;
    }
    if (obj == null) {
        return false;
    }
    if (!(obj instanceof CreateGrantRequest)) {
        return false;
    }
    CreateGrantRequest that = (CreateGrantRequest) obj;
    // Field by field: the objects differ when exactly one side is null, or when both sides are
    // set and equals() reports a difference. All values are read through the getters.
    if ((that.getKeyId() == null ^ this.getKeyId() == null)
            || (that.getKeyId() != null && !that.getKeyId().equals(this.getKeyId()))) {
        return false;
    }
    if ((that.getGranteePrincipal() == null ^ this.getGranteePrincipal() == null)
            || (that.getGranteePrincipal() != null && !that.getGranteePrincipal().equals(this.getGranteePrincipal()))) {
        return false;
    }
    if ((that.getRetiringPrincipal() == null ^ this.getRetiringPrincipal() == null)
            || (that.getRetiringPrincipal() != null && !that.getRetiringPrincipal().equals(this.getRetiringPrincipal()))) {
        return false;
    }
    if ((that.getOperations() == null ^ this.getOperations() == null)
            || (that.getOperations() != null && !that.getOperations().equals(this.getOperations()))) {
        return false;
    }
    if ((that.getConstraints() == null ^ this.getConstraints() == null)
            || (that.getConstraints() != null && !that.getConstraints().equals(this.getConstraints()))) {
        return false;
    }
    if ((that.getGrantTokens() == null ^ this.getGrantTokens() == null)
            || (that.getGrantTokens() != null && !that.getGrantTokens().equals(this.getGrantTokens()))) {
        return false;
    }
    if ((that.getName() == null ^ this.getName() == null)
            || (that.getName() != null && !that.getName().equals(this.getName()))) {
        return false;
    }
    if ((that.getDryRun() == null ^ this.getDryRun() == null)
            || (that.getDryRun() != null && !that.getDryRun().equals(this.getDryRun()))) {
        return false;
    }
    return true;
}
@Override
public int hashCode() {
    // Folds the same eight fields that equals() compares into one int, multiplying by 31 at each
    // step; a null field contributes 0.
    final int multiplier = 31;
    int result = 1;
    result = multiplier * result + (getKeyId() != null ? getKeyId().hashCode() : 0);
    result = multiplier * result + (getGranteePrincipal() != null ? getGranteePrincipal().hashCode() : 0);
    result = multiplier * result + (getRetiringPrincipal() != null ? getRetiringPrincipal().hashCode() : 0);
    result = multiplier * result + (getOperations() != null ? getOperations().hashCode() : 0);
    result = multiplier * result + (getConstraints() != null ? getConstraints().hashCode() : 0);
    result = multiplier * result + (getGrantTokens() != null ? getGrantTokens().hashCode() : 0);
    result = multiplier * result + (getName() != null ? getName().hashCode() : 0);
    result = multiplier * result + (getDryRun() != null ? getDryRun().hashCode() : 0);
    return result;
}
@Override
public CreateGrantRequest clone() {
    // Delegates entirely to the superclass clone and narrows the result to this type.
    // NOTE(review): whether the clone shares the grantTokens list and the constraints object
    // with the original depends on the superclass implementation, which is not shown here; confirm.
    final Object copy = super.clone();
    return (CreateGrantRequest) copy;
}
}