Exemple #1
        // snippet-start:[KMS.dotnetv3.CreateGrantExample]
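        /// <summary>
        /// Creates a grant on an AWS KMS key that lets the grantee principal call
        /// Encrypt and Decrypt, then prints the grant ID and grant token.
        /// </summary>
        /// <returns>A task that completes once the grant details are printed.</returns>
        public static async Task Main()
        {
            // The service client is disposable; release it deterministically
            // instead of leaving it to the finalizer.
            using (var client = new AmazonKeyManagementServiceClient())
            {
                // The identity that is given permission to perform the operations
                // specified in the grant. Name one specific role or user (example
                // value shown) so that the grant stays narrowly scoped.
                var grantee = "arn:aws:iam::111122223333:role/ExampleRole";

                // The identifier of the AWS KMS key to which the grant applies. You
                // can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
                var keyId = "7c9eccc2-38cb-4c4f-9db3-766ee8dd3ad4";

                var request = new CreateGrantRequest
                {
                    GranteePrincipal = grantee,
                    KeyId            = keyId,

                    // A list of operations that the grant allows. List only what the
                    // grantee needs: a principal that only writes data does not need
                    // "Decrypt".
                    Operations = new List<string>
                    {
                        "Encrypt",
                        "Decrypt",
                    },

                    // No Constraints are set here, so the grant is valid for any
                    // encryption context. For symmetric keys, GrantConstraints
                    // (EncryptionContextSubset / EncryptionContextEquals) can limit
                    // the grant to requests that carry the expected context.
                };

                var response = await client.CreateGrantAsync(request);

                // The unique identifier of the grant; it is needed later to retire
                // or revoke the grant.
                string grantId = response.GrantId;

                // Grants are eventually consistent. The grant token lets the grantee
                // use the new grant right away by passing it in the GrantTokens of a
                // request.
                string grantToken = response.GrantToken;

                Console.WriteLine($"Id: {grantId}, Token: {grantToken}");
            }
        }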
Exemple #2
        /// <summary>
        /// Translates a <see cref="GrantType"/> bit mask into KMS grant operations
        /// and submits a CreateGrant request for the given key and principal.
        /// </summary>
        /// <param name="grantName">Name assigned to the grant.</param>
        /// <param name="keyId">Identifier of the KMS key the grant applies to.</param>
        /// <param name="principalARN">ARN of the principal that receives the grant.</param>
        /// <param name="grant">Bit mask selecting which operation groups to allow.</param>
        /// <param name="cancellationToken">Token passed through to the client call.</param>
        /// <returns>The task produced by the client call after EnsureSuccessAsync is applied.</returns>
        /// <remarks>
        /// NOTE(review): the Encrypt flag expands to five operations, including
        /// ReEncryptFrom. ReEncryptFrom lets KMS decrypt ciphertext held under this
        /// key as the first step of re-encryption, so an "Encrypt"-only grant is
        /// broader than its name suggests. Confirm that this is intended.
        /// NOTE(review): if no flag is set, the request is sent with an empty
        /// operation list. Confirm how callers expect that case to be handled.
        /// </remarks>
        public Task<CreateGrantResponse> CreateGrantAsync(
            string grantName,
            string keyId,
            string principalARN,
            GrantType grant,
            CancellationToken cancellationToken = default(CancellationToken))
        {
            var operations = new List<string>();

            // Each flag is tested independently; any overlapping bit enables the group.
            if (0 != (grant & GrantType.Encrypt))
            {
                operations.AddRange(new string[]
                {
                    GrantOperation.Encrypt,
                    GrantOperation.ReEncryptFrom,
                    GrantOperation.ReEncryptTo,
                    GrantOperation.GenerateDataKey,
                    GrantOperation.GenerateDataKeyWithoutPlaintext,
                });
            }

            if (0 != (grant & GrantType.Decrypt))
            {
                operations.Add(GrantOperation.Decrypt);
            }

            if (0 != (grant & GrantType.Retire))
            {
                operations.Add(GrantOperation.RetireGrant);
            }

            if (0 != (grant & GrantType.Describe))
            {
                operations.Add(GrantOperation.DescribeKey);
            }

            var grantRequest = new CreateGrantRequest
            {
                KeyId = keyId,
                GranteePrincipal = principalARN,
                Name = grantName,
                Operations = operations,
            };

            // EnsureSuccessAsync is defined elsewhere; presumably it faults the task
            // on a non-success response. Verify against its definition.
            var pending = _client.CreateGrantAsync(grantRequest, cancellationToken);
            return pending.EnsureSuccessAsync();
        }