Gets a list of all grants for the specified KMS key.
You must specify the KMS key in all requests. You can filter the grant list by grant ID, grantee principal, or grantee service principal.
For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide. For examples of creating grants in several programming languages, see Use CreateGrant with an Amazon Web Services SDK or CLI.
When a grant is created with the GranteePrincipal field, the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, if the grantee principal is an Amazon Web Services service, the GranteePrincipal field contains an Amazon Web Services service principal, which might correspond to several different grantee principals, such as an IAM user, IAM role, or Amazon Web Services account.
When a grant is created with the GranteeServicePrincipal field, the ListGrants response always includes a GranteeServicePrincipal that indicates the grantee is actually an Amazon Web Services service principal.
Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.
Required permissions: kms:ListGrants (key policy)
Related operations:
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
This cmdlet automatically pages all available results to the pipeline - parameters related to iteration are only needed if you want to manually control the paginated output. To disable autopagination, use -NoAutoIteration.
Note: For scripts written against earlier versions of this module, this cmdlet can also be invoked with the alias Get-KMSGrants.
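The following is an added example, not part of the original reference page: a grant audit for one KMS key that relies on the autopagination described above, classifies each GranteePrincipal as an IAM principal or a service principal, and lists grants that carry no encryption context constraint. The key ARN is a placeholder, Get-GranteeKind is a hypothetical helper, and the script assumes the AWS.Tools.KeyManagementService module is installed with credentials and a region already configured.

```powershell
# Added example: audit the grants on one KMS key (not code from the AWS documentation).
# Assumption: AWS.Tools.KeyManagementService is installed and credentials/region are set.
Import-Module AWS.Tools.KeyManagementService

# Placeholder key ARN. Use the full ARN when the key lives in another account.
$KeyArn = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID'

# Hypothetical helper: classify the value returned in GranteePrincipal.
function Get-GranteeKind {
    param([string]$Grantee)
    if ($Grantee -like 'arn:*') { 'IamPrincipal' }                            # user, role or account ARN
    elseif ($Grantee -match '\.amazonaws\.com(\.cn)?$') { 'ServicePrincipal' } # e.g. a service name
    else { 'Unknown' }
}

# Autopagination returns every grant, so no Marker/Limit handling is needed here.
# Because KMS is eventually consistent, a grant created moments ago may not be listed yet.
$report = Get-KMSGrantList -KeyId $KeyArn | ForEach-Object {
    $c = $_.Constraints
    $constrained = $c -and (
        ($c.EncryptionContextEquals.Count -gt 0) -or
        ($c.EncryptionContextSubset.Count -gt 0)
    )
    [pscustomobject]@{
        GrantId           = $_.GrantId
        Name              = $_.Name
        Grantee           = $_.GranteePrincipal
        GranteeKind       = Get-GranteeKind $_.GranteePrincipal
        RetiringPrincipal = $_.RetiringPrincipal
        Operations        = ($_.Operations -join ',')
        Created           = $_.CreationDate
        Constrained       = [bool]$constrained
    }
}

# Review candidates: grants without an encryption context constraint, and grants whose
# grantee is a service principal (which can stand for several underlying principals).
$report |
    Where-Object { -not $_.Constrained -or $_.GranteeKind -eq 'ServicePrincipal' } |
    Sort-Object Created |
    Format-Table GrantId, GranteeKind, Grantee, Operations, Constrained, Created -AutoSize
```

The calling identity needs kms:ListGrants on the key, as stated under Required permissions.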