AWS Key Management Service

2015/06/22 - AWS Key Management Service - 1 new1 updated api methods

UpdateAlias (new) Link ¶

Updates an alias to associate it with a different key.

An alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). An alias must start with the word "alias" followed by a forward slash (alias/). An alias that begins with "aws" after the forward slash (alias/aws...) is reserved by Amazon Web Services (AWS).

An alias is not a property of a key. Therefore, an alias can be associated with and disassociated from an existing key without changing the properties of the key.

Note that you cannot create or update an alias that represents a key in another account.

Request Syntax

client.update_alias(
    AliasName='string',
    TargetKeyId='string'
)
type AliasName:

string

param AliasName:

[REQUIRED] String that contains the name of the alias to be modifed. The name must start with the word "alias" followed by a forward slash (alias/). Aliases that begin with "alias/AWS" are reserved.

type TargetKeyId:

string

param TargetKeyId:

[REQUIRED]

Unique identifier of the customer master key to be associated with the alias. This value can be a globally unique identifier or the fully specified ARN of a key.

  • Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

  • Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012

returns:

None

RetireGrant (updated) Link ¶
Changes (request) 
{'GrantId': 'string', 'KeyId': 'string'}

Retires a grant. You can retire a grant when you're done using it to clean up. You should revoke a grant when you intend to actively deny operations that depend on it. The following are permitted to call this API:

  • The account that created the grant

  • The RetiringPrincipal, if present

  • The GranteePrincipal, if RetireGrant is a grantee operation

The grant to retire must be identified by its grant token or by a combination of the key ARN and the grant ID. A grant token is a unique variable-length base64-encoded string. A grant ID is a 64 character unique identifier of a grant. Both are returned by the CreateGrant function.

Request Syntax

client.retire_grant(
    GrantToken='string',
    KeyId='string',
    GrantId='string'
)
type GrantToken:

string

param GrantToken:

Token that identifies the grant to be retired.

type KeyId:

string

param KeyId:

A unique identifier for the customer master key associated with the grant. This value can be a globally unique identifier or a fully specified ARN of the key.

  • Key ARN Example - arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

  • Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012

type GrantId:

string

param GrantId:

Unique identifier of the grant to be retired. The grant ID is returned by the CreateGrant function.

  • Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123

returns:

None