Creating a Grant
Function
This API is used to create a grant. A grantee can perform operations on a granted key.
Constraints
A Default Master Key (the alias suffix of which is /default) does not allow permission granting.
URI
POST /v1.0/{project_id}/kms/create-grant
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
project_id |
Yes |
String |
Project ID. |
Request Parameters
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
X-Auth-Token |
Yes |
String |
User token. The token can be obtained by calling the IAM API (value of X-Subject-Token in the response header). |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
key_id |
Yes |
String |
CMK ID. It should be 36 bytes and match the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$. Example: 0d0466b0-e727-4d9c-b35d-f84bb474a37f |
grantee_principal |
Yes |
String |
Grantee ID, which contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1, 64}$. Example: 0d0466b00d0466b00d0466b00d0466b0 |
operations |
Yes |
Array of strings |
List of granted operations. Values: create-datakey, create-datakey-without-plaintext, encrypt-datakey, decrypt-datakey, describe-key, create-grant, retire-grant, encrypt-data, decrypt-data. A value containing only create-grant is invalid. |
name |
No |
String |
Grant name. The value is a string of 1 to 255 characters and matches the regular expression ^[a-zA-Z0-9:/_-]{1,255}$. |
retiring_principal |
No |
String |
ID of the user who can retire a grant. It contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1, 64}$. Example: 0d0466b00d0466b00d0466b00d0466b0 |
grantee_principal_type |
No |
String |
Grant type. Values: user, domain. The default value is user. |
sequence |
No |
String |
36-byte sequence number of a request message. Example: 919c82d4-8046-4722-9094-35c3c6524cff |
Response Parameters
Status code: 200
Parameter |
Type |
Description |
|---|---|---|
grant_id |
String |
Grant ID, which contains 64 bytes. |
Status code: 400
Parameter |
Type |
Description |
|---|---|---|
error |
Object |
Error message. |
Parameter |
Type |
Description |
|---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error information. |
Status code: 403
Parameter |
Type |
Description |
|---|---|---|
error |
Object |
Error message. |
Parameter |
Type |
Description |
|---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error information. |
Status code: 404
Parameter |
Type |
Description |
|---|---|---|
error |
Object |
Error message. |
Parameter |
Type |
Description |
|---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error information. |
Example Requests
{
"key_id" : "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
"operations" : [ "describe-key", "create-datakey", "encrypt-datakey" ],
"grantee_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8",
"grantee_principal_type" : "user",
"retiring_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8"
}
Example Responses
Status code: 200
Request processing succeeded.
{
"grant_id" : "7c9a3286af4fcca5f0a385ad13e1d21a50e27b6dbcab50f37f30f93b8939827d"
}
Status code: 400
Invalid request parameters.
{
"error" : {
"error_code" : "KMS.XXX",
"error_msg" : "XXX"
}
}
Status code: 403
Authentication failed.
{
"error" : {
"error_code" : "KMS.XXX",
"error_msg" : "XXX"
}
}
Status code: 404
The requested resource does not exist or is not found.
{
"error" : {
"error_code" : "KMS.XXX",
"error_msg" : "XXX"
}
}
Status Codes
Status Code |
Description |
|---|---|
200 |
Request processing succeeded. |
400 |
Invalid request parameters. |
403 |
Authentication failed. |
404 |
The requested resource does not exist or is not found. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
