Creating a Grant
Function
This API is used to create a grant. Granted users can perform operations on the granted keys. The service default CMK whose suffix is /default cannot be granted.
Calling Method
For details, see Calling APIs.
URI
POST /v1.0/{project_id}/kms/create-grant
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
project_id |
Yes |
String |
Project ID |
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
X-Auth-Token |
Yes |
String |
User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is the user token. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
key_id |
Yes |
String |
A 36-byte key ID which matches the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$, for example, 0d0466b0-e727-4d9c-b35d-f84bb474a37f. |
|
grantee_principal |
Yes |
String |
ID of the granted user. The value contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1,64}$, for example, 0d0466b00d0466b00d0466b00d0466b0. |
|
operations |
Yes |
Array of strings |
List of granted operations. Possible values are as follows: create-datakey: Create a DEK. create-datakey-without-plaintext: Create a DEK that does not contain plaintext. encrypt-datakey: Encrypt DEK. decrypt-datakey: Decrypt DEK. describe-key: Query the key information. create-grant: Create the grant. retire-grant: Retire the grant. encrypt-data: Encrypt data. decrypt-data: Decrypt data. The value cannot be only create-grant. |
|
name |
No |
String |
Grant name. The value is a string of 1 to 255 characters and matches the regular expression ^[a-zA-Z0-9:/_-]{1,255}$. |
|
retiring_principal |
No |
String |
ID of the user whose grant can be retired. The value contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1,64}$, for example, 0d0466b00d0466b00d0466b00d0466b0. |
|
grantee_principal_type |
No |
String |
Grant type. Values: user, domain. The default value is user. |
|
sequence |
No |
String |
A 36-byte serial number of a request message, for example, 919c82d4-8046-4722-9094-35c3c6524cff |
Response Parameters
Status code: 200
|
Parameter |
Type |
Description |
|---|---|---|
|
grant_id |
String |
Grant ID, which contains 64 bytes. |
Status code: 400
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Status code: 401
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Status code: 403
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Status code: 404
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Status code: 500
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Status code: 502
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Status code: 504
|
Parameter |
Type |
Description |
|---|---|---|
|
error |
Object |
Error message |
|
Parameter |
Type |
Description |
|---|---|---|
|
error_code |
String |
Error code returned by the error request |
|
error_msg |
String |
Error information returned by the error request |
Example Requests
Grant user "13gg44z4g2sglzk0egw0u726zoyzvrs8"ID is "0d0466b0-e727-4d9c-b35d-f84bb474a37f" with permission to query, create, and encrypt a DEK.
{
"key_id" : "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
"operations" : [ "describe-key", "create-datakey", "encrypt-datakey" ],
"grantee_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8",
"grantee_principal_type" : "user",
"retiring_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8"
}
Example Responses
Status code: 200
Request succeeded.
{
"grant_id" : "7c9a3286af4fcca5f0a385ad13e1d21a50e27b6dbcab50f37f30f93b8939827d"
}
Status Codes
|
Status Code |
Description |
|---|---|
|
200 |
Request succeeded. |
|
400 |
Invalid request parameters. |
|
401 |
Username and password are required for the requested page. |
|
403 |
Authentication failed. |
|
404 |
The resource does not exist. |
|
500 |
Internal service error. |
|
502 |
Failed to complete the request. The server receives an invalid response from the upstream server. |
|
504 |
Gateway timed out. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
