Updated on 2022-09-15 GMT+08:00

Querying Grants on a CMK

Function

This API enables you to query grants on a CMK.

URI

POST /v1.0/{project_id}/kms/list-grants

Table 1 Path parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token. The token can be obtained by calling the IAM API (value of X-Subject-Token in the response header). |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| key_id | Yes | String | CMK ID. It should be 36 bytes and match the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$. Example: 0d0466b0-e727-4d9c-b35d-f84bb474a37f |
| limit | No | String | Number of returned grant records. If the number of retrieved results is greater than this value, true is returned for the response parameter truncated, indicating that multiple pages of results are retrieved. The value cannot exceed the maximum number of grants. Example: 100 |
| marker | No | String | Start position of pagination query. If truncated is true in the response, you can send consecutive requests to obtain more records. Set marker to the value of next_marker in the response. Example: 10 |
| sequence | No | String | 36-byte sequence number of a request message. Example: 919c82d4-8046-4722-9094-35c3c6524cff |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| grants | Array of Grants objects | Grant list. |
| next_marker | String | Value of marker used for obtaining the next page of results. If truncated is false, next_marker is left blank. |
| truncated | String | Whether there is a next page of results. true: There is a next page. false: This is the last page. |
| total | Integer | Total number of grants. |

Table 5 Grants

| Parameter | Type | Description |
|---|---|---|
| key_id | String | CMK ID. |
| grant_id | String | Grant ID, which contains 64 bytes. |
| grantee_principal | String | Grantee ID, which contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1,64}$. Example: 0d0466b00d0466b00d0466b00d0466b0 |
| grantee_principal_type | String | Grant type. Values: user, domain. |
| operations | Array of strings | List of granted operations. Values: create-datakey, create-datakey-without-plaintext, encrypt-datakey, decrypt-datakey, describe-key, create-grant, retire-grant, encrypt-data, decrypt-data. A value containing only create-grant is invalid. |
| issuing_principal | String | Grantor ID, which contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1,64}$. Example: 0d0466b00d0466b00d0466b00d0466b0 |
| creation_date | String | Creation time. The timestamp indicates the total seconds past the start of the epoch date (January 1, 1970). Example: 1497341531000 |
| name | String | Grant name. The value is a string of 1 to 255 characters and matches the regular expression ^[a-zA-Z0-9:/_-]{1,255}$. |
| retiring_principal | String | ID of the user who can retire a grant. It contains 1 to 64 bytes and matches the regular expression ^[a-zA-Z0-9]{1,64}$. Example: 0d0466b00d0466b00d0466b00d0466b0 |

Status code: 400

Table 6 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error | Object | Error message. |

Table 7 ErrorDetail

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error information. |

Status code: 403

Table 8 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error | Object | Error message. |

Table 9 ErrorDetail

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error information. |

Status code: 404

Table 10 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error | Object | Error message. |

Table 11 ErrorDetail

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Error code. |
| error_msg | String | Error information. |

Example Requests

{
  "key_id" : "0d0466b0-e727-4d9c-b35d-f84bb474a37f"
}

Example Responses

Status code: 200

Request processing succeeded.

{
  "grants" : [ {
    "operations" : [ "create-datakey", "describe-key" ],
    "issuing_principal" : "8b961fb414344d59825ba0c8c008c815",
    "key_id" : "737fd52b-36c4-4c91-972e-f6e202de9f6e",
    "grant_id" : "dd3f03e9229a5e47a41be6c27a630e60d5cbdbad2be89465d63109ad034db7d8",
    "grantee_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8",
    "name" : "13gg44z4g2sglzk0egw0u726zoyzvrs8",
    "creation_date" : "1597062260000",
    "grantee_principal_type" : "user"
  } ],
  "next_marker" : "",
  "total" : 1,
  "truncated" : "false"
}

Status code: 400

Invalid request parameters.

{
  "error" : {
    "error_code" : "KMS.XXX",
    "error_msg" : "XXX"
  }
}

Status code: 403

Authentication failed.

{
  "error" : {
    "error_code" : "KMS.XXX",
    "error_msg" : "XXX"
  }
}

Status code: 404

The requested resource does not exist or is not found.

{
  "error" : {
    "error_code" : "KMS.XXX",
    "error_msg" : "XXX"
  }
}
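The pagination contract above (limit, marker, next_marker, truncated) combined with a grant review, as an added example that is not part of the original documentation or the provider's SDK. It compares truncated as text because the field is documented as a String, so a plain truthiness check would treat "false" as another page. The names http_post, list_all_grants, flag_grants and REVIEW_OPS, the caller-supplied endpoint and the review heuristics are assumptions of this example.

```python
import json
import re
import urllib.request

KEY_ID_RE = re.compile(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$")
# Review heuristics chosen for this example; they are not defined by the API.
REVIEW_OPS = {"create-grant", "decrypt-data", "decrypt-datakey"}

def http_post(endpoint, project_id, token):
    """Build a transport for POST /v1.0/{project_id}/kms/list-grants (endpoint is caller-supplied)."""
    url = f"{endpoint}/v1.0/{project_id}/kms/list-grants"
    def post(body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"X-Auth-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post

def list_all_grants(post, key_id, limit=100, max_pages=1000):
    """Follow marker/next_marker until truncated is no longer "true"."""
    if not KEY_ID_RE.match(key_id):
        raise ValueError("key_id does not match the documented format")
    grants, marker, seen = [], None, set()
    for _ in range(max_pages):
        body = {"key_id": key_id, "limit": str(limit)}  # limit is a String in Table 3
        if marker is not None:
            body["marker"] = marker
        page = post(body)
        grants.extend(page.get("grants", []))
        # truncated is documented as a String, so compare text rather than truthiness.
        if str(page.get("truncated", "false")).lower() != "true":
            return grants
        marker = page.get("next_marker")
        if not marker or marker in seen:  # guard against an endless loop
            raise RuntimeError("truncated is true but next_marker is empty or repeated")
        seen.add(marker)
    raise RuntimeError("max_pages reached before the last page")

def flag_grants(grants):
    """Return {grant_id: [reasons]} for grants that deserve a manual review."""
    flagged = {}
    for g in grants:
        reasons = sorted(REVIEW_OPS & set(g.get("operations", [])))
        if g.get("grantee_principal_type") == "domain":
            reasons.append("domain-wide grantee")
        if reasons:
            flagged[g.get("grant_id")] = reasons
    return flagged
```

Pass `http_post(endpoint, project_id, token)` as the `post` argument to run it against a real project; any callable that takes the request body and returns the parsed response works for offline testing.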

Status Codes

| Status Code | Description |
|---|---|
| 200 | Request processing succeeded. |
| 400 | Invalid request parameters. |
| 403 | Authentication failed. |
| 404 | The requested resource does not exist or is not found. |

Error Codes

See Error Codes.