Help Center> Data Encryption Workshop> API Reference> APIs> Key Management APIs> Key Authorization Management> Creating a Grant
Updated on 2023-05-30 GMT+08:00
View PDF

Creating a Grant

Function

  • Description: This API is used to create a grant. A grantee can perform operations on a granted key.

  • Note:

    • The aliases of default master keys (aliases ended with /default) cannot be granted.

URI

POST /v1.0/{project_id}/kms/create-grant

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID

Request Parameters

Table 2 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. It can be obtained by calling the IAM API that is used for obtaining a user token. The value of X-Subject-Token in the response header is the user token.
Table 3 Request body parameters

Parameter

Mandatory

Type

Description

key_id

Yes

String

Key ID. It should be 36 bytes and match the regular expression ^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$. Example: 0d0466b0-e727-4d9c-b35d-f84bb474a37f

grantee_principal

Yes

String

Indicates the ID of the authorized user. The value is between 1 to 64 bytes and meets the regular expression ^[a-zA-Z0-9]{1,64}$. Example: 0d0466b00d0466b00d0466b00d0466b0

operations

Yes

Array of strings

List of granted operations. Values: create-datakey, create-datakey-without-plaintext, encrypt-datakey, decrypt-datakey, describe-key, create-grant, retire-grant, encrypt-data, decrypt-data A value containing only create-grant is invalid.

  • create-datakey: Creating a DEK

  • create-datakey-without-plaintext: Creating a Plaintext-free DEK

  • encrypt-datakey: Encrypting a DEK

  • decrypt-datakey: Decrypting a DEK

  • describe-key: Querying Key Details

  • retire-grant: Creating a Grant

  • encrypt-data: Encrypting Data

  • decrypt-data: Decrypting Data

name

No

String

Grant name. The value can contain 1 to 255 characters and matches the regular expression ^[a-zA-Z0-9:/_-]{1,255}$.

retiring_principal

No

String

Indicates the ID of the retiring user. The value is between 1 to 64 bytes and meets the regular expression ^[a-zA-Z0-9]{1,64}$. Example: 0d0466b00d0466b00d0466b00d0466b0

grantee_principal_type

No

String

Authorization type. Values: user, domain. The default value is user.

sequence

No

String

36-byte sequence number of a request message. Example: 919c82d4-8046-4722-9094-35c3c6524cff

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

grant_id

String

Grant ID, which contains 64 bytes.

Status code: 400

Table 5 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 6 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Status code: 401

Table 7 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 8 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Status code: 403

Table 9 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 10 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Status code: 404

Table 11 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 12 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Status code: 500

Table 13 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 14 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Status code: 502

Table 15 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 16 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Status code: 504

Table 17 Response body parameters

Parameter

Type

Description

error

Object

Error message.
Table 18 ErrorDetail

Parameter

Type

Description

error_code

String

Error code returned for an error request.

error_msg

String

Error information returned for an error request.

Example Requests

{
  "key_id" : "0d0466b0-e727-4d9c-b35d-f84bb474a37f",
  "operations" : [ "describe-key", "create-datakey", "encrypt-datakey" ],
  "grantee_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8",
  "grantee_principal_type" : "user",
  "retiring_principal" : "13gg44z4g2sglzk0egw0u726zoyzvrs8"
}

Example Responses

Status code: 200

Request processing succeeded.

{
  "grant_id" : "7c9a3286af4fcca5f0a385ad13e1d21a50e27b6dbcab50f37f30f93b8939827d"
}

Status Codes

Status Code

Description

200

Request processing succeeded.

400

Invalid request parameters.

401

You must enter a username and password to access the requested page.

403

Authentication failed.

404

The requested resource does not exist or is not found.

500

Internal service error.

502

Failed to complete the request. The server received an invalid response.

504

Gateway timed out.

Error Codes

See Error Codes.