Struct: kms.GrantConstraints
Overview
Use this structure to allow cryptographic operations (docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) in the grant only when the operation request includes the specified encryption context (docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context).
KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric KMS key (docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks). Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or RetireGrant.
In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.
However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.
To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: (docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) in the Key Management Service Developer Guide.
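The matching rules above, modeled locally in Go as an added example; it is not SDK code and not part of the original page. Assumptions: the function names, the constructed sample context, `map[string]string` standing in for the SDK's `map[string]*string`, lower-casing as the key comparison, and denying any context whose keys differ only by case.

```go
package main

import (
	"fmt"
	"strings"
)

// fold lower-cases context keys; ok is false when two keys differ only by case.
func fold(ctx map[string]string) (map[string]string, bool) {
	out, ok := make(map[string]string, len(ctx)), true
	for k, v := range ctx {
		lk := strings.ToLower(k) // assumption: simple lower-casing models the key comparison
		if _, dup := out[lk]; dup {
			ok = false
		}
		out[lk] = v
	}
	return out, ok
}

// SubsetAllows models EncryptionContextSubset: constraint pairs must appear in the request.
func SubsetAllows(constraint, request map[string]string) bool {
	c, okC := fold(constraint)
	r, okR := fold(request)
	if !okC || !okR {
		return false // ambiguous keys: this model denies instead of guessing
	}
	for k, v := range c {
		if rv, found := r[k]; !found || rv != v { // values stay case sensitive
			return false
		}
	}
	return true
}

// EqualsAllows models EncryptionContextEquals: the same pairs and nothing extra.
func EqualsAllows(constraint, request map[string]string) bool {
	return len(constraint) == len(request) && SubsetAllows(constraint, request)
}

func main() {
	grant := map[string]string{"Department": "Finance"} // constructed sample
	for _, req := range []map[string]string{
		{"department": "Finance"}, {"Department": "finance"},
		{"Department": "Finance", "Project": "Alpha"},
	} {
		fmt.Println(req, "equals:", EqualsAllows(grant, req), "subset:", SubsetAllows(grant, req))
	}
}
```

A request accepted here through a key that differs in case still has to satisfy the exact, case-sensitive match between the encryption and decryption contexts described above.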
Implemented Interfaces
s3crypto.Cipher, s3manager.ReadSeekerWriteTo, s3manager.WriterReadFrom
Structure Field Summary
-
EncryptionContextEquals map[string]*string
A list of key-value pairs that must match the encryption context in the cryptographic operation (docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) request.
-
EncryptionContextSubset map[string]*string
A list of key-value pairs that must be included in the encryption context of the cryptographic operation (docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) request.
- _ struct{}
Service Operations
-
GoString() string
operation
GoString returns the string representation.
-
SetEncryptionContextEquals(map[string]*string) *GrantConstraints
operation
SetEncryptionContextEquals sets the EncryptionContextEquals field's value.
-
SetEncryptionContextSubset(map[string]*string) *GrantConstraints
operation
SetEncryptionContextSubset sets the EncryptionContextSubset field's value.
-
String() string
operation
String returns the string representation.
Structure Field Details
EncryptionContextEquals map[string]*string
`type:"map"`
A list of key-value pairs that must match the encryption context in the cryptographic operation (docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.
EncryptionContextSubset map[string]*string
`type:"map"`
A list of key-value pairs that must be included in the encryption context of the cryptographic operation (docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.
_ struct{}
`type:"structure"`
Method Details
func (s GrantConstraints) GoString() string
GoString returns the string representation.
API parameter values that are decorated as “sensitive” in the API will not be included in the string output. The member name will be present, but the value will be replaced with “sensitive”.
// File 'service/kms/api.go', line 12923
func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints
SetEncryptionContextEquals sets the EncryptionContextEquals field's value.
// File 'service/kms/api.go', line 12928
func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints
SetEncryptionContextSubset sets the EncryptionContextSubset field's value.
// File 'service/kms/api.go', line 12934
func (s GrantConstraints) String() string
String returns the string representation.
API parameter values that are decorated as “sensitive” in the API will not be included in the string output. The member name will be present, but the value will be replaced with “sensitive”.
// File 'service/kms/api.go', line 12914