com.amazonaws.services.kms.model

Class GrantConstraints

java.lang.Object

com.amazonaws.services.kms.model.GrantConstraints

All Implemented Interfaces:

StructuredPojo, Serializable, Cloneable

@Generated(value="com.amazonaws:aws-java-sdk-code-generator")
public class GrantConstraints
extends Object
implements Serializable, Cloneable, StructuredPojo

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

AWS KMS applies the grant constraints only when the grant allows a cryptographic operation that accepts an encryption context as input, such as the following.

• Encrypt

• Decrypt

• GenerateDataKey

• GenerateDataKeyWithoutPlaintext

• ReEncrypt

AWS KMS does not apply the grant constraints to other operations, such as DescribeKey or ScheduleKeyDeletion.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the AWS Key Management Service Developer Guide .

See Also:

AWS API Documentation, Serialized Form

Constructor Summary

Constructors

Constructor and Description
GrantConstraints()

Method Summary

Modifier and Type	Method and Description
GrantConstraints	addEncryptionContextEqualsEntry(String key, String value)
GrantConstraints	addEncryptionContextSubsetEntry(String key, String value)
GrantConstraints	clearEncryptionContextEqualsEntries() Removes all the entries added into EncryptionContextEquals.
GrantConstraints	clearEncryptionContextSubsetEntries() Removes all the entries added into EncryptionContextSubset.
GrantConstraints	clone()
boolean	equals(Object obj)
Map<String,String>	getEncryptionContextEquals() A list of key-value pairs that must match the encryption context in the cryptographic operation request.
Map<String,String>	getEncryptionContextSubset() A list of key-value pairs that must be included in the encryption context of the cryptographic operation request.
int	hashCode()
void	marshall(ProtocolMarshaller protocolMarshaller) Marshalls this structured data using the given ProtocolMarshaller.
void	setEncryptionContextEquals(Map<String,String> encryptionContextEquals) A list of key-value pairs that must match the encryption context in the cryptographic operation request.
void	setEncryptionContextSubset(Map<String,String> encryptionContextSubset) A list of key-value pairs that must be included in the encryption context of the cryptographic operation request.
String	toString() Returns a string representation of this object.
GrantConstraints	withEncryptionContextEquals(Map<String,String> encryptionContextEquals) A list of key-value pairs that must match the encryption context in the cryptographic operation request.
GrantConstraints	withEncryptionContextSubset(Map<String,String> encryptionContextSubset) A list of key-value pairs that must be included in the encryption context of the cryptographic operation request.

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

GrantConstraints

public GrantConstraints()

Method Detail

getEncryptionContextSubset

public Map<String,String> getEncryptionContextSubset()

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Returns:

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

setEncryptionContextSubset

public void setEncryptionContextSubset(Map<String,String> encryptionContextSubset)

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Parameters:

encryptionContextSubset - A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

withEncryptionContextSubset

public GrantConstraints withEncryptionContextSubset(Map<String,String> encryptionContextSubset)

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Parameters:

encryptionContextSubset - A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Returns:

Returns a reference to this object so that method calls can be chained together.

addEncryptionContextSubsetEntry

public GrantConstraints addEncryptionContextSubsetEntry(String key,
                                                        String value)

clearEncryptionContextSubsetEntries

public GrantConstraints clearEncryptionContextSubsetEntries()

Removes all the entries added into EncryptionContextSubset.

Returns:

Returns a reference to this object so that method calls can be chained together.

getEncryptionContextEquals

public Map<String,String> getEncryptionContextEquals()

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

Returns:

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

setEncryptionContextEquals

public void setEncryptionContextEquals(Map<String,String> encryptionContextEquals)

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

Parameters:

encryptionContextEquals - A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

withEncryptionContextEquals

public GrantConstraints withEncryptionContextEquals(Map<String,String> encryptionContextEquals)

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

Parameters:

encryptionContextEquals - A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

Returns:

Returns a reference to this object so that method calls can be chained together.

addEncryptionContextEqualsEntry

public GrantConstraints addEncryptionContextEqualsEntry(String key,
                                                        String value)

clearEncryptionContextEqualsEntries

public GrantConstraints clearEncryptionContextEqualsEntries()

Removes all the entries added into EncryptionContextEquals.

Returns:

Returns a reference to this object so that method calls can be chained together.

toString

public String toString()

Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be redacted from this string using a placeholder value.

Overrides:

toString in class Object

Returns:

A string representation of this object.

See Also:

Object.toString()

equals

public boolean equals(Object obj)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

clone

public GrantConstraints clone()

Overrides:

clone in class Object

marshall

public void marshall(ProtocolMarshaller protocolMarshaller)

Description copied from interface: StructuredPojo

Marshalls this structured data using the given ProtocolMarshaller.

Specified by:

marshall in interface StructuredPojo

Parameters:

protocolMarshaller - Implementation of ProtocolMarshaller used to marshall this object's data.