software.amazon.awssdk.services.kms.model

Class GrantConstraints

java.lang.Object

software.amazon.awssdk.services.kms.model.GrantConstraints

All Implemented Interfaces:

Serializable, SdkPojo, ToCopyableBuilder<GrantConstraints.Builder,GrantConstraints>

@Generated(value="software.amazon.awssdk:codegen")
public final class GrantConstraints
extends Object
implements SdkPojo, Serializable, ToCopyableBuilder<GrantConstraints.Builder,GrantConstraints>

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric KMS key. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or RetireGrant.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the Key Management Service Developer Guide .

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	GrantConstraints.Builder

Method Summary

Modifier and Type	Method and Description
static GrantConstraints.Builder	builder()
Map<String,String>	encryptionContextEquals() A list of key-value pairs that must match the encryption context in the cryptographic operation request.
Map<String,String>	encryptionContextSubset() A list of key-value pairs that must be included in the encryption context of the cryptographic operation request.
boolean	equals(Object obj)
boolean	equalsBySdkFields(Object obj)
<T> Optional<T>	getValueForField(String fieldName, Class<T> clazz)
boolean	hasEncryptionContextEquals() For responses, this returns true if the service returned a value for the EncryptionContextEquals property.
boolean	hasEncryptionContextSubset() For responses, this returns true if the service returned a value for the EncryptionContextSubset property.
int	hashCode()
List<SdkField<?>>	sdkFields()
static Class<? extends GrantConstraints.Builder>	serializableBuilderClass()
GrantConstraints.Builder	toBuilder()
String	toString() Returns a string representation of this object.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.amazon.awssdk.utils.builder.ToCopyableBuilder

copy

Method Detail

hasEncryptionContextSubset

public final boolean hasEncryptionContextSubset()

For responses, this returns true if the service returned a value for the EncryptionContextSubset property. This DOES NOT check that the value is non-empty (for which, you should check the isEmpty() method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified.

encryptionContextSubset

public final Map<String,String> encryptionContextSubset()

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.

This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the hasEncryptionContextSubset() method.

Returns:

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

hasEncryptionContextEquals

public final boolean hasEncryptionContextEquals()

For responses, this returns true if the service returned a value for the EncryptionContextEquals property. This DOES NOT check that the value is non-empty (for which, you should check the isEmpty() method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified.

encryptionContextEquals

public final Map<String,String> encryptionContextEquals()

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.

This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the hasEncryptionContextEquals() method.

Returns:

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

toBuilder

public GrantConstraints.Builder toBuilder()

Specified by:

toBuilder in interface ToCopyableBuilder<GrantConstraints.Builder,GrantConstraints>

builder

public static GrantConstraints.Builder builder()

serializableBuilderClass

public static Class<? extends GrantConstraints.Builder> serializableBuilderClass()

hashCode

public final int hashCode()

Overrides:

hashCode in class Object

equals

public final boolean equals(Object obj)

Overrides:

equals in class Object

equalsBySdkFields

public final boolean equalsBySdkFields(Object obj)

Specified by:

equalsBySdkFields in interface SdkPojo

toString

public final String toString()

Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be redacted from this string using a placeholder value.

Overrides:

toString in class Object

getValueForField

public final <T> Optional<T> getValueForField(String fieldName,
                                              Class<T> clazz)

sdkFields

public final List<SdkField<?>> sdkFields()

Specified by:

sdkFields in interface SdkPojo