Resource: aws_kms_grant

Provides a resource-based access control mechanism for a KMS customer master key.

Example Usage

resource "aws_kms_key" "a" {}

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "a" {
  name               = "iam-role-for-grant"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_kms_grant" "a" {
  name              = "my-grant"
  key_id            = aws_kms_key.a.key_id
  grantee_principal = aws_iam_role.a.arn
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]

  constraints {
    encryption_context_equals = {
      Department = "Finance"
    }
  }
}
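The constraints block above only takes effect on cryptographic operations that carry an encryption context, and encryption_context_equals requires an exact match. The following is an added example, not part of the provider documentation: a small local model of that evaluation so the grant's effect can be checked offline. The account id in the role ARN is a placeholder, and the model ignores grant tokens and eventual consistency.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Grant operations that take an encryption context; grant constraints apply
# only to these (management operations such as DescribeKey are unconstrained).
CONTEXT_OPERATIONS = {
    "Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo",
}


@dataclass
class Grant:
    """Local model of one KMS grant (constructed for this example, not an AWS object)."""
    grantee_principal: str
    operations: List[str]
    encryption_context_equals: Optional[Dict[str, str]] = None
    encryption_context_subset: Optional[Dict[str, str]] = None

    def allows(self, principal: str, operation: str,
               encryption_context: Optional[Dict[str, str]] = None) -> bool:
        """True if this grant alone permits the request, False otherwise."""
        ctx = encryption_context or {}
        if principal != self.grantee_principal or operation not in self.operations:
            return False
        if operation not in CONTEXT_OPERATIONS:
            return True
        # EncryptionContextEquals: the request context must match exactly.
        if self.encryption_context_equals is not None and ctx != self.encryption_context_equals:
            return False
        # EncryptionContextSubset: every constraint pair must appear in the request.
        if self.encryption_context_subset is not None:
            if any(ctx.get(k) != v for k, v in self.encryption_context_subset.items()):
                return False
        return True


# Constructed sample: the grant from the example above, with a placeholder account id.
ROLE_ARN = "arn:aws:iam::111122223333:role/iam-role-for-grant"
FINANCE_GRANT = Grant(ROLE_ARN, ["Encrypt", "Decrypt", "GenerateDataKey"],
                      encryption_context_equals={"Department": "Finance"})

if __name__ == "__main__":
    print(FINANCE_GRANT.allows(ROLE_ARN, "Decrypt", {"Department": "Finance"}))          # True
    print(FINANCE_GRANT.allows(ROLE_ARN, "Decrypt", {"Department": "Finance", "Team": "AP"}))  # False
    print(FINANCE_GRANT.allows(ROLE_ARN, "Decrypt"))                                    # False
```

A request with an extra context pair, or no context at all, is denied under the equals constraint; switching the block to encryption_context_subset would allow the extra pair while still requiring Department=Finance.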

Argument Reference

This resource supports the following arguments:

The constraints block supports the following arguments:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import KMS Grants using the Key ID and Grant ID separated by a colon (:). For example:

import {
  to = aws_kms_grant.test
  id = "1234abcd-12ab-34cd-56ef-1234567890ab:abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514"
}

Using terraform import, import KMS Grants using the Key ID and Grant ID separated by a colon (:). For example:

% terraform import aws_kms_grant.test 1234abcd-12ab-34cd-56ef-1234567890ab:abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514