{ "description": "Grant is the Schema for the Grants API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "GrantSpec defines the desired state of Grant.", "properties": { "constraints": { "description": "Specifies a grant constraint.\n\nDo not include confidential or sensitive information in this field. This\nfield may be displayed in plaintext in CloudTrail logs and other output.\n\nKMS supports the EncryptionContextEquals and EncryptionContextSubset grant\nconstraints, which allow the permissions in the grant only when the encryption\ncontext in the request matches (EncryptionContextEquals) or includes (EncryptionContextSubset)\nthe encryption context specified in the constraint.\n\nThe encryption context grant constraints are supported only on grant operations\n(https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)\nthat include an EncryptionContext parameter, such as cryptographic operations\non symmetric encryption KMS keys. Grants with grant constraints can include\nthe DescribeKey and RetireGrant operations, but the constraint doesn't apply\nto these operations. If a grant with a grant constraint includes the CreateGrant\noperation, the constraint requires that any grants created with the CreateGrant\npermission have an equally strict or stricter encryption context constraint.\n\nYou cannot use an encryption context grant constraint for cryptographic operations\nwith asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't\nsupport an encryption context.\n\nEach constraint value can include up to 8 encryption context pairs. The encryption\ncontext value in each constraint cannot exceed 384 characters. For information\nabout grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints)\nin the Key Management Service Developer Guide. For more information about\nencryption context, see Encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)\nin the Key Management Service Developer Guide .", "properties": { "encryptionContextEquals": { "additionalProperties": { "type": "string" }, "type": "object" }, "encryptionContextSubset": { "additionalProperties": { "type": "string" }, "type": "object" } }, "type": "object", "additionalProperties": false }, "grantTokens": { "description": "A list of grant tokens.\n\nUse a grant token when your permission to call this operation comes from\na new grant that has not yet achieved eventual consistency. For more information,\nsee Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)\nand Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)\nin the Key Management Service Developer Guide.", "items": { "type": "string" }, "type": "array" }, "granteePrincipal": { "description": "The identity that gets the permissions specified in the grant.\n\nTo specify the grantee principal, use the Amazon Resource Name (ARN) of an\nAmazon Web Services principal. Valid principals include Amazon Web Services\naccounts, IAM users, IAM roles, federated users, and assumed role users.\nFor help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns)\nin the Identity and Access Management User Guide .", "type": "string" }, "keyID": { "description": "Identifies the KMS key for the grant. The grant gives principals permission\nto use this KMS key.\n\nSpecify the key ID or key ARN of the KMS key. To specify a KMS key in adifferent\nAmazon Web Services account, you must use the key ARN.\n\nFor example:\n\n - Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab\n\n - Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab\n\nTo get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.", "type": "string" }, "keyRef": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "name": { "description": "A friendly name for the grant. Use this value to prevent the unintended creation\nof duplicate grants when retrying this request.\n\nDo not include confidential or sensitive information in this field. This\nfield may be displayed in plaintext in CloudTrail logs and other output.\n\nWhen this value is absent, all CreateGrant requests result in a new grant\nwith a unique GrantId even if all the supplied parameters are identical.\nThis can result in unintended duplicates when you retry the CreateGrant request.\n\nWhen this value is present, you can retry a CreateGrant request with identical\nparameters; if the grant already exists, the original GrantId is returned\nwithout creating a new grant. Note that the returned grant token is unique\nwith every CreateGrant request, even when a duplicate GrantId is returned.\nAll grant tokens for the same grant ID can be used interchangeably.", "type": "string" }, "operations": { "description": "A list of operations that the grant permits.\n\nThis list must include only operations that are permitted in a grant. Also,\nthe operation must be supported on the KMS key. For example, you cannot create\na grant for a symmetric encryption KMS key that allows the Sign operation,\nor a grant for an asymmetric KMS key that allows the GenerateDataKey operation.\nIf you try, KMS returns a ValidationError exception. For details, see Grant\noperations (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)\nin the Key Management Service Developer Guide.", "items": { "type": "string" }, "type": "array" }, "retiringPrincipal": { "description": "The principal that has permission to use the RetireGrant operation to retire\nthe grant.\n\nTo specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)\nof an Amazon Web Services principal. Valid principals include Amazon Web\nServices accounts, IAM users, IAM roles, federated users, and assumed role\nusers. For help with the ARN syntax for a principal, see IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns)\nin the Identity and Access Management User Guide .\n\nThe grant determines the retiring principal. Other principals might have\npermission to retire the grant or revoke the grant. For details, see RevokeGrant\nand Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)\nin the Key Management Service Developer Guide.", "type": "string" } }, "required": [ "granteePrincipal", "operations" ], "type": "object", "additionalProperties": false }, "status": { "description": "GrantStatus defines the observed state of Grant", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "grantID": { "description": "The unique identifier for the grant.\n\nYou can use the GrantId in a ListGrants, RetireGrant, or RevokeGrant operation.", "type": "string" }, "grantToken": { "description": "The grant token.\n\nUse a grant token when your permission to call this operation comes from\na new grant that has not yet achieved eventual consistency. For more information,\nsee Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)\nand Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)\nin the Key Management Service Developer Guide.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }