aws-sdk-kms 1.125.0 → 1.128.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44466e74f7e07d9f61fcbee606018257fba134bf9c92db73acf9fe5a92215868
-  data.tar.gz: 3f566bc6ab1342aeec3493816de438632f95af581ffbf4ebaf80224f1bf0b102
+  metadata.gz: 73210444b9fa683dcdacac83f659ddf907506ad8e74e6cacf39421dde614383a
+  data.tar.gz: 247f1d057d4a3b9f397ab499769ee97095a355ec15463c6ad91d82967a498287
 SHA512:
-  metadata.gz: 267934fc68e734fb9f762aab74a4fa8a9c4b1dfad9bbdf284d8880da0835e28e51e8e52b8808c5e2b95ff57b823bf16d6e0d51d045e479416da40bbf0520bfa2
-  data.tar.gz: 68e3b0cbb7c0caa85d35ed59f62d49265cfcf7c9fe2b9157e5b7cdbc89764ea2da3468476c3042df5132e6502e89fd5f7eaed16c49b5a0084b2842ea72e898c8
+  metadata.gz: 7fd145827e2919287e137f20f3145b7daa1b648f1f1da435f4f29a5eeeb2b3354de6a35383b24075cd3e471aeac58ef017dcee6f4a6f2d14fea6e7e748cd2ada
+  data.tar.gz: 63b5bda764beef1d9bb4da0f14fe562569531912198bd3fea13859fd222b1a35f8c86c0b8ee9fa4f2f3a96aabfa1ccaf3dcd1207e763d52f7b7af4fb3a9e703e

data/CHANGELOG.md

@@ -1,6 +1,21 @@
 Unreleased Changes
 ------------------
 
+1.128.0 (2026-05-21)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.127.0 (2026-05-20)
+------------------
+
+* Feature - AWS KMS now supports creating grants for AWS service principals using new GranteeServicePrincipal and RetiringServicePrincipal parameters. This release adds SourceArn grant constraint and three condition keys for controlling CreateGrant access. For more information, see Grants in AWS KMS.
+
+1.126.0 (2026-05-19)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
 1.125.0 (2026-05-13)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.125.0
+1.128.0

data/lib/aws-sdk-kms/client.rb

@@ -199,7 +199,7 @@ module Aws::KMS
     #     the required types.
     #
     #   @option options [Boolean] :correct_clock_skew (true)
-    #     Used only in `standard` and adaptive retry modes. Specifies whether to apply
+    #     Used only in `standard` and `adaptive` retry modes. Specifies whether to apply
     #     a clock skew correction and retry requests with skewed client clocks.
     #
     #   @option options [String] :defaults_mode ("legacy")
@@ -323,17 +323,15 @@ module Aws::KMS
     #   @option options [String] :retry_mode ("legacy")
     #     Specifies which retry algorithm to use. Values are:
     #
-    #     * `legacy` - The pre-existing retry behavior.  This is default value if
-    #       no retry mode is provided.
+    #     * `legacy` - The pre-existing retry behavior. This is the default
+    #       value if no retry mode is provided.
     #
     #     * `standard` - A standardized set of retry rules across the AWS SDKs.
     #       This includes support for retry quotas, which limit the number of
     #       unsuccessful retries a client can make.
     #
-    #     * `adaptive` - An experimental retry mode that includes all the
-    #       functionality of `standard` mode along with automatic client side
-    #       throttling.  This is a provisional mode that may change behavior
-    #       in the future.
+    #     * `adaptive` - A retry mode that includes all the functionality of
+    #       `standard` mode along with automatic client side throttling.
     #
     #   @option options [String] :sdk_ua_app_id
     #     A unique and opaque application ID that is appended to the
@@ -1247,6 +1245,12 @@ module Aws::KMS
     # temporary permissions because you can create one, use its permissions,
     # and delete it without changing your key policies or IAM policies.
     #
+    # You can create a grant for an Amazon Web Services principal (IAM user,
+    # IAM role, or Amazon Web Services account) by specifying the
+    # `GranteePrincipal` parameter. You can also create a grant for an
+    # Amazon Web Services service principal by specifying the
+    # `GranteeServicePrincipal` parameter.
+    #
     # For detailed information about grants, including grant terminology,
     # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
     # Guide</i> </i>. For examples of creating grants in several programming
@@ -1320,7 +1324,7 @@ module Aws::KMS
     #   To get the key ID and key ARN for a KMS key, use ListKeys or
     #   DescribeKey.
     #
-    # @option params [required, String] :grantee_principal
+    # @option params [String] :grantee_principal
     #   The identity that gets the permissions specified in the grant.
     #
     #   To specify the grantee principal, use the Amazon Resource Name (ARN)
@@ -1330,6 +1334,9 @@ module Aws::KMS
     #   [IAM ARNs][1] in the <i> <i>Identity and Access Management User
     #   Guide</i> </i>.
     #
+    #   You must specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
@@ -1350,6 +1357,9 @@ module Aws::KMS
     #   see RevokeGrant and [Retiring and revoking grants][3] in the *Key
     #   Management Service Developer Guide*.
     #
+    #   You can specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
@@ -1378,39 +1388,52 @@ module Aws::KMS
     #   This field may be displayed in plaintext in CloudTrail logs and other
     #   output.
     #
-    #   KMS supports the `EncryptionContextEquals` and
-    #   `EncryptionContextSubset` grant constraints, which allow the
-    #   permissions in the grant only when the encryption context in the
-    #   request matches (`EncryptionContextEquals`) or includes
-    #   (`EncryptionContextSubset`) the encryption context specified in the
-    #   constraint.
-    #
-    #   The encryption context grant constraints are supported only on [grant
-    #   operations][1] that include an `EncryptionContext` parameter, such as
-    #   cryptographic operations on symmetric encryption KMS keys. Grants with
-    #   grant constraints can include the DescribeKey and RetireGrant
-    #   operations, but the constraint doesn't apply to these operations. If
-    #   a grant with a grant constraint includes the `CreateGrant` operation,
-    #   the constraint requires that any grants created with the `CreateGrant`
-    #   permission have an equally strict or stricter encryption context
-    #   constraint.
-    #
-    #   You cannot use an encryption context grant constraint for
-    #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
-    #   Operations with these keys don't support an encryption context.
-    #
-    #   Each constraint value can include up to 8 encryption context pairs.
-    #   The encryption context value in each constraint cannot exceed 384
-    #   characters. For information about grant constraints, see [Using grant
-    #   constraints][2] in the *Key Management Service Developer Guide*. For
-    #   more information about encryption context, see [Encryption context][3]
-    #   in the <i> <i>Key Management Service Developer Guide</i> </i>.
+    #   KMS supports the following grant constraints.
+    #
+    #   * `EncryptionContextEquals` and `EncryptionContextSubset` — These
+    #     encryption context grant constraints allow the permissions in the
+    #     grant only when the encryption context in the request matches
+    #     (`EncryptionContextEquals`) or includes (`EncryptionContextSubset`)
+    #     the encryption context specified in the constraint.
+    #
+    #     Encryption context grant constraints are supported only on [grant
+    #     operations][1] that include an `EncryptionContext` parameter, such
+    #     as cryptographic operations on symmetric encryption KMS keys. You
+    #     cannot use an encryption context grant constraint for cryptographic
+    #     operations with asymmetric KMS keys or HMAC KMS keys. Operations
+    #     with these keys don't support an encryption context. Grants with
+    #     encryption context grant constraints can include the DescribeKey and
+    #     RetireGrant operations, but the constraint doesn't apply to these
+    #     operations. If a grant with an encryption context grant constraint
+    #     includes the `CreateGrant` operation, the constraint requires that
+    #     any grants created with the `CreateGrant` permission have an equally
+    #     strict or stricter encryption context constraint.
+    #
+    #     Each constraint value can include up to 8 encryption context pairs.
+    #     The encryption context value in each constraint cannot exceed 384
+    #     characters. For more information about encryption context, see
+    #     [Encryption context][2] in the <i> <i>Key Management Service
+    #     Developer Guide</i> </i>.
+    #
+    #   * `SourceArn` — This grant constraint allows the permissions in the
+    #     grant only when the request is made on behalf of a specific Amazon
+    #     Web Services resource, identified by its [Amazon Resource Name
+    #     (ARN)][3]. This is effectively the same as having the
+    #     [aws:SourceArn][4] global condition key in the grant. The SourceArn
+    #     constraint is supported on grants for all types of KMS keys and can
+    #     also be applied to the DescribeKey operation when specified in the
+    #     request. However, it does not apply to RetireGrant operation.
+    #
+    #   For information about grant constraints, see [Using grant
+    #   constraints][5] in the *Key Management Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #
     # @option params [Array<String>] :grant_tokens
     #   A list of grant tokens.
@@ -1456,6 +1479,32 @@ module Aws::KMS
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #
+    # @option params [String] :grantee_service_principal
+    #   The Amazon Web Services [service principal][1] that gets the
+    #   permissions specified in the grant.
+    #
+    #   When you specify a `GranteeServicePrincipal`, you must also specify a
+    #   `SourceArn` grant constraint. In addition, you must specify either a
+    #   `RetiringPrincipal` or a `RetiringServicePrincipal`.
+    #
+    #   You must specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #
+    # @option params [String] :retiring_service_principal
+    #   The Amazon Web Services [service principal][1] that has permission to
+    #   use the RetireGrant operation to retire the grant.
+    #
+    #   You can specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #
     # @return [Types::CreateGrantResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateGrantResponse#grant_token #grant_token} => String
@@ -1481,11 +1530,38 @@ module Aws::KMS
     #     grant_token: "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW__MSrqnre1HIN0Grt00ViSSuUjhqOC8OT3YAAADfMIHcBgkqhkiG9w0BBwaggc4wgcsCAQAwgcUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmqLyBTAegIn9XlK5AgEQgIGXZQjkBcl1dykDdqZBUQ6L1OfUivQy7JVYO2-ZJP7m6f1g8GzV47HX5phdtONAP7K_HQIflcgpkoCqd_fUnE114mSmiagWkbQ5sqAVV3ov-VeqgrvMe5ZFEWLMSluvBAqdjHEdMIkHMlhlj4ENZbzBfo9Wxk8b8SnwP4kc4gGivedzFXo-dwN8fxjjq_ZZ9JFOj2ijIbj5FyogDCN0drOfi8RORSEuCEmPvjFRMFAwcmwFkN2NPp89amA", # The grant token.
     #   }
     #
+    # @example Example: To create a grant for a service principal
+    #
+    #   # The following example creates a grant that allows the specified AWS service principal to encrypt and decrypt data with
+    #   # the specified KMS key. The grant includes a SourceArn constraint that restricts the grant permissions to requests
+    #   # associated with the specified DynamoDB table.
+    #
+    #   resp = client.create_grant({
+    #     constraints: {
+    #       source_arn: "arn:aws:dynamodb:us-east-2:444455556666:table/ExampleTable", 
+    #     }, # The SourceArn grant constraint restricts the grant permissions to requests associated with the specified AWS resource.
+    #     grantee_service_principal: "service-name.amazonaws.com", # The AWS service principal that is given permission to perform the operations specified in the grant.
+    #     key_id: "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key to which the grant applies. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #     operations: [
+    #       "Encrypt", 
+    #       "Decrypt", 
+    #       "GenerateDataKey", 
+    #       "DescribeKey", 
+    #     ], # A list of operations that the grant allows.
+    #     retiring_service_principal: "service-name.amazonaws.com", # The AWS service principal that can retire the grant.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     grant_id: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", # The unique identifier of the grant.
+    #     grant_token: "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW...", # The grant token.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.create_grant({
     #     key_id: "KeyIdType", # required
-    #     grantee_principal: "PrincipalIdType", # required
+    #     grantee_principal: "PrincipalIdType",
     #     retiring_principal: "PrincipalIdType",
     #     operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateMac, VerifyMac, DeriveSharedSecret
     #     constraints: {
@@ -1495,10 +1571,13 @@ module Aws::KMS
     #       encryption_context_equals: {
     #         "EncryptionContextKey" => "EncryptionContextValue",
     #       },
+    #       source_arn: "GrantConstraintSourceArnType",
     #     },
     #     grant_tokens: ["GrantTokenType"],
     #     name: "GrantNameType",
     #     dry_run: false,
+    #     grantee_service_principal: "ServicePrincipalType",
+    #     retiring_service_principal: "ServicePrincipalType",
     #   })
     #
     # @example Response structure
@@ -7456,7 +7535,7 @@ module Aws::KMS
     # Gets a list of all grants for the specified KMS key.
     #
     # You must specify the KMS key in all requests. You can filter the grant
-    # list by grant ID or grantee principal.
+    # list by grant ID, grantee principal, or grantee service principal.
     #
     # For detailed information about grants, including grant terminology,
     # see [Grants in KMS][1] in the <i> <i>Key Management Service Developer
@@ -7464,12 +7543,18 @@ module Aws::KMS
     # languages, see [Use CreateGrant with an Amazon Web Services SDK or
     # CLI][2].
     #
-    # <note markdown="1"> The `GranteePrincipal` field in the `ListGrants` response usually
-    # contains the user or role designated as the grantee principal in the
-    # grant. However, when the grantee principal in the grant is an Amazon
-    # Web Services service, the `GranteePrincipal` field contains the
-    # [service principal][3], which might represent several different
-    # grantee principals.
+    # <note markdown="1"> When a grant is created with the `GranteePrincipal` field, the
+    # `ListGrants` response usually contains the user or role designated as
+    # the grantee principal in the grant. However, if the grantee principal
+    # is an Amazon Web Services service, the `GranteePrincipal` field
+    # contains an Amazon Web Services [service principal][3], which might
+    # correspond to several different grantee principals, such as an IAM
+    # user, IAM role, or Amazon Web Services account.
+    #
+    #  When a grant is created with the `GranteeServicePrincipal` field, the
+    # `ListGrants` response always includes a `GranteeServicePrincipal` that
+    # indicates the grantee is actually an Amazon Web Services [service
+    # principal][3].
     #
     #  </note>
     #
@@ -7538,6 +7623,17 @@ module Aws::KMS
     #   Returns only grants where the specified principal is the grantee
     #   principal for the grant.
     #
+    #   You can specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
+    # @option params [String] :grantee_service_principal
+    #   Returns only grants where the specified Amazon Web Services service
+    #   principal is the grantee service principal for the grant. This filter
+    #   is only usable by callers in a service principal.
+    #
+    #   You can specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ListGrantsResponse#grants #grants} => Array&lt;Types::GrantListEntry&gt;
@@ -7613,6 +7709,40 @@ module Aws::KMS
     #     truncated: true, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
     #   }
     #
+    # @example Example: To list grants for a grantee service principal
+    #
+    #   # The following example lists grants for the specified KMS key that were created with a GranteeServicePrincipal. The
+    #   # response includes the GranteeServicePrincipal, RetiringServicePrincipal, and SourceArn constraint fields.
+    #
+    #   resp = client.list_grants({
+    #     grantee_service_principal: "service-name.amazonaws.com", # Returns only grants where the specified AWS service principal is the grantee service principal.
+    #     key_id: "1234abcd-12ab-34cd-56ef-1234567890ab", # The identifier of the KMS key whose grants you want to list. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     grants: [
+    #       {
+    #         constraints: {
+    #           source_arn: "arn:aws:dynamodb:us-east-2:111122223333:table/ExampleTable", 
+    #         }, 
+    #         creation_date: Time.parse("2026-03-06T10:15:00-08:00"), 
+    #         grant_id: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", 
+    #         grantee_service_principal: "service-name.amazonaws.com", 
+    #         issuing_account: "arn:aws:iam::111122223333:root", 
+    #         key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #         operations: [
+    #           "Encrypt", 
+    #           "Decrypt", 
+    #           "GenerateDataKey", 
+    #           "DescribeKey", 
+    #         ], 
+    #         retiring_service_principal: "service-name.amazonaws.com", 
+    #       }, 
+    #     ], # A list of grants.
+    #     truncated: false, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.list_grants({
@@ -7621,6 +7751,7 @@ module Aws::KMS
     #     key_id: "KeyIdType", # required
     #     grant_id: "GrantIdType",
     #     grantee_principal: "PrincipalIdType",
+    #     grantee_service_principal: "ServicePrincipalType",
     #   })
     #
     # @example Response structure
@@ -7639,6 +7770,9 @@ module Aws::KMS
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
     #   resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
+    #   resp.grants[0].constraints.source_arn #=> String
+    #   resp.grants[0].grantee_service_principal #=> String
+    #   resp.grants[0].retiring_service_principal #=> String
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
     #
@@ -8141,7 +8275,8 @@ module Aws::KMS
     end
 
     # Returns information about all grants in the Amazon Web Services
-    # account and Region that have the specified retiring principal.
+    # account and Region that have the specified retiring principal or
+    # retiring service principal.
     #
     # You can specify any principal in your Amazon Web Services account. The
     # grants that are returned include grants for KMS keys in your Amazon
@@ -8166,12 +8301,16 @@ module Aws::KMS
     # **Required permissions**: [kms:ListRetirableGrants][3] (IAM policy) in
     # your Amazon Web Services account.
     #
-    # <note markdown="1"> KMS authorizes `ListRetirableGrants` requests by evaluating the caller
-    # account's kms:ListRetirableGrants permissions. The authorized
-    # resource in `ListRetirableGrants` calls is the retiring principal
-    # specified in the request. KMS does not evaluate the caller's
-    # permissions to verify their access to any KMS keys or grants that
-    # might be returned by the `ListRetirableGrants` call.
+    # <note markdown="1"> When listing retirable grants by `RetiringPrincipal`, KMS authorizes
+    # `ListRetirableGrants` requests by evaluating the caller account's
+    # kms:ListRetirableGrants permissions. The authorized resource in
+    # `ListRetirableGrants` calls is the retiring principal specified in the
+    # request. KMS does not evaluate the caller's permissions to verify
+    # their access to any KMS keys or grants that might be returned by the
+    # `ListRetirableGrants` call.
+    #
+    #  The `RetiringServicePrincipal` filter is only usable by callers in a
+    # service principal.
     #
     #  </note>
     #
@@ -8208,7 +8347,7 @@ module Aws::KMS
     #   response with truncated results. Set it to the value of `NextMarker`
     #   from the truncated response you just received.
     #
-    # @option params [required, String] :retiring_principal
+    # @option params [String] :retiring_principal
     #   The retiring principal for which to list grants. Enter a principal in
     #   your Amazon Web Services account.
     #
@@ -8219,11 +8358,21 @@ module Aws::KMS
     #   principal, see [IAM ARNs][2] in the <i> <i>Identity and Access
     #   Management User Guide</i> </i>.
     #
+    #   You must specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #
+    # @option params [String] :retiring_service_principal
+    #   The retiring service principal for which to list grants. This filter
+    #   is only usable by callers in a service principal.
+    #
+    #   You must specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     # @return [Types::ListGrantsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ListGrantsResponse#grants #grants} => Array&lt;Types::GrantListEntry&gt;
@@ -8260,12 +8409,45 @@ module Aws::KMS
     #     truncated: false, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
     #   }
     #
+    # @example Example: To list grants that the specified service principal can retire
+    #
+    #   # The following example lists the grants that the specified AWS service principal can retire.
+    #
+    #   resp = client.list_retirable_grants({
+    #     retiring_service_principal: "service-name.amazonaws.com", # The retiring service principal whose grants you want to list. Use the AWS service principal name of the service (for example, service-name.amazonaws.com).
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     grants: [
+    #       {
+    #         constraints: {
+    #           source_arn: "arn:aws:dynamodb:us-east-2:444455556666:table/ExampleTable", 
+    #         }, 
+    #         creation_date: Time.parse("2026-03-06T10:15:00-08:00"), 
+    #         grant_id: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", 
+    #         grantee_service_principal: "service-name.amazonaws.com", 
+    #         issuing_account: "arn:aws:iam::444455556666:root", 
+    #         key_id: "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", 
+    #         operations: [
+    #           "Encrypt", 
+    #           "Decrypt", 
+    #           "GenerateDataKey", 
+    #           "DescribeKey", 
+    #         ], 
+    #         retiring_service_principal: "service-name.amazonaws.com", 
+    #       }, 
+    #     ], # A list of grants that the specified service principal can retire.
+    #     truncated: false, # A boolean that indicates whether there are more items in the list. Returns true when there are more items, or false when there are not.
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.list_retirable_grants({
     #     limit: 1,
     #     marker: "MarkerType",
-    #     retiring_principal: "PrincipalIdType", # required
+    #     retiring_principal: "PrincipalIdType",
+    #     retiring_service_principal: "ServicePrincipalType",
     #   })
     #
     # @example Response structure
@@ -8284,6 +8466,9 @@ module Aws::KMS
     #   resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
     #   resp.grants[0].constraints.encryption_context_equals #=> Hash
     #   resp.grants[0].constraints.encryption_context_equals["EncryptionContextKey"] #=> String
+    #   resp.grants[0].constraints.source_arn #=> String
+    #   resp.grants[0].grantee_service_principal #=> String
+    #   resp.grants[0].retiring_service_principal #=> String
     #   resp.next_marker #=> String
     #   resp.truncated #=> Boolean
     #
@@ -8518,6 +8703,13 @@ module Aws::KMS
     # key state. For details, see [Key states of KMS keys][6] in the *Key
     # Management Service Developer Guide*.
     #
+    # <note markdown="1"> When using grants with `SourceArn` constraints for `ReEncrypt`
+    # operations, the grants on both the source KMS key (for
+    # `ReEncryptFrom`) and the destination KMS key (for `ReEncryptTo`) must
+    # specify the same `SourceArn` value.
+    #
+    #  </note>
+    #
     # **Cross-account use**: Yes. The source KMS key and destination KMS key
     # can be in different Amazon Web Services accounts. Either or both KMS
     # keys can be in a different account than the caller. To specify a KMS
@@ -11363,7 +11555,7 @@ module Aws::KMS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-kms'
-      context[:gem_version] = '1.125.0'
+      context[:gem_version] = '1.128.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-kms/client_api.rb

@@ -118,6 +118,7 @@ module Aws::KMS
     GetParametersForImportResponse = Shapes::StructureShape.new(name: 'GetParametersForImportResponse')
     GetPublicKeyRequest = Shapes::StructureShape.new(name: 'GetPublicKeyRequest')
     GetPublicKeyResponse = Shapes::StructureShape.new(name: 'GetPublicKeyResponse')
+    GrantConstraintSourceArnType = Shapes::StringShape.new(name: 'GrantConstraintSourceArnType')
     GrantConstraints = Shapes::StructureShape.new(name: 'GrantConstraints')
     GrantIdType = Shapes::StringShape.new(name: 'GrantIdType')
     GrantList = Shapes::ListShape.new(name: 'GrantList')
@@ -217,6 +218,7 @@ module Aws::KMS
     RotationsListEntry = Shapes::StructureShape.new(name: 'RotationsListEntry')
     ScheduleKeyDeletionRequest = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionRequest')
     ScheduleKeyDeletionResponse = Shapes::StructureShape.new(name: 'ScheduleKeyDeletionResponse')
+    ServicePrincipalType = Shapes::StringShape.new(name: 'ServicePrincipalType')
     SignRequest = Shapes::StructureShape.new(name: 'SignRequest')
     SignResponse = Shapes::StructureShape.new(name: 'SignResponse')
     SigningAlgorithmSpec = Shapes::StringShape.new(name: 'SigningAlgorithmSpec')
@@ -326,13 +328,15 @@ module Aws::KMS
     CreateCustomKeyStoreResponse.struct_class = Types::CreateCustomKeyStoreResponse
 
     CreateGrantRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
-    CreateGrantRequest.add_member(:grantee_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, required: true, location_name: "GranteePrincipal"))
+    CreateGrantRequest.add_member(:grantee_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "GranteePrincipal"))
     CreateGrantRequest.add_member(:retiring_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "RetiringPrincipal"))
     CreateGrantRequest.add_member(:operations, Shapes::ShapeRef.new(shape: GrantOperationList, required: true, location_name: "Operations"))
     CreateGrantRequest.add_member(:constraints, Shapes::ShapeRef.new(shape: GrantConstraints, location_name: "Constraints"))
     CreateGrantRequest.add_member(:grant_tokens, Shapes::ShapeRef.new(shape: GrantTokenList, location_name: "GrantTokens"))
     CreateGrantRequest.add_member(:name, Shapes::ShapeRef.new(shape: GrantNameType, location_name: "Name"))
     CreateGrantRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: NullableBooleanType, location_name: "DryRun"))
+    CreateGrantRequest.add_member(:grantee_service_principal, Shapes::ShapeRef.new(shape: ServicePrincipalType, location_name: "GranteeServicePrincipal"))
+    CreateGrantRequest.add_member(:retiring_service_principal, Shapes::ShapeRef.new(shape: ServicePrincipalType, location_name: "RetiringServicePrincipal"))
     CreateGrantRequest.struct_class = Types::CreateGrantRequest
 
     CreateGrantResponse.add_member(:grant_token, Shapes::ShapeRef.new(shape: GrantTokenType, location_name: "GrantToken"))
@@ -631,6 +635,7 @@ module Aws::KMS
 
     GrantConstraints.add_member(:encryption_context_subset, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextSubset"))
     GrantConstraints.add_member(:encryption_context_equals, Shapes::ShapeRef.new(shape: EncryptionContextType, location_name: "EncryptionContextEquals"))
+    GrantConstraints.add_member(:source_arn, Shapes::ShapeRef.new(shape: GrantConstraintSourceArnType, location_name: "SourceArn"))
     GrantConstraints.struct_class = Types::GrantConstraints
 
     GrantList.member = Shapes::ShapeRef.new(shape: GrantListEntry)
@@ -644,6 +649,8 @@ module Aws::KMS
     GrantListEntry.add_member(:issuing_account, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "IssuingAccount"))
     GrantListEntry.add_member(:operations, Shapes::ShapeRef.new(shape: GrantOperationList, location_name: "Operations"))
     GrantListEntry.add_member(:constraints, Shapes::ShapeRef.new(shape: GrantConstraints, location_name: "Constraints"))
+    GrantListEntry.add_member(:grantee_service_principal, Shapes::ShapeRef.new(shape: ServicePrincipalType, location_name: "GranteeServicePrincipal"))
+    GrantListEntry.add_member(:retiring_service_principal, Shapes::ShapeRef.new(shape: ServicePrincipalType, location_name: "RetiringServicePrincipal"))
     GrantListEntry.struct_class = Types::GrantListEntry
 
     GrantOperationList.member = Shapes::ShapeRef.new(shape: GrantOperation)
@@ -772,6 +779,7 @@ module Aws::KMS
     ListGrantsRequest.add_member(:key_id, Shapes::ShapeRef.new(shape: KeyIdType, required: true, location_name: "KeyId"))
     ListGrantsRequest.add_member(:grant_id, Shapes::ShapeRef.new(shape: GrantIdType, location_name: "GrantId"))
     ListGrantsRequest.add_member(:grantee_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "GranteePrincipal"))
+    ListGrantsRequest.add_member(:grantee_service_principal, Shapes::ShapeRef.new(shape: ServicePrincipalType, location_name: "GranteeServicePrincipal"))
     ListGrantsRequest.struct_class = Types::ListGrantsRequest
 
     ListGrantsResponse.add_member(:grants, Shapes::ShapeRef.new(shape: GrantList, location_name: "Grants"))
@@ -821,7 +829,8 @@ module Aws::KMS
 
     ListRetirableGrantsRequest.add_member(:limit, Shapes::ShapeRef.new(shape: LimitType, location_name: "Limit"))
     ListRetirableGrantsRequest.add_member(:marker, Shapes::ShapeRef.new(shape: MarkerType, location_name: "Marker"))
-    ListRetirableGrantsRequest.add_member(:retiring_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, required: true, location_name: "RetiringPrincipal"))
+    ListRetirableGrantsRequest.add_member(:retiring_principal, Shapes::ShapeRef.new(shape: PrincipalIdType, location_name: "RetiringPrincipal"))
+    ListRetirableGrantsRequest.add_member(:retiring_service_principal, Shapes::ShapeRef.new(shape: ServicePrincipalType, location_name: "RetiringServicePrincipal"))
     ListRetirableGrantsRequest.struct_class = Types::ListRetirableGrantsRequest
 
     MacAlgorithmSpecList.member = Shapes::ShapeRef.new(shape: MacAlgorithmSpec)

data/lib/aws-sdk-kms/types.rb

@@ -605,6 +605,9 @@ module Aws::KMS
     #   see [IAM ARNs][1] in the <i> <i>Identity and Access Management User
     #   Guide</i> </i>.
     #
+    #   You must specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
@@ -626,6 +629,9 @@ module Aws::KMS
     #   details, see RevokeGrant and [Retiring and revoking grants][3] in
     #   the *Key Management Service Developer Guide*.
     #
+    #   You can specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
@@ -656,40 +662,55 @@ module Aws::KMS
     #   This field may be displayed in plaintext in CloudTrail logs and
     #   other output.
     #
-    #   KMS supports the `EncryptionContextEquals` and
-    #   `EncryptionContextSubset` grant constraints, which allow the
-    #   permissions in the grant only when the encryption context in the
-    #   request matches (`EncryptionContextEquals`) or includes
-    #   (`EncryptionContextSubset`) the encryption context specified in the
-    #   constraint.
-    #
-    #   The encryption context grant constraints are supported only on
-    #   [grant operations][1] that include an `EncryptionContext` parameter,
-    #   such as cryptographic operations on symmetric encryption KMS keys.
-    #   Grants with grant constraints can include the DescribeKey and
-    #   RetireGrant operations, but the constraint doesn't apply to these
-    #   operations. If a grant with a grant constraint includes the
-    #   `CreateGrant` operation, the constraint requires that any grants
-    #   created with the `CreateGrant` permission have an equally strict or
-    #   stricter encryption context constraint.
-    #
-    #   You cannot use an encryption context grant constraint for
-    #   cryptographic operations with asymmetric KMS keys or HMAC KMS keys.
-    #   Operations with these keys don't support an encryption context.
-    #
-    #   Each constraint value can include up to 8 encryption context pairs.
-    #   The encryption context value in each constraint cannot exceed 384
-    #   characters. For information about grant constraints, see [Using
-    #   grant constraints][2] in the *Key Management Service Developer
-    #   Guide*. For more information about encryption context, see
-    #   [Encryption context][3] in the <i> <i>Key Management Service
-    #   Developer Guide</i> </i>.
+    #   KMS supports the following grant constraints.
+    #
+    #   * `EncryptionContextEquals` and `EncryptionContextSubset` — These
+    #     encryption context grant constraints allow the permissions in the
+    #     grant only when the encryption context in the request matches
+    #     (`EncryptionContextEquals`) or includes
+    #     (`EncryptionContextSubset`) the encryption context specified in
+    #     the constraint.
+    #
+    #     Encryption context grant constraints are supported only on [grant
+    #     operations][1] that include an `EncryptionContext` parameter, such
+    #     as cryptographic operations on symmetric encryption KMS keys. You
+    #     cannot use an encryption context grant constraint for
+    #     cryptographic operations with asymmetric KMS keys or HMAC KMS
+    #     keys. Operations with these keys don't support an encryption
+    #     context. Grants with encryption context grant constraints can
+    #     include the DescribeKey and RetireGrant operations, but the
+    #     constraint doesn't apply to these operations. If a grant with an
+    #     encryption context grant constraint includes the `CreateGrant`
+    #     operation, the constraint requires that any grants created with
+    #     the `CreateGrant` permission have an equally strict or stricter
+    #     encryption context constraint.
+    #
+    #     Each constraint value can include up to 8 encryption context
+    #     pairs. The encryption context value in each constraint cannot
+    #     exceed 384 characters. For more information about encryption
+    #     context, see [Encryption context][2] in the <i> <i>Key Management
+    #     Service Developer Guide</i> </i>.
+    #
+    #   * `SourceArn` — This grant constraint allows the permissions in the
+    #     grant only when the request is made on behalf of a specific Amazon
+    #     Web Services resource, identified by its [Amazon Resource Name
+    #     (ARN)][3]. This is effectively the same as having the
+    #     [aws:SourceArn][4] global condition key in the grant. The
+    #     SourceArn constraint is supported on grants for all types of KMS
+    #     keys and can also be applied to the DescribeKey operation when
+    #     specified in the request. However, it does not apply to
+    #     RetireGrant operation.
+    #
+    #   For information about grant constraints, see [Using grant
+    #   constraints][5] in the *Key Management Service Developer Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
-    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
-    #   [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
+    #   [5]: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints
     #   @return [Types::GrantConstraints]
     #
     # @!attribute [rw] grant_tokens
@@ -739,6 +760,34 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html
     #   @return [Boolean]
     #
+    # @!attribute [rw] grantee_service_principal
+    #   The Amazon Web Services [service principal][1] that gets the
+    #   permissions specified in the grant.
+    #
+    #   When you specify a `GranteeServicePrincipal`, you must also specify
+    #   a `SourceArn` grant constraint. In addition, you must specify either
+    #   a `RetiringPrincipal` or a `RetiringServicePrincipal`.
+    #
+    #   You must specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #   @return [String]
+    #
+    # @!attribute [rw] retiring_service_principal
+    #   The Amazon Web Services [service principal][1] that has permission
+    #   to use the RetireGrant operation to retire the grant.
+    #
+    #   You can specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrantRequest AWS API Documentation
     #
     class CreateGrantRequest < Struct.new(
@@ -749,7 +798,9 @@ module Aws::KMS
       :constraints,
       :grant_tokens,
       :name,
-      :dry_run)
+      :dry_run,
+      :grantee_service_principal,
+      :retiring_service_principal)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3851,36 +3902,49 @@ module Aws::KMS
     end
 
     # Use this structure to allow [cryptographic operations][1] in the grant
-    # only when the operation request includes the specified [encryption
-    # context][2].
+    # only when the operation request meets the specified constraints.
     #
-    # KMS applies the grant constraints only to cryptographic operations
-    # that support an encryption context, that is, all cryptographic
-    # operations with a symmetric KMS key. Grant constraints are not applied
-    # to operations that do not support an encryption context, such as
-    # cryptographic operations with asymmetric KMS keys and management
-    # operations, such as DescribeKey or RetireGrant.
+    # KMS supports the following grant constraints:
     #
-    # In a cryptographic operation, the encryption context in the decryption
-    # operation must be an exact, case-sensitive match for the keys and
-    # values in the encryption context of the encryption operation. Only the
-    # order of the pairs can vary.
+    # * `EncryptionContextEquals` and `EncryptionContextSubset` — These
+    #   encryption context constraints apply only to cryptographic
+    #   operations that support an encryption context, that is, all
+    #   cryptographic operations with a symmetric KMS key. Encryption
+    #   context grant constraints are not applied to operations that do not
+    #   support an encryption context, such as cryptographic operations with
+    #   asymmetric KMS keys and management operations, such as DescribeKey
+    #   or RetireGrant.
     #
-    #  However, in a grant constraint, the key in each key-value pair is not
-    # case sensitive, but the value is case sensitive.
+    #   In a cryptographic operation, the encryption context in the
+    #   decryption operation must be an exact, case-sensitive match for the
+    #   keys and values in the encryption context of the encryption
+    #   operation. Only the order of the pairs can vary.
     #
-    #  To avoid confusion, do not use multiple encryption context pairs that
-    # differ only by case. To require a fully case-sensitive encryption
-    # context, use the `kms:EncryptionContext:` and
-    # `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
-    # details, see [kms:EncryptionContext:context-key][3] in the <i> <i>Key
-    # Management Service Developer Guide</i> </i>.
+    #    However, in a grant constraint, the key in each key-value pair is
+    #   not case sensitive, but the value is case sensitive.
+    #
+    #    To avoid confusion, do not use multiple encryption context pairs
+    #   that differ only by case. To require a fully case-sensitive
+    #   encryption context, use the `kms:EncryptionContext:` and
+    #   `kms:EncryptionContextKeys` conditions in an IAM or key policy. For
+    #   details, see [kms:EncryptionContext:context-key][2] in the <i>
+    #   <i>Key Management Service Developer Guide</i> </i>.
+    #
+    # * `SourceArn` — This grant constraint allows the permissions in the
+    #   grant only when the request is made on behalf of a specific Amazon
+    #   Web Services resource, identified by its [Amazon Resource Name
+    #   (ARN)][3]. This is effectively the same as having the
+    #   [aws:SourceArn][4] global condition key in the grant. The SourceArn
+    #   constraint is supported on grants for all types of KMS keys and can
+    #   also be applied to the DescribeKey operation when specified in the
+    #   request. However, it does not apply to RetireGrant operation.
     #
     #
     #
     # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
-    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html
-    # [3]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context
+    # [3]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
     #
     # @!attribute [rw] encryption_context_subset
     #   A list of key-value pairs that must be included in the encryption
@@ -3905,11 +3969,26 @@ module Aws::KMS
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations
     #   @return [Hash<String,String>]
     #
+    # @!attribute [rw] source_arn
+    #   The [ Amazon Resource Name (ARN)][1] of an Amazon Web Services
+    #   resource on behalf of which the request is made. This is effectively
+    #   the same as having the [aws:SourceArn][2] global condition key in
+    #   the grant. The SourceArn constraint ensures that the principal can
+    #   use the KMS key only when the request is made on behalf of the
+    #   specified resource.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantConstraints AWS API Documentation
     #
     class GrantConstraints < Struct.new(
       :encryption_context_subset,
-      :encryption_context_equals)
+      :encryption_context_equals,
+      :source_arn)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3937,12 +4016,13 @@ module Aws::KMS
     # @!attribute [rw] grantee_principal
     #   The identity that gets the permissions in the grant.
     #
-    #   The `GranteePrincipal` field in the `ListGrants` response usually
-    #   contains the user or role designated as the grantee principal in the
-    #   grant. However, when the grantee principal in the grant is an Amazon
-    #   Web Services service, the `GranteePrincipal` field contains the
-    #   [service principal][1], which might represent several different
-    #   grantee principals.
+    #   When a grant is created with the `GranteePrincipal` field, the
+    #   `ListGrants` response usually contains the user or role designated
+    #   as the grantee principal in the grant. However, if the grantee
+    #   principal is an Amazon Web Services service, the `GranteePrincipal`
+    #   field contains an Amazon Web Services [service principal][1], which
+    #   might correspond to several different grantee principals, such as an
+    #   IAM user, IAM role, or Amazon Web Services account.
     #
     #
     #
@@ -3962,10 +4042,28 @@ module Aws::KMS
     #   @return [Array<String>]
     #
     # @!attribute [rw] constraints
-    #   A list of key-value pairs that must be present in the encryption
-    #   context of certain subsequent operations that the grant allows.
+    #   The constraints on the grant, such as encryption context pairs or a
+    #   SourceArn, that restrict the subsequent operations the grant allows.
     #   @return [Types::GrantConstraints]
     #
+    # @!attribute [rw] grantee_service_principal
+    #   The Amazon Web Services [service principal][1] that gets the
+    #   permissions in the grant.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #   @return [String]
+    #
+    # @!attribute [rw] retiring_service_principal
+    #   The Amazon Web Services [service principal][1] that can retire the
+    #   grant.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GrantListEntry AWS API Documentation
     #
     class GrantListEntry < Struct.new(
@@ -3977,7 +4075,9 @@ module Aws::KMS
       :retiring_principal,
       :issuing_account,
       :operations,
-      :constraints)
+      :constraints,
+      :grantee_service_principal,
+      :retiring_service_principal)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4887,6 +4987,18 @@ module Aws::KMS
     # @!attribute [rw] grantee_principal
     #   Returns only grants where the specified principal is the grantee
     #   principal for the grant.
+    #
+    #   You can specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
+    #   @return [String]
+    #
+    # @!attribute [rw] grantee_service_principal
+    #   Returns only grants where the specified Amazon Web Services service
+    #   principal is the grantee service principal for the grant. This
+    #   filter is only usable by callers in a service principal.
+    #
+    #   You can specify either `GranteePrincipal` or
+    #   `GranteeServicePrincipal`, but not both.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrantsRequest AWS API Documentation
@@ -4896,7 +5008,8 @@ module Aws::KMS
       :marker,
       :key_id,
       :grant_id,
-      :grantee_principal)
+      :grantee_principal,
+      :grantee_service_principal)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -5241,18 +5354,30 @@ module Aws::KMS
     #   syntax for a principal, see [IAM ARNs][2] in the <i> <i>Identity and
     #   Access Management User Guide</i> </i>.
     #
+    #   You must specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
     #   @return [String]
     #
+    # @!attribute [rw] retiring_service_principal
+    #   The retiring service principal for which to list grants. This filter
+    #   is only usable by callers in a service principal.
+    #
+    #   You must specify either `RetiringPrincipal` or
+    #   `RetiringServicePrincipal`, but not both.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrantsRequest AWS API Documentation
     #
     class ListRetirableGrantsRequest < Struct.new(
       :limit,
       :marker,
-      :retiring_principal)
+      :retiring_principal,
+      :retiring_service_principal)
       SENSITIVE = []
       include Aws::Structure
     end

data/lib/aws-sdk-kms.rb

@@ -54,7 +54,7 @@ module Aws::KMS
   autoload :EndpointProvider, 'aws-sdk-kms/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-kms/endpoints'
 
-  GEM_VERSION = '1.125.0'
+  GEM_VERSION = '1.128.0'
 
 end
 

data/sig/client.rbs

@@ -136,16 +136,19 @@ module Aws
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#create_grant-instance_method
       def create_grant: (
                           key_id: ::String,
-                          grantee_principal: ::String,
+                          ?grantee_principal: ::String,
                           ?retiring_principal: ::String,
                           operations: Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")],
                           ?constraints: {
                             encryption_context_subset: Hash[::String, ::String]?,
-                            encryption_context_equals: Hash[::String, ::String]?
+                            encryption_context_equals: Hash[::String, ::String]?,
+                            source_arn: ::String?
                           },
                           ?grant_tokens: Array[::String],
                           ?name: ::String,
-                          ?dry_run: bool
+                          ?dry_run: bool,
+                          ?grantee_service_principal: ::String,
+                          ?retiring_service_principal: ::String
                         ) -> _CreateGrantResponseSuccess
                       | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CreateGrantResponseSuccess
 
@@ -167,7 +170,7 @@ module Aws
                           {
                             tag_key: ::String,
                             tag_value: ::String
-                          },
+                          }
                         ],
                         ?multi_region: bool,
                         ?xks_key_id: ::String
@@ -554,7 +557,8 @@ module Aws
                          ?marker: ::String,
                          key_id: ::String,
                          ?grant_id: ::String,
-                         ?grantee_principal: ::String
+                         ?grantee_principal: ::String,
+                         ?grantee_service_principal: ::String
                        ) -> _ListGrantsResponseSuccess
                      | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _ListGrantsResponseSuccess
 
@@ -624,9 +628,10 @@ module Aws
       def list_retirable_grants: (
                                    ?limit: ::Integer,
                                    ?marker: ::String,
-                                   retiring_principal: ::String
+                                   ?retiring_principal: ::String,
+                                   ?retiring_service_principal: ::String
                                  ) -> _ListRetirableGrantsResponseSuccess
-                               | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _ListRetirableGrantsResponseSuccess
+                               | (?Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _ListRetirableGrantsResponseSuccess
 
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/KMS/Client.html#put_key_policy-instance_method
       def put_key_policy: (
@@ -679,7 +684,7 @@ module Aws
                              {
                                tag_key: ::String,
                                tag_value: ::String
-                             },
+                             }
                            ]
                          ) -> _ReplicateKeyResponseSuccess
                        | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _ReplicateKeyResponseSuccess
@@ -749,7 +754,7 @@ module Aws
                             {
                               tag_key: ::String,
                               tag_value: ::String
-                            },
+                            }
                           ]
                         ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
                       | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]

data/sig/types.rbs

@@ -105,6 +105,8 @@ module Aws::KMS
       attr_accessor grant_tokens: ::Array[::String]
       attr_accessor name: ::String
       attr_accessor dry_run: bool
+      attr_accessor grantee_service_principal: ::String
+      attr_accessor retiring_service_principal: ::String
       SENSITIVE: []
     end
 
@@ -504,6 +506,7 @@ module Aws::KMS
     class GrantConstraints
       attr_accessor encryption_context_subset: ::Hash[::String, ::String]
       attr_accessor encryption_context_equals: ::Hash[::String, ::String]
+      attr_accessor source_arn: ::String
       SENSITIVE: []
     end
 
@@ -517,6 +520,8 @@ module Aws::KMS
       attr_accessor issuing_account: ::String
       attr_accessor operations: ::Array[("Decrypt" | "Encrypt" | "GenerateDataKey" | "GenerateDataKeyWithoutPlaintext" | "ReEncryptFrom" | "ReEncryptTo" | "Sign" | "Verify" | "GetPublicKey" | "CreateGrant" | "RetireGrant" | "DescribeKey" | "GenerateDataKeyPair" | "GenerateDataKeyPairWithoutPlaintext" | "GenerateMac" | "VerifyMac" | "DeriveSharedSecret")]
       attr_accessor constraints: Types::GrantConstraints
+      attr_accessor grantee_service_principal: ::String
+      attr_accessor retiring_service_principal: ::String
       SENSITIVE: []
     end
 
@@ -687,6 +692,7 @@ module Aws::KMS
       attr_accessor key_id: ::String
       attr_accessor grant_id: ::String
       attr_accessor grantee_principal: ::String
+      attr_accessor grantee_service_principal: ::String
       SENSITIVE: []
     end
 
@@ -757,6 +763,7 @@ module Aws::KMS
       attr_accessor limit: ::Integer
       attr_accessor marker: ::String
       attr_accessor retiring_principal: ::String
+      attr_accessor retiring_service_principal: ::String
       SENSITIVE: []
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-kms
 version: !ruby/object:Gem::Version
-  version: 1.125.0
+  version: 1.128.0
 platform: ruby
 authors:
 - Amazon Web Services
@@ -18,7 +18,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.247.0
+        version: 3.248.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -28,7 +28,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.247.0
+        version: 3.248.0
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement