@aws-sdk/client-kms 3.1050.0 → 3.1052.0

package/dist-cjs/schemas/schemas_0.js

@@ -153,6 +153,7 @@ const _GPKRe = "GetPublicKeyResponse";
 const _GR = "GenerateRandom";
 const _GRR = "GenerateRandomRequest";
 const _GRRe = "GenerateRandomResponse";
+const _GSP = "GranteeServicePrincipal";
 const _GT = "GrantTokens";
 const _GTr = "GrantToken";
 const _I = "Id";
@@ -291,6 +292,7 @@ const _RPID = "RotationPeriodInDays";
 const _RPe = "ReplicaPolicy";
 const _RR = "ReplicaRegion";
 const _RSAK = "RawSecretAccessKey";
+const _RSP = "RetiringServicePrincipal";
 const _RT = "ReplicaTags";
 const _RTo = "RotationType";
 const _Re = "Region";
@@ -298,6 +300,7 @@ const _Ro = "Rotations";
 const _S = "Signature";
 const _SA = "SigningAlgorithms";
 const _SAi = "SigningAlgorithm";
+const _SAo = "SourceArn";
 const _SEA = "SourceEncryptionAlgorithm";
 const _SEC = "SourceEncryptionContext";
 const _SKD = "ScheduleKeyDeletion";
@@ -728,8 +731,8 @@ exports.CreateCustomKeyStoreResponse$ = [3, n0, _CCKSRre,
 ];
 exports.CreateGrantRequest$ = [3, n0, _CGR,
     0,
-    [_KI, _GP, _O, _RP, _C, _GT, _N, _DR],
-    [0, 0, 64 | 0, 0, () => exports.GrantConstraints$, 64 | 0, 0, 2], 3
+    [_KI, _O, _GP, _RP, _C, _GT, _N, _DR, _GSP, _RSP],
+    [0, 64 | 0, 0, 0, () => exports.GrantConstraints$, 64 | 0, 0, 2, 0, 0], 2
 ];
 exports.CreateGrantResponse$ = [3, n0, _CGRr,
     0,
@@ -968,13 +971,13 @@ exports.GetPublicKeyResponse$ = [3, n0, _GPKRe,
 ];
 exports.GrantConstraints$ = [3, n0, _GC,
     0,
-    [_ECS, _ECE],
-    [128 | 0, 128 | 0]
+    [_ECS, _ECE, _SAo],
+    [128 | 0, 128 | 0, 0]
 ];
 exports.GrantListEntry$ = [3, n0, _GLE,
     0,
-    [_KI, _GI, _N, _CD, _GP, _RP, _IA, _O, _C],
-    [0, 0, 0, 4, 0, 0, 0, 64 | 0, () => exports.GrantConstraints$]
+    [_KI, _GI, _N, _CD, _GP, _RP, _IA, _O, _C, _GSP, _RSP],
+    [0, 0, 0, 4, 0, 0, 0, 64 | 0, () => exports.GrantConstraints$, 0, 0]
 ];
 exports.ImportKeyMaterialRequest$ = [3, n0, _IKMR,
     0,
@@ -1013,8 +1016,8 @@ exports.ListAliasesResponse$ = [3, n0, _LARi,
 ];
 exports.ListGrantsRequest$ = [3, n0, _LGR,
     0,
-    [_KI, _L, _M, _GI, _GP],
-    [0, 1, 0, 0, 0], 1
+    [_KI, _L, _M, _GI, _GP, _GSP],
+    [0, 1, 0, 0, 0, 0], 1
 ];
 exports.ListGrantsResponse$ = [3, n0, _LGRi,
     0,
@@ -1063,8 +1066,8 @@ exports.ListResourceTagsResponse$ = [3, n0, _LRTRi,
 ];
 exports.ListRetirableGrantsRequest$ = [3, n0, _LRGR,
     0,
-    [_RP, _L, _M],
-    [0, 1, 0], 1
+    [_L, _M, _RP, _RSP],
+    [1, 0, 0, 0]
 ];
 exports.MultiRegionConfiguration$ = [3, n0, _MRC,
     0,

package/dist-es/schemas/schemas_0.js

@@ -146,6 +146,7 @@ const _GPKRe = "GetPublicKeyResponse";
 const _GR = "GenerateRandom";
 const _GRR = "GenerateRandomRequest";
 const _GRRe = "GenerateRandomResponse";
+const _GSP = "GranteeServicePrincipal";
 const _GT = "GrantTokens";
 const _GTr = "GrantToken";
 const _I = "Id";
@@ -284,6 +285,7 @@ const _RPID = "RotationPeriodInDays";
 const _RPe = "ReplicaPolicy";
 const _RR = "ReplicaRegion";
 const _RSAK = "RawSecretAccessKey";
+const _RSP = "RetiringServicePrincipal";
 const _RT = "ReplicaTags";
 const _RTo = "RotationType";
 const _Re = "Region";
@@ -291,6 +293,7 @@ const _Ro = "Rotations";
 const _S = "Signature";
 const _SA = "SigningAlgorithms";
 const _SAi = "SigningAlgorithm";
+const _SAo = "SourceArn";
 const _SEA = "SourceEncryptionAlgorithm";
 const _SEC = "SourceEncryptionContext";
 const _SKD = "ScheduleKeyDeletion";
@@ -721,8 +724,8 @@ export var CreateCustomKeyStoreResponse$ = [3, n0, _CCKSRre,
 ];
 export var CreateGrantRequest$ = [3, n0, _CGR,
     0,
-    [_KI, _GP, _O, _RP, _C, _GT, _N, _DR],
-    [0, 0, 64 | 0, 0, () => GrantConstraints$, 64 | 0, 0, 2], 3
+    [_KI, _O, _GP, _RP, _C, _GT, _N, _DR, _GSP, _RSP],
+    [0, 64 | 0, 0, 0, () => GrantConstraints$, 64 | 0, 0, 2, 0, 0], 2
 ];
 export var CreateGrantResponse$ = [3, n0, _CGRr,
     0,
@@ -961,13 +964,13 @@ export var GetPublicKeyResponse$ = [3, n0, _GPKRe,
 ];
 export var GrantConstraints$ = [3, n0, _GC,
     0,
-    [_ECS, _ECE],
-    [128 | 0, 128 | 0]
+    [_ECS, _ECE, _SAo],
+    [128 | 0, 128 | 0, 0]
 ];
 export var GrantListEntry$ = [3, n0, _GLE,
     0,
-    [_KI, _GI, _N, _CD, _GP, _RP, _IA, _O, _C],
-    [0, 0, 0, 4, 0, 0, 0, 64 | 0, () => GrantConstraints$]
+    [_KI, _GI, _N, _CD, _GP, _RP, _IA, _O, _C, _GSP, _RSP],
+    [0, 0, 0, 4, 0, 0, 0, 64 | 0, () => GrantConstraints$, 0, 0]
 ];
 export var ImportKeyMaterialRequest$ = [3, n0, _IKMR,
     0,
@@ -1006,8 +1009,8 @@ export var ListAliasesResponse$ = [3, n0, _LARi,
 ];
 export var ListGrantsRequest$ = [3, n0, _LGR,
     0,
-    [_KI, _L, _M, _GI, _GP],
-    [0, 1, 0, 0, 0], 1
+    [_KI, _L, _M, _GI, _GP, _GSP],
+    [0, 1, 0, 0, 0, 0], 1
 ];
 export var ListGrantsResponse$ = [3, n0, _LGRi,
     0,
@@ -1056,8 +1059,8 @@ export var ListResourceTagsResponse$ = [3, n0, _LRTRi,
 ];
 export var ListRetirableGrantsRequest$ = [3, n0, _LRGR,
     0,
-    [_RP, _L, _M],
-    [0, 1, 0], 1
+    [_L, _M, _RP, _RSP],
+    [1, 0, 0, 0]
 ];
 export var MultiRegionConfiguration$ = [3, n0, _MRC,
     0,

package/dist-types/KMS.d.ts

@@ -286,6 +286,7 @@ export interface KMS {
     /**
      * @see {@link ListRetirableGrantsCommand}
      */
+    listRetirableGrants(): Promise<ListRetirableGrantsCommandOutput>;
     listRetirableGrants(args: ListRetirableGrantsCommandInput, options?: __HttpHandlerOptions): Promise<ListRetirableGrantsCommandOutput>;
     listRetirableGrants(args: ListRetirableGrantsCommandInput, cb: (err: any, data?: ListRetirableGrantsCommandOutput) => void): void;
     listRetirableGrants(args: ListRetirableGrantsCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: ListRetirableGrantsCommandOutput) => void): void;
@@ -441,7 +442,7 @@ export interface KMS {
      * @param paginationConfig - optional pagination config.
      * @returns AsyncIterable of {@link ListRetirableGrantsCommandOutput}.
      */
-    paginateListRetirableGrants(args: ListRetirableGrantsCommandInput, paginationConfig?: Omit<PaginationConfiguration, "client">): Paginator<ListRetirableGrantsCommandOutput>;
+    paginateListRetirableGrants(args?: ListRetirableGrantsCommandInput, paginationConfig?: Omit<PaginationConfiguration, "client">): Paginator<ListRetirableGrantsCommandOutput>;
 }
 /**
  * <fullname>Key Management Service</fullname>

package/dist-types/commands/CreateGrantCommand.d.ts

@@ -35,6 +35,10 @@ declare const CreateGrantCommand_base: {
  *       grants are considered along with key policies and IAM policies. Grants are often used for
  *       temporary permissions because you can create one, use its permissions, and delete it without
  *       changing your key policies or IAM policies. </p>
+ *          <p>You can create a grant for an Amazon Web Services principal (IAM user, IAM role, or Amazon Web Services account) by
+ *       specifying the <code>GranteePrincipal</code> parameter. You can also create a grant for an
+ *       Amazon Web Services service principal by specifying the <code>GranteeServicePrincipal</code>
+ *       parameter.</p>
  *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
@@ -104,7 +108,7 @@ declare const CreateGrantCommand_base: {
  * const client = new KMSClient(config);
  * const input = { // CreateGrantRequest
  *   KeyId: "STRING_VALUE", // required
- *   GranteePrincipal: "STRING_VALUE", // required
+ *   GranteePrincipal: "STRING_VALUE",
  *   RetiringPrincipal: "STRING_VALUE",
  *   Operations: [ // GrantOperationList // required
  *     "Decrypt" || "Encrypt" || "GenerateDataKey" || "GenerateDataKeyWithoutPlaintext" || "ReEncryptFrom" || "ReEncryptTo" || "Sign" || "Verify" || "GetPublicKey" || "CreateGrant" || "RetireGrant" || "DescribeKey" || "GenerateDataKeyPair" || "GenerateDataKeyPairWithoutPlaintext" || "GenerateMac" || "VerifyMac" || "DeriveSharedSecret",
@@ -116,12 +120,15 @@ declare const CreateGrantCommand_base: {
  *     EncryptionContextEquals: {
  *       "<keys>": "STRING_VALUE",
  *     },
+ *     SourceArn: "STRING_VALUE",
  *   },
  *   GrantTokens: [ // GrantTokenList
  *     "STRING_VALUE",
  *   ],
  *   Name: "STRING_VALUE",
  *   DryRun: true || false,
+ *   GranteeServicePrincipal: "STRING_VALUE",
+ *   RetiringServicePrincipal: "STRING_VALUE",
  * };
  * const command = new CreateGrantCommand(input);
  * const response = await client.send(command);
@@ -213,6 +220,33 @@ declare const CreateGrantCommand_base: {
  * *\/
  * ```
  *
+ * @example To create a grant for a service principal
+ * ```javascript
+ * // The following example creates a grant that allows the specified AWS service principal to encrypt and decrypt data with the specified KMS key. The grant includes a SourceArn constraint that restricts the grant permissions to requests associated with the specified DynamoDB table.
+ * const input = {
+ *   Constraints: {
+ *     SourceArn: "arn:aws:dynamodb:us-east-2:444455556666:table/ExampleTable"
+ *   },
+ *   GranteeServicePrincipal: "service-name.amazonaws.com",
+ *   KeyId: "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+ *   Operations: [
+ *     "Encrypt",
+ *     "Decrypt",
+ *     "GenerateDataKey",
+ *     "DescribeKey"
+ *   ],
+ *   RetiringServicePrincipal: "service-name.amazonaws.com"
+ * };
+ * const command = new CreateGrantCommand(input);
+ * const response = await client.send(command);
+ * /* response is
+ * {
+ *   GrantId: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+ *   GrantToken: "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW..."
+ * }
+ * *\/
+ * ```
+ *
  * @public
  */
 export declare class CreateGrantCommand extends CreateGrantCommand_base {

package/dist-types/commands/ListGrantsCommand.d.ts

@@ -30,19 +30,21 @@ declare const ListGrantsCommand_base: {
 };
 /**
  * <p>Gets a list of all grants for the specified KMS key. </p>
- *          <p>You must specify the KMS key in all requests. You can filter the grant list by grant ID or
- *       grantee principal.</p>
+ *          <p>You must specify the KMS key in all requests. You can filter the grant list by grant ID,
+ *       grantee principal, or grantee service principal.</p>
  *          <p>For detailed information about grants, including grant terminology, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the
  *         <i>
  *                <i>Key Management Service Developer Guide</i>
  *             </i>. For examples of creating grants in several
  *       programming languages, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/example_kms_CreateGrant_section.html">Use CreateGrant with an Amazon Web Services SDK or CLI</a>. </p>
  *          <note>
- *             <p>The <code>GranteePrincipal</code> field in the <code>ListGrants</code> response usually contains the
- *         user or role designated as the grantee principal in the grant. However, when the grantee
- *         principal in the grant is an Amazon Web Services service, the <code>GranteePrincipal</code> field contains
- *         the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service
- *           principal</a>, which might represent several different grantee principals.</p>
+ *             <p>When a grant is created with the <code>GranteePrincipal</code> field, the <code>ListGrants</code>
+ *         response usually contains the user or role designated as the grantee principal in the grant. However, if the grantee principal
+ *         is an Amazon Web Services service, the <code>GranteePrincipal</code> field contains an Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service principal</a>, which
+ *         might correspond to several different grantee principals, such as an IAM user, IAM role, or Amazon Web Services account.</p>
+ *             <p>When a grant is created with the <code>GranteeServicePrincipal</code> field, the <code>ListGrants</code>
+ * 	      response always includes a <code>GranteeServicePrincipal</code> that indicates the grantee is actually
+ *         an Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service principal</a>.</p>
  *          </note>
  *          <p>
  *             <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key
@@ -91,6 +93,7 @@ declare const ListGrantsCommand_base: {
  *   KeyId: "STRING_VALUE", // required
  *   GrantId: "STRING_VALUE",
  *   GranteePrincipal: "STRING_VALUE",
+ *   GranteeServicePrincipal: "STRING_VALUE",
  * };
  * const command = new ListGrantsCommand(input);
  * const response = await client.send(command);
@@ -114,7 +117,10 @@ declare const ListGrantsCommand_base: {
  * //         EncryptionContextEquals: {
  * //           "<keys>": "STRING_VALUE",
  * //         },
+ * //         SourceArn: "STRING_VALUE",
  * //       },
+ * //       GranteeServicePrincipal: "STRING_VALUE",
+ * //       RetiringServicePrincipal: "STRING_VALUE",
  * //     },
  * //   ],
  * //   NextMarker: "STRING_VALUE",

package/dist-types/commands/ListRetirableGrantsCommand.d.ts

@@ -23,14 +23,14 @@ export interface ListRetirableGrantsCommandOutput extends ListGrantsResponse, __
 }
 declare const ListRetirableGrantsCommand_base: {
     new (input: ListRetirableGrantsCommandInput): import("@smithy/core/client").CommandImpl<ListRetirableGrantsCommandInput, ListRetirableGrantsCommandOutput, KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
-    new (input: ListRetirableGrantsCommandInput): import("@smithy/core/client").CommandImpl<ListRetirableGrantsCommandInput, ListRetirableGrantsCommandOutput, KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    new (...[input]: [] | [ListRetirableGrantsCommandInput]): import("@smithy/core/client").CommandImpl<ListRetirableGrantsCommandInput, ListRetirableGrantsCommandOutput, KMSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
     getEndpointParameterInstructions(): {
         [x: string]: unknown;
     };
 };
 /**
  * <p>Returns information about all grants in the Amazon Web Services account and Region that have the
- *       specified retiring principal. </p>
+ *       specified retiring principal or retiring service principal. </p>
  *          <p>You can specify any principal in your Amazon Web Services account. The grants that are returned include
  *       grants for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
  *       operation to determine which grants you may retire. To retire a grant, use the <a>RetireGrant</a> operation.</p>
@@ -50,11 +50,14 @@ declare const ListRetirableGrantsCommand_base: {
  *             <b>Required permissions</b>: <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListRetirableGrants</a> (IAM policy) in your
  *       Amazon Web Services account.</p>
  *          <note>
- *             <p>KMS authorizes <code>ListRetirableGrants</code> requests by evaluating the caller
+ *             <p>When listing retirable grants by <code>RetiringPrincipal</code>, KMS authorizes
+ *         <code>ListRetirableGrants</code> requests by evaluating the caller
  *         account's kms:ListRetirableGrants permissions. The authorized resource in
- *           <code>ListRetirableGrants</code> calls is the retiring principal specified in the request.
+ *         <code>ListRetirableGrants</code> calls is the retiring principal specified in the request.
  *         KMS does not evaluate the caller's permissions to verify their access to any KMS keys or
  *         grants that might be returned by the <code>ListRetirableGrants</code> call.</p>
+ *             <p>The <code>RetiringServicePrincipal</code> filter is only usable by callers in a
+ *         service principal.</p>
  *          </note>
  *          <p>
  *             <b>Related operations:</b>
@@ -95,7 +98,8 @@ declare const ListRetirableGrantsCommand_base: {
  * const input = { // ListRetirableGrantsRequest
  *   Limit: Number("int"),
  *   Marker: "STRING_VALUE",
- *   RetiringPrincipal: "STRING_VALUE", // required
+ *   RetiringPrincipal: "STRING_VALUE",
+ *   RetiringServicePrincipal: "STRING_VALUE",
  * };
  * const command = new ListRetirableGrantsCommand(input);
  * const response = await client.send(command);
@@ -119,7 +123,10 @@ declare const ListRetirableGrantsCommand_base: {
  * //         EncryptionContextEquals: {
  * //           "<keys>": "STRING_VALUE",
  * //         },
+ * //         SourceArn: "STRING_VALUE",
  * //       },
+ * //       GranteeServicePrincipal: "STRING_VALUE",
+ * //       RetiringServicePrincipal: "STRING_VALUE",
  * //     },
  * //   ],
  * //   NextMarker: "STRING_VALUE",

package/dist-types/commands/ReEncryptCommand.d.ts

@@ -73,6 +73,12 @@ declare const ReEncryptCommand_base: {
  *          </ul>
  *          <p>The KMS key that you use for this operation must be in a compatible key state. For
  * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
+ *          <note>
+ *             <p>When using grants with <code>SourceArn</code> constraints for
+ *           <code>ReEncrypt</code> operations, the grants on both the source KMS key (for
+ *           <code>ReEncryptFrom</code>) and the destination KMS key (for <code>ReEncryptTo</code>)
+ *         must specify the same <code>SourceArn</code> value. </p>
+ *          </note>
  *          <p>
  *             <b>Cross-account use</b>: Yes. The source KMS key and
  *       destination KMS key can be in different Amazon Web Services accounts. Either or both KMS keys can be in a

package/dist-types/models/models_0.d.ts

@@ -336,25 +336,41 @@ export interface CreateCustomKeyStoreResponse {
 }
 /**
  * <p>Use this structure to allow <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-cryptography.html#cryptographic-operations">cryptographic operations</a> in the grant only when the operation request
- *       includes the specified <a href="https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html">encryption context</a>. </p>
- *          <p>KMS applies the grant constraints only to cryptographic operations that support an
- *       encryption context, that is, all cryptographic operations with a symmetric KMS key. Grant
- *       constraints are not applied to operations that do not support an encryption context, such as
- *       cryptographic operations with asymmetric KMS keys and management operations, such as <a>DescribeKey</a> or <a>RetireGrant</a>.</p>
- *          <important>
- *             <p>In a cryptographic operation, the encryption context in the decryption operation must be
- *         an exact, case-sensitive match for the keys and values in the encryption context of the
- *         encryption operation. Only the order of the pairs can vary.</p>
- *             <p>However, in a grant constraint, the key in each key-value pair is not case sensitive,
- *         but the value is case sensitive.</p>
- *             <p>To avoid confusion, do not use multiple encryption context pairs that differ only by
- *         case. To require a fully case-sensitive encryption context, use the
- *           <code>kms:EncryptionContext:</code> and <code>kms:EncryptionContextKeys</code> conditions
- *         in an IAM or key policy. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context">kms:EncryptionContext:context-key</a> in the
- *         <i>
- *                   <i>Key Management Service Developer Guide</i>
- *                </i>.</p>
- *          </important>
+ *       meets the specified constraints.</p>
+ *          <p>KMS supports the following grant constraints:</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <code>EncryptionContextEquals</code> and <code>EncryptionContextSubset</code> —
+ *           These encryption context constraints apply only to cryptographic operations that support
+ *           an encryption context, that is, all cryptographic operations with a symmetric KMS key.
+ *           Encryption context grant constraints are not applied to operations that do not support an
+ *           encryption context, such as cryptographic operations with asymmetric KMS keys and
+ *           management operations, such as <a>DescribeKey</a> or <a>RetireGrant</a>.</p>
+ *                <important>
+ *                   <p>In a cryptographic operation, the encryption context in the decryption operation must be
+ *               an exact, case-sensitive match for the keys and values in the encryption context of the
+ *               encryption operation. Only the order of the pairs can vary.</p>
+ *                   <p>However, in a grant constraint, the key in each key-value pair is not case sensitive,
+ *               but the value is case sensitive.</p>
+ *                   <p>To avoid confusion, do not use multiple encryption context pairs that differ only by
+ *               case. To require a fully case-sensitive encryption context, use the
+ *                 <code>kms:EncryptionContext:</code> and <code>kms:EncryptionContextKeys</code> conditions
+ *               in an IAM or key policy. For details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context">kms:EncryptionContext:context-key</a> in the
+ *               <i>
+ *                         <i>Key Management Service Developer Guide</i>
+ *                      </i>.</p>
+ *                </important>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <code>SourceArn</code> — This grant constraint allows the permissions in the grant only when the
+ *         request is made on behalf of a specific Amazon Web Services resource, identified by its <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Name (ARN)</a>. This is effectively
+ *         the same as having the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn">aws:SourceArn</a> global condition key in the grant. The SourceArn constraint is supported on grants
+ *         for all types of KMS keys and can also be applied to the <a>DescribeKey</a> operation when
+ *         specified in the request. However, it does not apply to <a>RetireGrant</a> operation.</p>
+ *             </li>
+ *          </ul>
  * @public
  */
 export interface GrantConstraints {
@@ -373,6 +389,14 @@ export interface GrantConstraints {
      * @public
      */
     EncryptionContextEquals?: Record<string, string> | undefined;
+    /**
+     * <p>The <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">
+     *     Amazon Resource Name (ARN)</a> of an Amazon Web Services resource on behalf of which the request is made.
+     *     This is effectively the same as having the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn">aws:SourceArn</a> global condition key in the grant. The SourceArn constraint ensures
+     *     that the principal can use the KMS key only when the request is made on behalf of the specified resource.</p>
+     * @public
+     */
+    SourceArn?: string | undefined;
 }
 /**
  * @public
@@ -406,9 +430,11 @@ export interface CreateGrantRequest {
      *         <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns">IAM ARNs</a> in the <i>
      *                <i>Identity and Access Management User Guide</i>
      *             </i>.</p>
+     *          <p>You must specify either <code>GranteePrincipal</code> or
+     *         <code>GranteeServicePrincipal</code>, but not both.</p>
      * @public
      */
-    GranteePrincipal: string | undefined;
+    GranteePrincipal?: string | undefined;
     /**
      * <p>The principal that has permission to use the <a>RetireGrant</a> operation to
      *       retire the grant. </p>
@@ -422,6 +448,8 @@ export interface CreateGrantRequest {
      *       retire the grant or revoke the grant. For details, see <a>RevokeGrant</a> and
      *         <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-delete.html">Retiring and revoking
      *         grants</a> in the <i>Key Management Service Developer Guide</i>. </p>
+     *          <p>You can specify either <code>RetiringPrincipal</code> or
+     *         <code>RetiringServicePrincipal</code>, but not both.</p>
      * @public
      */
     RetiringPrincipal?: string | undefined;
@@ -441,28 +469,42 @@ export interface CreateGrantRequest {
      *          <important>
      *             <p>Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.</p>
      *          </important>
-     *          <p>KMS supports the <code>EncryptionContextEquals</code> and
-     *         <code>EncryptionContextSubset</code> grant constraints, which allow the permissions in the
-     *       grant only when the encryption context in the request matches
-     *         (<code>EncryptionContextEquals</code>) or includes (<code>EncryptionContextSubset</code>)
-     *       the encryption context specified in the constraint. </p>
-     *          <p>The encryption context grant constraints are supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">grant operations</a> that include
-     *       an <code>EncryptionContext</code> parameter, such as cryptographic operations on symmetric
-     *       encryption KMS keys. Grants with grant constraints can include the <a>DescribeKey</a> and <a>RetireGrant</a> operations, but the constraint doesn't apply to these
-     *       operations. If a grant with a grant constraint includes the <code>CreateGrant</code>
-     *       operation, the constraint requires that any grants created with the <code>CreateGrant</code>
-     *       permission have an equally strict or stricter encryption context constraint.</p>
-     *          <p>You cannot use an encryption context grant constraint for cryptographic operations with
-     *       asymmetric KMS keys or HMAC KMS keys. Operations with these keys don't support an encryption
-     *       context.</p>
-     *          <p>Each constraint value can include up to 8 encryption context pairs. The encryption context
-     *       value in each constraint cannot exceed 384 characters. For information about grant
-     *       constraints, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints">Using grant
-     *         constraints</a> in the <i>Key Management Service Developer Guide</i>. For more information about encryption context,
-     *       see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption
-     *         context</a> in the <i>
-     *                <i>Key Management Service Developer Guide</i>
-     *             </i>. </p>
+     *          <p>KMS supports the following grant constraints.</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>EncryptionContextEquals</code> and <code>EncryptionContextSubset</code> — These
+     *           encryption context grant constraints allow the permissions in the grant only when the
+     *           encryption context in the request matches (<code>EncryptionContextEquals</code>) or
+     *           includes (<code>EncryptionContextSubset</code>) the encryption context specified in the
+     *           constraint.</p>
+     *                <p>Encryption context grant constraints are supported only on <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations">grant operations</a> that
+     *           include an <code>EncryptionContext</code> parameter, such as cryptographic operations on
+     *           symmetric encryption KMS keys. You cannot use an encryption context grant constraint for
+     *           cryptographic operations with asymmetric KMS keys or HMAC KMS keys. Operations with these
+     *           keys don't support an encryption context. Grants with encryption context grant constraints
+     *           can include the <a>DescribeKey</a> and <a>RetireGrant</a> operations,
+     *           but the constraint doesn't apply to these operations. If a grant with an encryption context
+     *           grant constraint includes the <code>CreateGrant</code> operation, the constraint requires
+     *           that any grants created with the <code>CreateGrant</code> permission have an equally strict
+     *           or stricter encryption context constraint. </p>
+     *                <p>Each constraint value can include up to 8 encryption context pairs. The encryption
+     *           context value in each constraint cannot exceed 384 characters. For more information about
+     *           encryption context, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption context</a> in the <i>
+     *                      <i>Key Management Service Developer Guide</i>
+     *                   </i>.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>SourceArn</code> — This grant constraint allows the permissions in the grant only when the
+     *         request is made on behalf of a specific Amazon Web Services resource, identified by its <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Name (ARN)</a>. This is effectively
+     *         the same as having the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn">aws:SourceArn</a> global condition key in the grant. The SourceArn constraint is supported on grants
+     *         for all types of KMS keys and can also be applied to the <a>DescribeKey</a> operation when
+     *         specified in the request. However, it does not apply to <a>RetireGrant</a> operation.</p>
+     *             </li>
+     *          </ul>
+     *          <p>For information about grant constraints, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints">Using grant
+     *         constraints</a> in the <i>Key Management Service Developer Guide</i>. </p>
      * @public
      */
     Constraints?: GrantConstraints | undefined;
@@ -496,6 +538,27 @@ export interface CreateGrantRequest {
      * @public
      */
     DryRun?: boolean | undefined;
+    /**
+     * <p>The Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service
+     *         principal</a> that gets the permissions specified in the grant. </p>
+     *          <p>When you specify a <code>GranteeServicePrincipal</code>, you must also specify a
+     *       <code>SourceArn</code> grant constraint. In addition, you must specify either a
+     *       <code>RetiringPrincipal</code> or a <code>RetiringServicePrincipal</code>.
+     *     </p>
+     *          <p>You must specify either <code>GranteePrincipal</code> or
+     *         <code>GranteeServicePrincipal</code>, but not both.</p>
+     * @public
+     */
+    GranteeServicePrincipal?: string | undefined;
+    /**
+     * <p>The Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service
+     *         principal</a> that has permission to use the <a>RetireGrant</a>
+     *       operation to retire the grant.</p>
+     *          <p>You can specify either <code>RetiringPrincipal</code> or
+     *         <code>RetiringServicePrincipal</code>, but not both.</p>
+     * @public
+     */
+    RetiringServicePrincipal?: string | undefined;
 }
 /**
  * @public
@@ -3214,11 +3277,10 @@ export interface GrantListEntry {
     CreationDate?: Date | undefined;
     /**
      * <p>The identity that gets the permissions in the grant.</p>
-     *          <p>The <code>GranteePrincipal</code> field in the <code>ListGrants</code> response usually contains the
-     *         user or role designated as the grantee principal in the grant. However, when the grantee
-     *         principal in the grant is an Amazon Web Services service, the <code>GranteePrincipal</code> field contains
-     *         the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service
-     *           principal</a>, which might represent several different grantee principals.</p>
+     *          <p>When a grant is created with the <code>GranteePrincipal</code> field, the <code>ListGrants</code>
+     *         response usually contains the user or role designated as the grantee principal in the grant. However, if the grantee principal
+     *         is an Amazon Web Services service, the <code>GranteePrincipal</code> field contains an Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service principal</a>, which
+     *         might correspond to several different grantee principals, such as an IAM user, IAM role, or Amazon Web Services account.</p>
      * @public
      */
     GranteePrincipal?: string | undefined;
@@ -3238,11 +3300,23 @@ export interface GrantListEntry {
      */
     Operations?: GrantOperation[] | undefined;
     /**
-     * <p>A list of key-value pairs that must be present in the encryption context of certain
-     *       subsequent operations that the grant allows.</p>
+     * <p>The constraints on the grant, such as encryption context pairs or a SourceArn,
+     *      that restrict the subsequent operations the grant allows.</p>
      * @public
      */
     Constraints?: GrantConstraints | undefined;
+    /**
+     * <p>The Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service
+     *         principal</a> that gets the permissions in the grant.</p>
+     * @public
+     */
+    GranteeServicePrincipal?: string | undefined;
+    /**
+     * <p>The Amazon Web Services <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services">service
+     *         principal</a> that can retire the grant.</p>
+     * @public
+     */
+    RetiringServicePrincipal?: string | undefined;
 }
 /**
  * @public
@@ -3505,9 +3579,19 @@ export interface ListGrantsRequest {
     /**
      * <p>Returns only grants where the specified principal is the grantee principal for the
      *       grant.</p>
+     *          <p>You can specify either <code>GranteePrincipal</code> or
+     *         <code>GranteeServicePrincipal</code>, but not both.</p>
      * @public
      */
     GranteePrincipal?: string | undefined;
+    /**
+     * <p>Returns only grants where the specified Amazon Web Services service principal is the grantee service
+     *       principal for the grant. This filter is only usable by callers in a service principal.</p>
+     *          <p>You can specify either <code>GranteePrincipal</code> or
+     *         <code>GranteeServicePrincipal</code>, but not both.</p>
+     * @public
+     */
+    GranteeServicePrincipal?: string | undefined;
 }
 /**
  * @public
@@ -3897,9 +3981,19 @@ export interface ListRetirableGrantsRequest {
      *         <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns">IAM ARNs</a> in the <i>
      *                <i>Identity and Access Management User Guide</i>
      *             </i>.</p>
+     *          <p>You must specify either <code>RetiringPrincipal</code> or
+     *         <code>RetiringServicePrincipal</code>, but not both.</p>
+     * @public
+     */
+    RetiringPrincipal?: string | undefined;
+    /**
+     * <p>The retiring service principal for which to list grants. This filter is only usable by
+     *       callers in a service principal.</p>
+     *          <p>You must specify either <code>RetiringPrincipal</code> or
+     *         <code>RetiringServicePrincipal</code>, but not both.</p>
      * @public
      */
-    RetiringPrincipal: string | undefined;
+    RetiringServicePrincipal?: string | undefined;
 }
 /**
  * @public

package/dist-types/ts3.4/KMS.d.ts

@@ -711,6 +711,7 @@ export interface KMS {
     options: __HttpHandlerOptions,
     cb: (err: any, data?: ListResourceTagsCommandOutput) => void
   ): void;
+  listRetirableGrants(): Promise<ListRetirableGrantsCommandOutput>;
   listRetirableGrants(
     args: ListRetirableGrantsCommandInput,
     options?: __HttpHandlerOptions
@@ -983,7 +984,7 @@ export interface KMS {
     >
   ): Paginator<ListResourceTagsCommandOutput>;
   paginateListRetirableGrants(
-    args: ListRetirableGrantsCommandInput,
+    args?: ListRetirableGrantsCommandInput,
     paginationConfig?: Pick<
       PaginationConfiguration,
       Exclude<keyof PaginationConfiguration, "client">

package/dist-types/ts3.4/commands/ListRetirableGrantsCommand.d.ts

@@ -27,7 +27,7 @@ declare const ListRetirableGrantsCommand_base: {
     ServiceOutputTypes
   >;
   new (
-    input: ListRetirableGrantsCommandInput
+    ...[input]: [] | [ListRetirableGrantsCommandInput]
   ): import("@smithy/core/client").CommandImpl<
     ListRetirableGrantsCommandInput,
     ListRetirableGrantsCommandOutput,

package/dist-types/ts3.4/models/models_0.d.ts

@@ -76,16 +76,19 @@ export interface CreateCustomKeyStoreResponse {
 export interface GrantConstraints {
   EncryptionContextSubset?: Record<string, string> | undefined;
   EncryptionContextEquals?: Record<string, string> | undefined;
+  SourceArn?: string | undefined;
 }
 export interface CreateGrantRequest {
   KeyId: string | undefined;
-  GranteePrincipal: string | undefined;
+  GranteePrincipal?: string | undefined;
   RetiringPrincipal?: string | undefined;
   Operations: GrantOperation[] | undefined;
   Constraints?: GrantConstraints | undefined;
   GrantTokens?: string[] | undefined;
   Name?: string | undefined;
   DryRun?: boolean | undefined;
+  GranteeServicePrincipal?: string | undefined;
+  RetiringServicePrincipal?: string | undefined;
 }
 export interface CreateGrantResponse {
   GrantToken?: string | undefined;
@@ -418,6 +421,8 @@ export interface GrantListEntry {
   IssuingAccount?: string | undefined;
   Operations?: GrantOperation[] | undefined;
   Constraints?: GrantConstraints | undefined;
+  GranteeServicePrincipal?: string | undefined;
+  RetiringServicePrincipal?: string | undefined;
 }
 export interface ImportKeyMaterialRequest {
   KeyId: string | undefined;
@@ -453,6 +458,7 @@ export interface ListGrantsRequest {
   KeyId: string | undefined;
   GrantId?: string | undefined;
   GranteePrincipal?: string | undefined;
+  GranteeServicePrincipal?: string | undefined;
 }
 export interface ListGrantsResponse {
   Grants?: GrantListEntry[] | undefined;
@@ -513,7 +519,8 @@ export interface ListResourceTagsResponse {
 export interface ListRetirableGrantsRequest {
   Limit?: number | undefined;
   Marker?: string | undefined;
-  RetiringPrincipal: string | undefined;
+  RetiringPrincipal?: string | undefined;
+  RetiringServicePrincipal?: string | undefined;
 }
 export interface PutKeyPolicyRequest {
   KeyId: string | undefined;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-kms",
   "description": "AWS SDK for JavaScript Kms Client for Node.js, Browser and React Native",
-  "version": "3.1050.0",
+  "version": "3.1052.0",
   "scripts": {
     "build": "concurrently 'yarn:build:types' 'yarn:build:es' && yarn build:cjs",
     "build:cjs": "node ../../scripts/compilation/inline client-kms",
@@ -23,13 +23,13 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "5.2.0",
     "@aws-crypto/sha256-js": "5.2.0",
-    "@aws-sdk/core": "^3.974.12",
-    "@aws-sdk/credential-provider-node": "^3.972.43",
-    "@aws-sdk/types": "^3.973.8",
-    "@smithy/core": "^3.24.2",
-    "@smithy/fetch-http-handler": "^5.4.2",
-    "@smithy/node-http-handler": "^4.7.2",
-    "@smithy/types": "^4.14.1",
+    "@aws-sdk/core": "^3.974.13",
+    "@aws-sdk/credential-provider-node": "^3.972.44",
+    "@aws-sdk/types": "^3.973.9",
+    "@smithy/core": "^3.24.3",
+    "@smithy/fetch-http-handler": "^5.4.3",
+    "@smithy/node-http-handler": "^4.7.3",
+    "@smithy/types": "^4.14.2",
     "tslib": "^2.6.2"
   },
   "devDependencies": {