:doc:`KMS <../../kms>` / Client / revoke_grant

************
revoke_grant
************



.. py:method:: KMS.Client.revoke_grant(**kwargs)

  

  Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more information, see `Retiring and revoking grants <https://docs.aws.amazon.com/kms/latest/developerguide/grant-delete.html>`__ in the *Key Management Service Developer Guide* .

   

  When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as *eventual consistency*. For details, see `Eventual consistency <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency>`__ in the *Key Management Service Developer Guide* .

   

  For detailed information about grants, including grant terminology, see `Grants in KMS <https://docs.aws.amazon.com/kms/latest/developerguide/grants.html>`__ in the *Key Management Service Developer Guide* . For examples of creating grants in several programming languages, see `Use CreateGrant with an Amazon Web Services SDK or CLI <https://docs.aws.amazon.com/kms/latest/developerguide/example_kms_CreateGrant_section.html>`__.

   

  **Cross-account use**: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the ``KeyId`` parameter.

   

  **Required permissions**: `kms\:RevokeGrant <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html>`__ (key policy).

   

  **Related operations:**

   

  
  *  CreateGrant
   
  *  ListGrants
   
  *  ListRetirableGrants
   
  *  RetireGrant
  

   

  **Eventual consistency**: The KMS API follows an eventual consistency model. For more information, see `KMS eventual consistency <https://docs.aws.amazon.com/kms/latest/developerguide/accessing-kms.html#programming-eventual-consistency>`__.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant>`_  


  **Request Syntax**
  ::

    response = client.revoke_grant(
        KeyId='string',
        GrantId='string',
        DryRun=True|False
    )
    
  :type KeyId: string
  :param KeyId: **[REQUIRED]** 

    A unique identifier for the KMS key associated with the grant. To get the key ID and key ARN for a KMS key, use  ListKeys or  DescribeKey.

     

    Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different Amazon Web Services account, you must use the key ARN.

     

    For example:

     

    
    * Key ID: ``1234abcd-12ab-34cd-56ef-1234567890ab``
     
    * Key ARN: ``arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab``
    

     

    To get the key ID and key ARN for a KMS key, use  ListKeys or  DescribeKey.

    

  
  :type GrantId: string
  :param GrantId: **[REQUIRED]** 

    Identifies the grant to revoke. To get the grant ID, use  CreateGrant,  ListGrants, or  ListRetirableGrants.

    

  
  :type DryRun: boolean
  :param DryRun: 

    Checks if your request will succeed. ``DryRun`` is an optional parameter.

     

    To learn more about how to use this parameter, see `Testing your permissions <https://docs.aws.amazon.com/kms/latest/developerguide/testing-permissions.html>`__ in the *Key Management Service Developer Guide*.

    

  
  
  :returns: None
  **Exceptions**
  
  *   :py:class:`KMS.Client.exceptions.NotFoundException`

  
  *   :py:class:`KMS.Client.exceptions.DependencyTimeoutException`

  
  *   :py:class:`KMS.Client.exceptions.InvalidArnException`

  
  *   :py:class:`KMS.Client.exceptions.InvalidGrantIdException`

  
  *   :py:class:`KMS.Client.exceptions.KMSInternalException`

  
  *   :py:class:`KMS.Client.exceptions.KMSInvalidStateException`

  
  *   :py:class:`KMS.Client.exceptions.DryRunOperationException`

  

  **Examples**

  The following example revokes a grant.
  ::

    response = client.revoke_grant(
        # The identifier of the grant to revoke.
        GrantId='0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60',
        # The identifier of the KMS key associated with the grant. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
        KeyId='1234abcd-12ab-34cd-56ef-1234567890ab',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        'ResponseMetadata': {
            '...': '...',
        },
    }

  