/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include namespace Aws { namespace Utils { namespace Json { class JsonValue; class JsonView; } // namespace Json } // namespace Utils namespace KMS { namespace Model { /** *

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

AWS KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric CMK. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric CMKs and management operations, such as DescribeKey or ScheduleKeyDeletion.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the AWS Key Management Service Developer Guide.

*

See Also:

AWS API Reference

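*/
class AWS_KMS_API GrantConstraints
{
public:
  // NOTE(review): the text extraction collapsed this header onto a few lines and
  // dropped everything between angle brackets. The map template arguments below
  // are restored as <Aws::String, Aws::String>, matching the Aws::String
  // key/value overloads of the Add* methods. Confirm against the upstream header.

  /** Default constructor; defined outside this header. */
  GrantConstraints();

  /** Constructs the constraints from a JSON view; defined outside this header. */
  GrantConstraints(Aws::Utils::Json::JsonView jsonValue);

  /** Assigns the constraints from a JSON view; defined outside this header. */
  GrantConstraints& operator=(Aws::Utils::Json::JsonView jsonValue);

  /** Serializes the constraints to a JSON value; defined outside this header. */
  Aws::Utils::Json::JsonValue Jsonize() const;


  /**
   * A list of key-value pairs that must be included in the encryption context
   * of the cryptographic operation request. The grant allows the cryptographic
   * operation only when the encryption context in the request includes the
   * key-value pairs specified in this constraint, although it can include
   * additional key-value pairs.
   *
   * @return the locally stored subset constraint (read-only reference).
   */
  inline const Aws::Map<Aws::String, Aws::String>& GetEncryptionContextSubset() const
  {
    return m_encryptionContextSubset;
  }

  /**
   * @return true once any Set/With/Add call for EncryptionContextSubset has
   *         run on this object.
   */
  inline bool EncryptionContextSubsetHasBeenSet() const
  {
    return m_encryptionContextSubsetHasBeenSet;
  }

  /**
   * Replaces the whole subset constraint with a copy of @p value.
   *
   * The "has been set" flag becomes true even when @p value is empty. How
   * Jsonize() treats a set-but-empty map is not visible in this header, so
   * avoid passing an empty map when a real constraint is intended.
   */
  inline void SetEncryptionContextSubset(const Aws::Map<Aws::String, Aws::String>& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset = value;
  }

  /** Replaces the whole subset constraint, moving from @p value. */
  inline void SetEncryptionContextSubset(Aws::Map<Aws::String, Aws::String>&& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset = std::move(value);
  }

  /** Fluent form of SetEncryptionContextSubset (copy). @return *this */
  inline GrantConstraints& WithEncryptionContextSubset(const Aws::Map<Aws::String, Aws::String>& value)
  {
    SetEncryptionContextSubset(value);
    return *this;
  }

  /** Fluent form of SetEncryptionContextSubset (move). @return *this */
  inline GrantConstraints& WithEncryptionContextSubset(Aws::Map<Aws::String, Aws::String>&& value)
  {
    SetEncryptionContextSubset(std::move(value));
    return *this;
  }

  /**
   * Adds one key-value pair to the subset constraint and marks it as set.
   *
   * The pair is inserted with emplace(). Assuming Aws::Map follows std::map
   * semantics (confirm), an entry that already exists under the same key is
   * left unchanged, so a second call with the same key does NOT update the
   * required value. Use SetEncryptionContextSubset to replace the constraint.
   *
   * The class documentation states that grant constraints treat keys as not
   * case sensitive. The local map presumably compares keys exactly, so two keys
   * differing only by case would both be stored; do not add such pairs.
   *
   * @param key   encryption context key to require
   * @param value encryption context value to require (case sensitive)
   * @return *this, to allow chaining
   */
  inline GrantConstraints& AddEncryptionContextSubset(const Aws::String& key, const Aws::String& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(key, value);
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moves @p key. */
  inline GrantConstraints& AddEncryptionContextSubset(Aws::String&& key, const Aws::String& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(std::move(key), value);
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moves @p value. */
  inline GrantConstraints& AddEncryptionContextSubset(const Aws::String& key, Aws::String&& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(key, std::move(value));
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moves both arguments. */
  inline GrantConstraints& AddEncryptionContextSubset(Aws::String&& key, Aws::String&& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(std::move(key), std::move(value));
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; C-string key, moved value. */
  inline GrantConstraints& AddEncryptionContextSubset(const char* key, Aws::String&& value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(key, std::move(value));
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moved key, C-string value. */
  inline GrantConstraints& AddEncryptionContextSubset(Aws::String&& key, const char* value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(std::move(key), value);
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; C-string key and value. */
  inline GrantConstraints& AddEncryptionContextSubset(const char* key, const char* value)
  {
    m_encryptionContextSubsetHasBeenSet = true;
    m_encryptionContextSubset.emplace(key, value);
    return *this;
  }


  /**
   * A list of key-value pairs that must match the encryption context in the
   * cryptographic operation request. The grant allows the operation only when
   * the encryption context in the request is the same as the encryption
   * context specified in this constraint.
   *
   * Unlike EncryptionContextSubset, this constraint does not tolerate
   * additional pairs in the request.
   *
   * @return the locally stored equality constraint (read-only reference).
   */
  inline const Aws::Map<Aws::String, Aws::String>& GetEncryptionContextEquals() const
  {
    return m_encryptionContextEquals;
  }

  /**
   * @return true once any Set/With/Add call for EncryptionContextEquals has
   *         run on this object.
   */
  inline bool EncryptionContextEqualsHasBeenSet() const
  {
    return m_encryptionContextEqualsHasBeenSet;
  }

  /**
   * Replaces the whole equality constraint with a copy of @p value.
   *
   * The "has been set" flag becomes true even when @p value is empty. How
   * Jsonize() treats a set-but-empty map is not visible in this header.
   */
  inline void SetEncryptionContextEquals(const Aws::Map<Aws::String, Aws::String>& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals = value;
  }

  /** Replaces the whole equality constraint, moving from @p value. */
  inline void SetEncryptionContextEquals(Aws::Map<Aws::String, Aws::String>&& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals = std::move(value);
  }

  /** Fluent form of SetEncryptionContextEquals (copy). @return *this */
  inline GrantConstraints& WithEncryptionContextEquals(const Aws::Map<Aws::String, Aws::String>& value)
  {
    SetEncryptionContextEquals(value);
    return *this;
  }

  /** Fluent form of SetEncryptionContextEquals (move). @return *this */
  inline GrantConstraints& WithEncryptionContextEquals(Aws::Map<Aws::String, Aws::String>&& value)
  {
    SetEncryptionContextEquals(std::move(value));
    return *this;
  }

  /**
   * Adds one key-value pair to the equality constraint and marks it as set.
   *
   * The pair is inserted with emplace(). Assuming Aws::Map follows std::map
   * semantics (confirm), an entry that already exists under the same key is
   * left unchanged, so a second call with the same key does NOT update the
   * required value. Use SetEncryptionContextEquals to replace the constraint.
   *
   * @param key   encryption context key to require
   * @param value encryption context value to require (case sensitive)
   * @return *this, to allow chaining
   */
  inline GrantConstraints& AddEncryptionContextEquals(const Aws::String& key, const Aws::String& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(key, value);
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moves @p key. */
  inline GrantConstraints& AddEncryptionContextEquals(Aws::String&& key, const Aws::String& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(std::move(key), value);
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moves @p value. */
  inline GrantConstraints& AddEncryptionContextEquals(const Aws::String& key, Aws::String&& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(key, std::move(value));
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moves both arguments. */
  inline GrantConstraints& AddEncryptionContextEquals(Aws::String&& key, Aws::String&& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(std::move(key), std::move(value));
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; C-string key, moved value. */
  inline GrantConstraints& AddEncryptionContextEquals(const char* key, Aws::String&& value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(key, std::move(value));
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; moved key, C-string value. */
  inline GrantConstraints& AddEncryptionContextEquals(Aws::String&& key, const char* value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(std::move(key), value);
    return *this;
  }

  /** Same as the (const Aws::String&, const Aws::String&) overload; C-string key and value. */
  inline GrantConstraints& AddEncryptionContextEquals(const char* key, const char* value)
  {
    m_encryptionContextEqualsHasBeenSet = true;
    m_encryptionContextEquals.emplace(key, value);
    return *this;
  }

private:

  Aws::Map<Aws::String, Aws::String> m_encryptionContextSubset;
  // Defaulted to false so the flag is never read indeterminate, whatever the
  // out-of-line constructors (not visible in this header) initialise.
  bool m_encryptionContextSubsetHasBeenSet = false;

  Aws::Map<Aws::String, Aws::String> m_encryptionContextEquals;
  // Same defensive default as the subset flag above.
  bool m_encryptionContextEqualsHasBeenSet = false;
};

} // namespace Model
} // namespace KMS
} // namespace Aws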