Struct rusoto_kms::GrantConstraints

pub struct GrantConstraints {
    pub encryption_context_equals: Option<HashMap<String, String>>,
    pub encryption_context_subset: Option<HashMap<String, String>>,
}

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

AWS KMS applies the grant constraints only when the grant allows a cryptographic operation that accepts an encryption context as input, such as the following.

• Encrypt

• Decrypt

• GenerateDataKey

• GenerateDataKeyWithoutPlaintext

• ReEncrypt

AWS KMS does not apply the grant constraints to other operations, such as DescribeKey or ScheduleKeyDeletion.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the AWS Key Management Service Developer Guide .

Fields

encryption_context_equals: Option<HashMap<String, String>>

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

encryption_context_subset: Option<HashMap<String, String>>

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Trait Implementations

impl PartialEq<GrantConstraints> for GrantConstraints

fn eq(&self, other: &GrantConstraints) -> bool

This method tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &GrantConstraints) -> bool

This method tests for !=.

impl Default for GrantConstraints

fn default() -> GrantConstraints

Returns the "default value" for a type.

impl Clone for GrantConstraints

fn clone(&self) -> GrantConstraints

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for GrantConstraints

fn fmt(&self, f: &mut Formatter) -> Result

Formats the value using the given formatter.

impl Serialize for GrantConstraints

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error> where
    __S: Serializer, 

Serialize this value into the given Serde serializer.

impl<'de> Deserialize<'de> for GrantConstraints

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error> where
    __D: Deserializer<'de>, 

Deserialize this value from the given Serde deserializer.