view planemo/lib/python3.7/site-packages/boto/kms/layer1.py @ 0:d30785e31577 draft

"planemo upload commit 6eee67778febed82ddd413c3ca40b3183a3898f1"
author guerler
date Fri, 31 Jul 2020 00:18:57 -0400
parents
children
line wrap: on
line source

# Copyright (c) 2014 Amazon.com, Inc. or its affiliates.  All Rights Reserved
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish, dis-
# tribute, sublicense, and/or sell copies of the Software, and to permit
# persons to whom the Software is furnished to do so, subject to the fol-
# lowing conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
#

import boto
from boto.compat import json
from boto.connection import AWSQueryConnection
from boto.regioninfo import RegionInfo
from boto.exception import JSONResponseError
from boto.kms import exceptions
from boto.compat import six
import base64


class KMSConnection(AWSQueryConnection):
    """
    AWS Key Management Service
    AWS Key Management Service (KMS) is an encryption and key
    management web service. This guide describes the KMS actions that
    you can call programmatically. For general information about KMS,
    see (need an address here). For the KMS developer guide, see (need
    address here).

    AWS provides SDKs that consist of libraries and sample code for
    various programming languages and platforms (Java, Ruby, .Net,
    iOS, Android, etc.). The SDKs provide a convenient way to create
    programmatic access to KMS and AWS. For example, the SDKs take
    care of tasks such as signing requests (see below), managing
    errors, and retrying requests automatically. For more information
    about the AWS SDKs, including how to download and install them,
    see `Tools for Amazon Web Services`_.

    We recommend that you use the AWS SDKs to make programmatic API
    calls to KMS. However, you can also use the KMS Query API to make
    to make direct calls to the KMS web service.

    **Signing Requests**

    Requests must be signed by using an access key ID and a secret
    access key. We strongly recommend that you do not use your AWS
    account access key ID and secret key for everyday work with KMS.
    Instead, use the access key ID and secret access key for an IAM
    user, or you can use the AWS Security Token Service to generate
    temporary security credentials that you can use to sign requests.

    All KMS operations require `Signature Version 4`_.

    **Recording API Requests**

    KMS supports AWS CloudTrail, a service that records AWS API calls
    and related events for your AWS account and delivers them to an
    Amazon S3 bucket that you specify. By using the information
    collected by CloudTrail, you can determine what requests were made
    to KMS, who made the request, when it was made, and so on. To
    learn more about CloudTrail, including how to turn it on and find
    your log files, see the `AWS CloudTrail User Guide`_

    **Additional Resources**

    For more information about credentials and request signing, see
    the following:


    + `AWS Security Credentials`_. This topic provides general
      information about the types of credentials used for accessing AWS.
    + `AWS Security Token Service`_. This guide describes how to
      create and use temporary security credentials.
    + `Signing AWS API Requests`_. This set of topics walks you
      through the process of signing a request using an access key ID
      and a secret access key.
    """
    APIVersion = "2014-11-01"
    DefaultRegionName = "us-east-1"
    DefaultRegionEndpoint = "kms.us-east-1.amazonaws.com"
    ServiceName = "KMS"
    TargetPrefix = "TrentService"
    ResponseError = JSONResponseError

    _faults = {
        "InvalidGrantTokenException": exceptions.InvalidGrantTokenException,
        "DisabledException": exceptions.DisabledException,
        "LimitExceededException": exceptions.LimitExceededException,
        "DependencyTimeoutException": exceptions.DependencyTimeoutException,
        "InvalidMarkerException": exceptions.InvalidMarkerException,
        "AlreadyExistsException": exceptions.AlreadyExistsException,
        "InvalidCiphertextException": exceptions.InvalidCiphertextException,
        "KeyUnavailableException": exceptions.KeyUnavailableException,
        "InvalidAliasNameException": exceptions.InvalidAliasNameException,
        "UnsupportedOperationException": exceptions.UnsupportedOperationException,
        "InvalidArnException": exceptions.InvalidArnException,
        "KMSInternalException": exceptions.KMSInternalException,
        "InvalidKeyUsageException": exceptions.InvalidKeyUsageException,
        "MalformedPolicyDocumentException": exceptions.MalformedPolicyDocumentException,
        "NotFoundException": exceptions.NotFoundException,
    }


    def __init__(self, **kwargs):
        region = kwargs.pop('region', None)
        if not region:
            region = RegionInfo(self, self.DefaultRegionName,
                                self.DefaultRegionEndpoint)

        if 'host' not in kwargs or kwargs['host'] is None:
            kwargs['host'] = region.endpoint

        super(KMSConnection, self).__init__(**kwargs)
        self.region = region

    def _required_auth_capability(self):
        return ['hmac-v4']

    def create_alias(self, alias_name, target_key_id):
        """
        Creates a display name for a customer master key. An alias can
        be used to identify a key and should be unique. The console
        enforces a one-to-one mapping between the alias and a key. An
        alias name can contain only alphanumeric characters, forward
        slashes (/), underscores (_), and dashes (-). An alias must
        start with the word "alias" followed by a forward slash
        (alias/). An alias that begins with "aws" after the forward
        slash (alias/aws...) is reserved by Amazon Web Services (AWS).

        :type alias_name: string
        :param alias_name: String that contains the display name. Aliases that
            begin with AWS are reserved.

        :type target_key_id: string
        :param target_key_id: An identifier of the key for which you are
            creating the alias. This value cannot be another alias.

        """
        params = {
            'AliasName': alias_name,
            'TargetKeyId': target_key_id,
        }
        return self.make_request(action='CreateAlias',
                                 body=json.dumps(params))

    def create_grant(self, key_id, grantee_principal,
                     retiring_principal=None, operations=None,
                     constraints=None, grant_tokens=None):
        """
        Adds a grant to a key to specify who can access the key and
        under what conditions. Grants are alternate permission
        mechanisms to key policies. If absent, access to the key is
        evaluated based on IAM policies attached to the user. By
        default, grants do not expire. Grants can be listed, retired,
        or revoked as indicated by the following APIs. Typically, when
        you are finished using a grant, you retire it. When you want
        to end a grant immediately, revoke it. For more information
        about grants, see `Grants`_.

        #. ListGrants
        #. RetireGrant
        #. RevokeGrant

        :type key_id: string
        :param key_id: A unique key identifier for a customer master key. This
            value can be a globally unique identifier, an ARN, or an alias.

        :type grantee_principal: string
        :param grantee_principal: Principal given permission by the grant to
            use the key identified by the `keyId` parameter.

        :type retiring_principal: string
        :param retiring_principal: Principal given permission to retire the
            grant. For more information, see RetireGrant.

        :type operations: list
        :param operations: List of operations permitted by the grant. This can
            be any combination of one or more of the following values:

        #. Decrypt
        #. Encrypt
        #. GenerateDataKey
        #. GenerateDataKeyWithoutPlaintext
        #. ReEncryptFrom
        #. ReEncryptTo
        #. CreateGrant

        :type constraints: dict
        :param constraints: Specifies the conditions under which the actions
            specified by the `Operations` parameter are allowed.

        :type grant_tokens: list
        :param grant_tokens: List of grant tokens.

        """
        params = {
            'KeyId': key_id,
            'GranteePrincipal': grantee_principal,
        }
        if retiring_principal is not None:
            params['RetiringPrincipal'] = retiring_principal
        if operations is not None:
            params['Operations'] = operations
        if constraints is not None:
            params['Constraints'] = constraints
        if grant_tokens is not None:
            params['GrantTokens'] = grant_tokens
        return self.make_request(action='CreateGrant',
                                 body=json.dumps(params))

    def create_key(self, policy=None, description=None, key_usage=None):
        """
        Creates a customer master key. Customer master keys can be
        used to encrypt small amounts of data (less than 4K) directly,
        but they are most commonly used to encrypt or envelope data
        keys that are then used to encrypt customer data. For more
        information about data keys, see GenerateDataKey and
        GenerateDataKeyWithoutPlaintext.

        :type policy: string
        :param policy: Policy to be attached to the key. This is required and
            delegates back to the account. The key is the root of trust.

        :type description: string
        :param description: Description of the key. We recommend that you
            choose a description that helps your customer decide whether the
            key is appropriate for a task.

        :type key_usage: string
        :param key_usage: Specifies the intended use of the key. Currently this
            defaults to ENCRYPT/DECRYPT, and only symmetric encryption and
            decryption are supported.

        """
        params = {}
        if policy is not None:
            params['Policy'] = policy
        if description is not None:
            params['Description'] = description
        if key_usage is not None:
            params['KeyUsage'] = key_usage
        return self.make_request(action='CreateKey',
                                 body=json.dumps(params))

    def decrypt(self, ciphertext_blob, encryption_context=None,
                grant_tokens=None):
        """
        Decrypts ciphertext. Ciphertext is plaintext that has been
        previously encrypted by using the Encrypt function.

        :type ciphertext_blob: blob
        :param ciphertext_blob: Ciphertext including metadata.

        :type encryption_context: map
        :param encryption_context: The encryption context. If this was
            specified in the Encrypt function, it must be specified here or the
            decryption operation will fail. For more information, see
            `Encryption Context`_.

        :type grant_tokens: list
        :param grant_tokens: A list of grant tokens that represent grants which
            can be used to provide long term permissions to perform decryption.

        """
        if not isinstance(ciphertext_blob, six.binary_type):
            raise TypeError(
                "Value of argument ``ciphertext_blob`` "
                "must be of type %s." % six.binary_type)
        ciphertext_blob = base64.b64encode(ciphertext_blob)
        params = {'CiphertextBlob': ciphertext_blob.decode('utf-8'), }
        if encryption_context is not None:
            params['EncryptionContext'] = encryption_context
        if grant_tokens is not None:
            params['GrantTokens'] = grant_tokens
        response = self.make_request(action='Decrypt',
                                     body=json.dumps(params))
        if response.get('Plaintext') is not None:
            response['Plaintext'] = base64.b64decode(
                response['Plaintext'].encode('utf-8'))
        return response

    def delete_alias(self, alias_name):
        """
        Deletes the specified alias.

        :type alias_name: string
        :param alias_name: The alias to be deleted.

        """
        params = {'AliasName': alias_name, }
        return self.make_request(action='DeleteAlias',
                                 body=json.dumps(params))

    def describe_key(self, key_id):
        """
        Provides detailed information about the specified customer
        master key.

        :type key_id: string
        :param key_id: Unique identifier of the customer master key to be
            described. This can be an ARN, an alias, or a globally unique
            identifier.

        """
        params = {'KeyId': key_id, }
        return self.make_request(action='DescribeKey',
                                 body=json.dumps(params))

    def disable_key(self, key_id):
        """
        Marks a key as disabled, thereby preventing its use.

        :type key_id: string
        :param key_id: Unique identifier of the customer master key to be
            disabled. This can be an ARN, an alias, or a globally unique
            identifier.

        """
        params = {'KeyId': key_id, }
        return self.make_request(action='DisableKey',
                                 body=json.dumps(params))

    def disable_key_rotation(self, key_id):
        """
        Disables rotation of the specified key.

        :type key_id: string
        :param key_id: Unique identifier of the customer master key for which
            rotation is to be disabled. This can be an ARN, an alias, or a
            globally unique identifier.

        """
        params = {'KeyId': key_id, }
        return self.make_request(action='DisableKeyRotation',
                                 body=json.dumps(params))

    def enable_key(self, key_id):
        """
        Marks a key as enabled, thereby permitting its use. You can
        have up to 25 enabled keys at one time.

        :type key_id: string
        :param key_id: Unique identifier of the customer master key to be
            enabled. This can be an ARN, an alias, or a globally unique
            identifier.

        """
        params = {'KeyId': key_id, }
        return self.make_request(action='EnableKey',
                                 body=json.dumps(params))

    def enable_key_rotation(self, key_id):
        """
        Enables rotation of the specified customer master key.

        :type key_id: string
        :param key_id: Unique identifier of the customer master key for which
            rotation is to be enabled. This can be an ARN, an alias, or a
            globally unique identifier.

        """
        params = {'KeyId': key_id, }
        return self.make_request(action='EnableKeyRotation',
                                 body=json.dumps(params))

    def encrypt(self, key_id, plaintext, encryption_context=None,
                grant_tokens=None):
        """
        Encrypts plaintext into ciphertext by using a customer master
        key.

        :type key_id: string
        :param key_id: Unique identifier of the customer master. This can be an
            ARN, an alias, or the Key ID.

        :type plaintext: blob
        :param plaintext: Data to be encrypted.

        :type encryption_context: map
        :param encryption_context: Name:value pair that specifies the
            encryption context to be used for authenticated encryption. For
            more information, see `Authenticated Encryption`_.

        :type grant_tokens: list
        :param grant_tokens: A list of grant tokens that represent grants which
            can be used to provide long term permissions to perform encryption.

        """
        if not isinstance(plaintext, six.binary_type):
            raise TypeError(
                "Value of argument ``plaintext`` "
                "must be of type %s." % six.binary_type)
        plaintext = base64.b64encode(plaintext)
        params = {'KeyId': key_id, 'Plaintext': plaintext.decode('utf-8'), }
        if encryption_context is not None:
            params['EncryptionContext'] = encryption_context
        if grant_tokens is not None:
            params['GrantTokens'] = grant_tokens
        response = self.make_request(action='Encrypt',
                                     body=json.dumps(params))
        if response.get('CiphertextBlob') is not None:
            response['CiphertextBlob'] = base64.b64decode(
                response['CiphertextBlob'].encode('utf-8'))
        return response

    def generate_data_key(self, key_id, encryption_context=None,
                          number_of_bytes=None, key_spec=None,
                          grant_tokens=None):
        """
        Generates a secure data key. Data keys are used to encrypt and
        decrypt data. They are wrapped by customer master keys.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        :type encryption_context: map
        :param encryption_context: Name/value pair that contains additional
            data to be authenticated during the encryption and decryption
            processes that use the key. This value is logged by AWS CloudTrail
            to provide context around the data encrypted by the key.

        :type number_of_bytes: integer
        :param number_of_bytes: Integer that contains the number of bytes to
            generate. Common values are 128, 256, 512, 1024 and so on. 1024 is
            the current limit.

        :type key_spec: string
        :param key_spec: Value that identifies the encryption algorithm and key
            size to generate a data key for. Currently this can be AES_128 or
            AES_256.

        :type grant_tokens: list
        :param grant_tokens: A list of grant tokens that represent grants which
            can be used to provide long term permissions to generate a key.

        """
        params = {'KeyId': key_id, }
        if encryption_context is not None:
            params['EncryptionContext'] = encryption_context
        if number_of_bytes is not None:
            params['NumberOfBytes'] = number_of_bytes
        if key_spec is not None:
            params['KeySpec'] = key_spec
        if grant_tokens is not None:
            params['GrantTokens'] = grant_tokens
        response = self.make_request(action='GenerateDataKey',
                                     body=json.dumps(params))
        if response.get('CiphertextBlob') is not None:
            response['CiphertextBlob'] = base64.b64decode(
                response['CiphertextBlob'].encode('utf-8'))
        if response.get('Plaintext') is not None:
            response['Plaintext'] = base64.b64decode(
                response['Plaintext'].encode('utf-8'))
        return response

    def generate_data_key_without_plaintext(self, key_id,
                                            encryption_context=None,
                                            key_spec=None,
                                            number_of_bytes=None,
                                            grant_tokens=None):
        """
        Returns a key wrapped by a customer master key without the
        plaintext copy of that key. To retrieve the plaintext, see
        GenerateDataKey.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        :type encryption_context: map
        :param encryption_context: Name:value pair that contains additional
            data to be authenticated during the encryption and decryption
            processes.

        :type key_spec: string
        :param key_spec: Value that identifies the encryption algorithm and key
            size. Currently this can be AES_128 or AES_256.

        :type number_of_bytes: integer
        :param number_of_bytes: Integer that contains the number of bytes to
            generate. Common values are 128, 256, 512, 1024 and so on.

        :type grant_tokens: list
        :param grant_tokens: A list of grant tokens that represent grants which
            can be used to provide long term permissions to generate a key.

        """
        params = {'KeyId': key_id, }
        if encryption_context is not None:
            params['EncryptionContext'] = encryption_context
        if key_spec is not None:
            params['KeySpec'] = key_spec
        if number_of_bytes is not None:
            params['NumberOfBytes'] = number_of_bytes
        if grant_tokens is not None:
            params['GrantTokens'] = grant_tokens
        response = self.make_request(action='GenerateDataKeyWithoutPlaintext',
                                     body=json.dumps(params))
        if response.get('CiphertextBlob') is not None:
            response['CiphertextBlob'] = base64.b64decode(
                response['CiphertextBlob'].encode('utf-8'))
        return response

    def generate_random(self, number_of_bytes=None):
        """
        Generates an unpredictable byte string.

        :type number_of_bytes: integer
        :param number_of_bytes: Integer that contains the number of bytes to
            generate. Common values are 128, 256, 512, 1024 and so on. The
            current limit is 1024 bytes.

        """
        params = {}
        if number_of_bytes is not None:
            params['NumberOfBytes'] = number_of_bytes
        response = self.make_request(action='GenerateRandom',
                                     body=json.dumps(params))
        if response.get('Plaintext') is not None:
            response['Plaintext'] = base64.b64decode(
                response['Plaintext'].encode('utf-8'))
        return response

    def get_key_policy(self, key_id, policy_name):
        """
        Retrieves a policy attached to the specified key.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        :type policy_name: string
        :param policy_name: String that contains the name of the policy.
            Currently, this must be "default". Policy names can be discovered
            by calling ListKeyPolicies.

        """
        params = {'KeyId': key_id, 'PolicyName': policy_name, }
        return self.make_request(action='GetKeyPolicy',
                                 body=json.dumps(params))

    def get_key_rotation_status(self, key_id):
        """
        Retrieves a Boolean value that indicates whether key rotation
        is enabled for the specified key.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        """
        params = {'KeyId': key_id, }
        return self.make_request(action='GetKeyRotationStatus',
                                 body=json.dumps(params))

    def list_aliases(self, limit=None, marker=None):
        """
        Lists all of the key aliases in the account.

        :type limit: integer
        :param limit: Specify this parameter when paginating results to
            indicate the maximum number of aliases you want in each response.
            If there are additional aliases beyond the maximum you specify, the
            `Truncated` response element will be set to `true.`

        :type marker: string
        :param marker: Use this parameter when paginating results, and only in
            a subsequent request after you've received a response where the
            results are truncated. Set it to the value of the `NextMarker`
            element in the response you just received.

        """
        params = {}
        if limit is not None:
            params['Limit'] = limit
        if marker is not None:
            params['Marker'] = marker
        return self.make_request(action='ListAliases',
                                 body=json.dumps(params))

    def list_grants(self, key_id, limit=None, marker=None):
        """
        List the grants for a specified key.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        :type limit: integer
        :param limit: Specify this parameter only when paginating results to
            indicate the maximum number of grants you want listed in the
            response. If there are additional grants beyond the maximum you
            specify, the `Truncated` response element will be set to `true.`

        :type marker: string
        :param marker: Use this parameter only when paginating results, and
            only in a subsequent request after you've received a response where
            the results are truncated. Set it to the value of the `NextMarker`
            in the response you just received.

        """
        params = {'KeyId': key_id, }
        if limit is not None:
            params['Limit'] = limit
        if marker is not None:
            params['Marker'] = marker
        return self.make_request(action='ListGrants',
                                 body=json.dumps(params))

    def list_key_policies(self, key_id, limit=None, marker=None):
        """
        Retrieves a list of policies attached to a key.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        :type limit: integer
        :param limit: Specify this parameter only when paginating results to
            indicate the maximum number of policies you want listed in the
            response. If there are additional policies beyond the maximum you
            specify, the `Truncated` response element will be set to `true.`

        :type marker: string
        :param marker: Use this parameter only when paginating results, and
            only in a subsequent request after you've received a response where
            the results are truncated. Set it to the value of the `NextMarker`
            in the response you just received.

        """
        params = {'KeyId': key_id, }
        if limit is not None:
            params['Limit'] = limit
        if marker is not None:
            params['Marker'] = marker
        return self.make_request(action='ListKeyPolicies',
                                 body=json.dumps(params))

    def list_keys(self, limit=None, marker=None):
        """
        Lists the customer master keys.

        :type limit: integer
        :param limit: Specify this parameter only when paginating results to
            indicate the maximum number of keys you want listed in the
            response. If there are additional keys beyond the maximum you
            specify, the `Truncated` response element will be set to `true.`

        :type marker: string
        :param marker: Use this parameter only when paginating results, and
            only in a subsequent request after you've received a response where
            the results are truncated. Set it to the value of the `NextMarker`
            in the response you just received.

        """
        params = {}
        if limit is not None:
            params['Limit'] = limit
        if marker is not None:
            params['Marker'] = marker
        return self.make_request(action='ListKeys',
                                 body=json.dumps(params))

    def put_key_policy(self, key_id, policy_name, policy):
        """
        Attaches a policy to the specified key.

        :type key_id: string
        :param key_id: Unique identifier of the key. This can be an ARN, an
            alias, or a globally unique identifier.

        :type policy_name: string
        :param policy_name: Name of the policy to be attached. Currently, the
            only supported name is "default".

        :type policy: string
        :param policy: The policy, in JSON format, to be attached to the key.

        """
        params = {
            'KeyId': key_id,
            'PolicyName': policy_name,
            'Policy': policy,
        }
        return self.make_request(action='PutKeyPolicy',
                                 body=json.dumps(params))

    def re_encrypt(self, ciphertext_blob, destination_key_id,
                   source_encryption_context=None,
                   destination_encryption_context=None, grant_tokens=None):
        """
        Encrypts data on the server side with a new customer master
        key without exposing the plaintext of the data on the client
        side. The data is first decrypted and then encrypted. This
        operation can also be used to change the encryption context of
        a ciphertext.

        :type ciphertext_blob: blob
        :param ciphertext_blob: Ciphertext of the data to re-encrypt.

        :type source_encryption_context: map
        :param source_encryption_context: Encryption context used to encrypt
            and decrypt the data specified in the `CiphertextBlob` parameter.

        :type destination_key_id: string
        :param destination_key_id: Key identifier of the key used to re-encrypt
            the data.

        :type destination_encryption_context: map
        :param destination_encryption_context: Encryption context to be used
            when the data is re-encrypted.

        :type grant_tokens: list
        :param grant_tokens: Grant tokens that identify the grants that have
            permissions for the encryption and decryption process.

        """
        if not isinstance(ciphertext_blob, six.binary_type):
            raise TypeError(
                "Value of argument ``ciphertext_blob`` "
                "must be of type %s." % six.binary_type)
        ciphertext_blob = base64.b64encode(ciphertext_blob)
        params = {
            'CiphertextBlob': ciphertext_blob,
            'DestinationKeyId': destination_key_id,
        }
        if source_encryption_context is not None:
            params['SourceEncryptionContext'] = source_encryption_context
        if destination_encryption_context is not None:
            params['DestinationEncryptionContext'] = destination_encryption_context
        if grant_tokens is not None:
            params['GrantTokens'] = grant_tokens
        response = self.make_request(action='ReEncrypt',
                                     body=json.dumps(params))
        if response.get('CiphertextBlob') is not None:
            response['CiphertextBlob'] = base64.b64decode(
                response['CiphertextBlob'].encode('utf-8'))
        return response

    def retire_grant(self, grant_token):
        """
        Retires a grant. You can retire a grant when you're done using
        it to clean up. You should revoke a grant when you intend to
        actively deny operations that depend on it.

        :type grant_token: string
        :param grant_token: Token that identifies the grant to be retired.

        """
        params = {'GrantToken': grant_token, }
        return self.make_request(action='RetireGrant',
                                 body=json.dumps(params))

    def revoke_grant(self, key_id, grant_id):
        """
        Revokes a grant. You can revoke a grant to actively deny
        operations that depend on it.

        :type key_id: string
        :param key_id: Unique identifier of the key associated with the grant.

        :type grant_id: string
        :param grant_id: Identifier of the grant to be revoked.

        """
        params = {'KeyId': key_id, 'GrantId': grant_id, }
        return self.make_request(action='RevokeGrant',
                                 body=json.dumps(params))

    def update_key_description(self, key_id, description):
        """
        

        :type key_id: string
        :param key_id:

        :type description: string
        :param description:

        """
        params = {'KeyId': key_id, 'Description': description, }
        return self.make_request(action='UpdateKeyDescription',
                                 body=json.dumps(params))

    def make_request(self, action, body):
        headers = {
            'X-Amz-Target': '%s.%s' % (self.TargetPrefix, action),
            'Host': self.region.endpoint,
            'Content-Type': 'application/x-amz-json-1.1',
            'Content-Length': str(len(body)),
        }
        http_request = self.build_base_http_request(
            method='POST', path='/', auth_path='/', params={},
            headers=headers, data=body)
        response = self._mexe(http_request, sender=None,
                              override_num_retries=10)
        response_body = response.read().decode('utf-8')
        boto.log.debug(response_body)
        if response.status == 200:
            if response_body:
                return json.loads(response_body)
        else:
            json_body = json.loads(response_body)
            fault_name = json_body.get('__type', None)
            exception_class = self._faults.get(fault_name, self.ResponseError)
            raise exception_class(response.status, response.reason,
                                  body=json_body)