There's more...

In this recipe, we granted permission to only one operation. We can grant permission to multiple operations like so:

aws kms create-grant \
--key-id 1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5 \
--grantee-principal arn:aws:iam::135301570106:user/testuser \
--operations "Encrypt" "Decrypt" \
--profile awssecadmin

Let's quickly go through some important concepts related to granting and revoking permissions programmatically within AWS:

  • The supported grant operations are Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, and DescribeKey.
  • We can use the encrypt subcommand of the AWS KMS API to convert plain text into ciphertext with the help of a key.
  • We can use the decrypt subcommand of the AWS KMS API to convert ciphertext back into plain text with the help of the same key that was used for encryption.
  • We can use the re-encrypt subcommand of the AWS KMS API to decrypt and re-encrypt data on the server side with a new CMK without exposing the plain text on the client side. This subcommand can also be used to change the encryption context of a ciphertext.
  • An encryption context is an optional additional set of key-value pairs that forms an additional authentication check. The same encryption context that was used for encryption needs to be supplied for decryption and re-encryption. Since the encryption context is not a secret, it appears in plain text within AWS CloudTrail logs, making it useful for monitoring and auditing cryptographic operations.
  • Grants are an alternative to key policies for giving principals permission to use a CMK.
  • Within the same account, we can use either the key ID or the key ARN with the create-grant subcommand. For users in other accounts, the key ARN needs to be specified.
  • The create-grant subcommand has a constraints parameter that accepts an encryption context.
  • When we create grants, the permissions may not be reflected immediately due to the eventual consistency model followed by AWS. By passing the grant token returned by the create-grant subcommand in subsequent requests, we can avoid any delay due to eventual consistency.
  • The list-grants subcommand is used to list all the grants for a key and provides the following additional parameters for paginating the result: starting-token, page-size, and max-items.
  • The AWS CLI pagination parameters, starting-token, page-size, and max-items, have the following functions:
    • The max-items parameter states the maximum number of items that need to be returned by the API.
    • If there are more results from the API calls than specified by max-items, then a NextToken is provided in the response, which needs to be passed as starting-token in the next request.
    • The page-size parameter specifies the maximum number of elements to retrieve in a single API call. For example, if page-size is 10 and max-items is 100, 10 API calls will be made in the background and then 100 items will be returned.
  • The revoke-grant subcommand can be run by the root user of the account that created the grant, by the RetiringPrincipal of the grant, or by the GranteePrincipal if the grant includes the RetireGrant operation.
  • The AWS documentation recommends that, when cleaning up, we retire a grant with the retire-grant subcommand once we're done using it, but revoke a grant with the revoke-grant subcommand when we intend to actively deny the operations that depend on it.
  • The list-retirable-grants subcommand can be used to list all grants with the specified RetiringPrincipal.
  • The list-retirable-grants subcommand provides the following parameters to limit the retirable grants that are returned: limit and marker. limit is the maximum number of items to return, while marker is the value of the NextMarker returned with the previous request when more items exist than the limit parameter allows.
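The following script is an added example, not part of the recipe, tying these points together: it creates a grant restricted by an encryption-context constraint, uses the returned grant token straight away to encrypt, pages through the key's grants, and retires the grant afterwards. The key ID, grantee and profile are the recipe's; RETIRING_PRINCIPAL, the encryption context and the plaintext file are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the recipe): grant lifecycle with an encryption-context
# constraint and a grant token. Key ID, grantee and profile come from the recipe;
# RETIRING_PRINCIPAL, the context pair and the plaintext are placeholders.
set -eu
KEY_ID="1ab77c7a-7ca4-4387-a4c5-2fba3cb5c0f5"
GRANTEE="arn:aws:iam::135301570106:user/testuser"
RETIRING_PRINCIPAL="arn:aws:iam::135301570106:user/REPLACE_WITH_ADMIN_USER"
PROFILE="awssecadmin"
CTX_KEY="purpose"; CTX_VAL="recipe"

# Build the --constraints value: the grant only applies to requests whose
# encryption context contains these key-value pairs (EncryptionContextSubset).
grant_constraints() { # usage: grant_constraints <key> <value>
  printf '{"EncryptionContextSubset":{"%s":"%s"}}' "$1" "$2"
}

# Create the grant; prints "<GrantId>\t<GrantToken>". Passing the token in
# later requests avoids waiting for eventual consistency.
create_grant() {
  aws kms create-grant --key-id "$KEY_ID" --grantee-principal "$GRANTEE" \
    --operations Encrypt Decrypt --retiring-principal "$RETIRING_PRINCIPAL" \
    --constraints "$(grant_constraints "$CTX_KEY" "$CTX_VAL")" \
    --profile "$PROFILE" --query '[GrantId,GrantToken]' --output text
}

# Encrypt using the grant token and the matching encryption context; a request
# without that context does not satisfy the constraint and is denied.
encrypt_with_grant() { # usage: encrypt_with_grant <grant-token> <plaintext-file>
  aws kms encrypt --key-id "$KEY_ID" --plaintext "fileb://$2" \
    --encryption-context "${CTX_KEY}=${CTX_VAL}" --grant-tokens "$1" \
    --profile "$PROFILE" --query CiphertextBlob --output text
}

# Page through every grant on the key, 10 per API call, following NextToken.
list_all_grants() {
  aws kms list-grants --key-id "$KEY_ID" --page-size 10 --profile "$PROFILE" \
    --query 'Grants[].[GrantId,GranteePrincipal]' --output text
}

# Retire the grant when done; use revoke-grant instead to actively deny access.
retire_grant() { aws kms retire-grant --key-id "$KEY_ID" --grant-id "$1" --profile "$PROFILE"; }

if [ "${1:-}" = "run" ]; then
  set -- $(create_grant)                      # $1=GrantId $2=GrantToken
  printf 'hello' > /tmp/kms-plain.txt
  encrypt_with_grant "$2" /tmp/kms-plain.txt >/dev/null && echo "encrypt via grant OK"
  list_all_grants
  retire_grant "$1"
fi
```

Run it as `sh script.sh run` with the awssecadmin profile configured; the retire step only succeeds when the caller is the retiring principal you substituted.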