import type { IGrantable } from '../../aws-iam';
import * as iam from '../../aws-iam';
import type { IKeyRef } from '../../interfaces/generated/aws-kms-interfaces.generated';
/**
 * Collection of grant methods for an IKey
 */
export declare class KeyGrants {
    /**
     * Creates grants for an IKeyRef
     */
    static fromKey(resource: IKeyRef, trustAccountIdentities?: boolean): KeyGrants;
    protected readonly resource: IKeyRef;
    private readonly trustAccountIdentities?;
    private readonly policyResource?;
    private constructor();
    /**
     * Grant the indicated permissions on this key to the given principal
     *
     * This modifies both the principal's policy as well as the resource policy,
     * since the default CloudFormation setup for KMS keys is that the policy
     * must not be empty and so default grants won't work.
     *
     */
    actions(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
    /**
     * Grant admins permissions using this key to the given principal
     *
     * Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions
     * to use the key in cryptographic operations (e.g., encrypt, decrypt).
     */
    admin(grantee: IGrantable): iam.Grant;
    /**
     * Grant decryption permissions using this key to the given principal
     *
     */
    decrypt(grantee: IGrantable): iam.Grant;
    /**
     * Grant encryption permissions using this key to the given principal
     *
     */
    encrypt(grantee: IGrantable): iam.Grant;
    /**
     * Grant encryption and decryption permissions using this key to the given principal
     *
     */
    encryptDecrypt(grantee: IGrantable): iam.Grant;
    /**
     * Grant sign permissions using this key to the given principal
     *
     */
    sign(grantee: IGrantable): iam.Grant;
    /**
     * Grant verify permissions using this key to the given principal
     *
     */
    verify(grantee: IGrantable): iam.Grant;
    /**
     * Grant sign and verify permissions using this key to the given principal
     *
     */
    signVerify(grantee: IGrantable): iam.Grant;
    /**
     * Grant permissions to generating MACs to the given principal
     *
     */
    generateMac(grantee: IGrantable): iam.Grant;
    /**
     * Grant permissions to verifying MACs to the given principal
     *
     */
    verifyMac(grantee: IGrantable): iam.Grant;
    private granteeStackDependsOnKeyStack;
    private isGranteeFromAnotherRegion;
    private isGranteeFromAnotherAccount;
}