feat(kms): make trustAccountIdentities optional in KeyGrants

[otaviomacedo]

Reason for this change

The KeyGrants.fromKey() method requires the user to decide whether they want to add permission to both the principal and the resource or just the principal. This is hard to reason about and most of the time customers just want a sensible default.

Description of changes

The parameter trustAccountIdentities to KeyGrants.fromKey() is being made optional, and defaults to the value of the @aws-cdk/aws-kms:defaultKeyPolicies feature flag.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

✅ The pull request has been merged at 4a3ca05

This pull request spent 6 seconds in the queue, with no time running CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(kms): make trustAccountIdentities optional in KeyGrants #36786
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(kms): make trustAccountIdentities optional in KeyGrants #36786
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.