#!/bin/bash
#set -x

MY_ACCOUNT=$(aws sts get-caller-identity --output json | jq -r .Account)

for r in $(aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text); do
  keyAlias="arn:aws:kms:${r}:${MY_ACCOUNT}:alias/zdt/amis"
  keyArn=$(aws kms describe-key --region $r --key-id $keyAlias --output json 2>/dev/null | jq -r '.KeyMetadata.Arn')

  if [ -n "$keyArn" ]; then
    aws kms list-grants --region $r --key-id $keyArn --output json | jq '.Grants[]'
  fi
done