codeperl
diff --git a/‎localstack/services/kms/models.py
Lines changed: 3 additions & 3 deletions b/‎localstack/services/kms/models.py
Lines changed: 3 additions & 3 deletions
diff --git a/‎localstack/services/kms/provider.py
Lines changed: 6 additions & 5 deletions b/‎localstack/services/kms/provider.py
Lines changed: 6 additions & 5 deletions
diff --git a/‎tests/integration/test_kms.py
Lines changed: 31 additions & 0 deletions b/‎tests/integration/test_kms.py
Lines changed: 31 additions & 0 deletions
@@ -8,7 +8,7 @@
 import uuid
 from collections import namedtuple
 from dataclasses import dataclass
-from typing import Dict, List
+from typing import Dict, List, Tuple
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes
@@ -517,8 +517,8 @@ class KmsStore(BaseStore):
     #
     # maps grant ids to grants
     grants: Dict[str, KmsGrant] = LocalAttribute(default=dict)
-    # maps from grant names (used for idempotency) to grant ids
-    grant_names: Dict[str, str] = LocalAttribute(default=dict)
+    # maps from (grant names (used for idempotency), key id) to grant ids
+    grant_names: Dict[Tuple[str, str], str] = LocalAttribute(default=dict)
     # maps grant tokens to grant ids
     grant_tokens: Dict[str, str] = LocalAttribute(default=dict)
 
 
@@ -274,17 +274,18 @@ def create_grant(
         # KeyId can potentially hold one of multiple different types of key identifiers. Here we find a key no
         # matter which type of id is used.
         key = store.get_key(request.get("KeyId"))
-        request["KeyId"] = key.metadata.get("KeyId")
+        key_id = key.metadata.get("KeyId")
+        request["KeyId"] = key_id
         self._validate_grant_request(request, store)
         grant_name = request.get("Name")
-        if grant_name and grant_name in store.grant_names:
-            grant = store.grants[store.grant_names[grant_name]]
+        if grant_name and (grant_name, key_id) in store.grant_names:
+            grant = store.grants[store.grant_names[(grant_name, key_id)]]
         else:
             grant = KmsGrant(request)
             grant_id = grant.metadata["GrantId"]
             store.grants[grant_id] = grant
             if grant_name:
-                store.grant_names[grant_name] = grant_id
+                store.grant_names[(grant_name, key_id)] = grant_id
             store.grant_tokens[grant.token] = grant_id
 
         # At the moment we do not support multiple GrantTokens for grant creation request. Instead, we always use
@@ -379,7 +380,7 @@ def _delete_grant(
         # In AWS grants have one or more tokens. But we have a simplified modeling of grants, where they have exactly
         # one token.
         store.grant_tokens.pop(grant.token)
-        store.grant_names.pop(grant.metadata.get("Name"), None)
+        store.grant_names.pop((grant.metadata.get("Name"), key_id), None)
         store.grants.pop(grant_id)
 
     def revoke_grant(
 
@@ -256,6 +256,37 @@ def test_create_grant_with_valid_key(self, kms_client, kms_key, user_arn):
         grants_after = kms_client.list_grants(KeyId=key_id)["Grants"]
         assert len(grants_after) == len(grants_before) + 1
 
+    @pytest.mark.aws_validated
+    def test_create_grant_with_same_name_two_keys(self, kms_client, kms_create_key, user_arn):
+        first_key_id = kms_create_key()["KeyId"]
+        second_key_id = kms_create_key()["KeyId"]
+
+        grant_name = "TestGrantName"
+
+        first_grant = kms_client.create_grant(
+            KeyId=first_key_id,
+            GranteePrincipal=user_arn,
+            Name=grant_name,
+            Operations=["Decrypt", "DescribeKey"],
+        )
+        assert "GrantId" in first_grant
+        assert "GrantToken" in first_grant
+
+        second_grant = kms_client.create_grant(
+            KeyId=second_key_id,
+            GranteePrincipal=user_arn,
+            Name=grant_name,
+            Operations=["Decrypt", "DescribeKey"],
+        )
+        assert "GrantId" in second_grant
+        assert "GrantToken" in second_grant
+
+        first_grants_after = kms_client.list_grants(KeyId=first_key_id)["Grants"]
+        assert len(first_grants_after) == 1
+
+        second_grants_after = kms_client.list_grants(KeyId=second_key_id)["Grants"]
+        assert len(second_grants_after) == 1
+
     @pytest.mark.aws_validated
     def test_revoke_grant(self, kms_client, kms_grant_and_key):
         grant = kms_grant_and_key[0]