2023/11/27 - AWS S3 Control - 20 new api methods
Changes Adding new params - Key and Prefix, to S3 API operations for supporting S3 Access Grants. Note - These updates will not change any of the existing S3 API functionality.
Deletes the resource policy of the S3 Access Grants instance. The resource policy is used to manage cross-account access to your S3 Access Grants instance. By deleting the resource policy, you delete any cross-account permissions to your S3 Access Grants instance.
Permissions
You must have the s3:DeleteAccessGrantsInstanceResourcePolicy permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.delete_access_grants_instance_resource_policy( AccountId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
None
Dissociates the Amazon Web Services IAM Identity Center instance from the S3 Access Grants instance.
Permissions
You must have the s3:DissociateAccessGrantsIdentityCenter permission to use this operation.
Additional Permissions
You must have the sso:DeleteApplication permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.dissociate_access_grants_identity_center( AccountId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
None
Returns the list of access grants in your S3 Access Grants instance.
Permissions
You must have the s3:ListAccessGrants permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.list_access_grants( AccountId='string', NextToken='string', MaxResults=123, GranteeType='DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM', GranteeIdentifier='string', Permission='READ'|'WRITE'|'READWRITE', GrantScope='string', ApplicationArn='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants request in order to retrieve the next page of results.
integer
The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken, make another call using the NextToken to determine if there are more results.
string
The type of the grantee to which access has been granted. It can be one of the following values:
IAM - An IAM user or role.
DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
string
The unique identifer of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.
string
The type of permission granted to your S3 data, which can be set to one of the following values:
READ – Grant read-only access to the S3 data.
WRITE – Grant write-only access to the S3 data.
READWRITE – Grant both read and write access to the S3 data.
string
The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.
string
The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.
dict
Response Syntax
{ 'NextToken': 'string', 'AccessGrantsList': [ { 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantId': 'string', 'AccessGrantArn': 'string', 'Grantee': { 'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM', 'GranteeIdentifier': 'string' }, 'Permission': 'READ'|'WRITE'|'READWRITE', 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationConfiguration': { 'S3SubPrefix': 'string' }, 'GrantScope': 'string', 'ApplicationArn': 'string' }, ] }
Response Structure
(dict) --
NextToken (string) --
A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants request in order to retrieve the next page of results.
AccessGrantsList (list) --
A container for a list of grants in an S3 Access Grants instance.
(dict) --
Information about the access grant.
CreatedAt (datetime) --
The date and time when you created the S3 Access Grants instance.
AccessGrantId (string) --
The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.
AccessGrantArn (string) --
The Amazon Resource Name (ARN) of the access grant.
Grantee (dict) --
The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.
GranteeType (string) --
The type of the grantee to which access has been granted. It can be one of the following values:
IAM - An IAM user or role.
DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
GranteeIdentifier (string) --
The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.
Permission (string) --
The type of access granted to your S3 data, which can be set to one of the following values:
READ – Grant read-only access to the S3 data.
WRITE – Grant write-only access to the S3 data.
READWRITE – Grant both read and write access to the S3 data.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationConfiguration (dict) --
The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.
S3SubPrefix (string) --
The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefx can be <bucket-name>/<prefix-name>*, so the full grant scope path would be or s3://<bucket-name>/<prefix-name>*.
If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.
GrantScope (string) --
The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.
ApplicationArn (string) --
The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.
Associate your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance. Use this action if you want to create access grants for users or groups from your corporate identity directory. First, you must add your corporate identity directory to Amazon Web Services IAM Identity Center. Then, you can associate this IAM Identity Center instance with your S3 Access Grants instance.
Permissions
You must have the s3:AssociateAccessGrantsIdentityCenter permission to use this operation.
Additional Permissions
You must also have the following permissions: sso:CreateApplication, sso:PutApplicationGrant, and sso:PutApplicationAuthenticationMethod.
See also: AWS API Documentation
Request Syntax
client.associate_access_grants_identity_center( AccountId='string', IdentityCenterArn='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity Center instance that you are associating with your S3 Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center. You can use the ListInstances API operation to retrieve a list of your Identity Center instances and their ARNs.
None
Creates an S3 Access Grants instance, which serves as a logical grouping for access grants. You can create one S3 Access Grants instance per Region per account.
Permissions
You must have the s3:CreateAccessGrantsInstance permission to use this operation.
Additional Permissions
To associate an IAM Identity Center instance with your S3 Access Grants instance, you must also have the sso:DescribeInstance, sso:CreateApplication, sso:PutApplicationGrant, and sso:PutApplicationAuthenticationMethod permissions.
See also: AWS API Documentation
Request Syntax
client.create_access_grants_instance( AccountId='string', IdentityCenterArn='string', Tags=[ { 'Key': 'string', 'Value': 'string' }, ] )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
If you would like to associate your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity Center instance that you are associating with your S3 Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center. You can use the ListInstances API operation to retrieve a list of your Identity Center instances and their ARNs.
list
The Amazon Web Services resource tags that you are adding to the S3 Access Grants instance. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.
(dict) --
An Amazon Web Services resource tag that's associated with your S3 resource. You can add tags to new objects when you upload them, or you can add object tags to existing objects.
Key (string) -- [REQUIRED]
The key of the key-value pair of a tag added to your Amazon Web Services resource. A tag key can be up to 128 Unicode characters in length and is case-sensitive. System created tags that begin with aws: aren’t supported.
Value (string) -- [REQUIRED]
The value of the key-value pair of a tag added to your Amazon Web Services resource. A tag value can be up to 256 Unicode characters in length and is case-sensitive.
dict
Response Syntax
{ 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantsInstanceId': 'string', 'AccessGrantsInstanceArn': 'string', 'IdentityCenterArn': 'string' }
Response Structure
(dict) --
CreatedAt (datetime) --
The date and time when you created the S3 Access Grants instance.
AccessGrantsInstanceId (string) --
The ID of the S3 Access Grants instance. The ID is default. You can have one S3 Access Grants instance per Region per account.
AccessGrantsInstanceArn (string) --
The Amazon Resource Name (ARN) of the S3 Access Grants instance.
IdentityCenterArn (string) --
If you associated your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the IAM Identity Center instance application; a subresource of the original Identity Center instance passed in the request. S3 Access Grants creates this Identity Center application for this specific S3 Access Grants instance.
Updates the IAM role of a registered location in your S3 Access Grants instance.
Permissions
You must have the s3:UpdateAccessGrantsLocation permission to use this operation.
Additional Permissions
You must also have the following permission: iam:PassRole
See also: AWS API Documentation
Request Syntax
client.update_access_grants_location( AccountId='string', AccessGrantsLocationId='string', IAMRoleArn='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The ID of the registered location that you are updating. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
The ID of the registered location to which you are granting access. S3 Access Grants assigned this ID when you registered the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
If you are passing the default location, you cannot create an access grant for the entire default location. You must also specify a bucket or a bucket and prefix in the Subprefix field.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.
dict
Response Syntax
{ 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationArn': 'string', 'LocationScope': 'string', 'IAMRoleArn': 'string' }
Response Structure
(dict) --
CreatedAt (datetime) --
The date and time when you registered the location.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigned this ID when you registered the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationArn (string) --
The Amazon Resource Name (ARN) of the registered location that you are updating.
LocationScope (string) --
The S3 URI path of the location that you are updating. You cannot update the scope of the registered location. The location scope can be the default S3 location s3://, the S3 path to a bucket s3://<bucket>, or the S3 path to a bucket and prefix s3://<bucket>/<prefix>.
IAMRoleArn (string) --
The Amazon Resource Name (ARN) of the IAM role of the registered location. S3 Access Grants assumes this role to manage access to the registered location.
Returns the resource policy of the S3 Access Grants instance.
Permissions
You must have the s3:GetAccessGrantsInstanceResourcePolicy permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.get_access_grants_instance_resource_policy( AccountId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
dict
Response Syntax
{ 'Policy': 'string', 'Organization': 'string', 'CreatedAt': datetime(2015, 1, 1) }
Response Structure
(dict) --
Policy (string) --
The resource policy of the S3 Access Grants instance.
Organization (string) --
The Organization of the resource policy of the S3 Access Grants instance.
CreatedAt (datetime) --
The date and time when you created the S3 Access Grants instance resource policy.
Returns a temporary access credential from S3 Access Grants to the grantee or client application. The temporary credential is an Amazon Web Services STS token that grants them access to the S3 data.
Permissions
You must have the s3:GetDataAccess permission to use this operation.
Additional Permissions
The IAM role that S3 Access Grants assumes must have the following permissions specified in the trust policy when registering the location: sts:AssumeRole, for directory users or groups sts:SetContext, and for IAM users or roles sts:SourceIdentity.
See also: AWS API Documentation
Request Syntax
client.get_data_access( AccountId='string', Target='string', Permission='READ'|'WRITE'|'READWRITE', DurationSeconds=123, Privilege='Minimal'|'Default', TargetType='Object' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The S3 URI path of the data to which you are requesting temporary access credentials. If the requesting account has an access grant for this data, S3 Access Grants vends temporary access credentials in the response.
string
[REQUIRED]
The type of permission granted to your S3 data, which can be set to one of the following values:
READ – Grant read-only access to the S3 data.
WRITE – Grant write-only access to the S3 data.
READWRITE – Grant both read and write access to the S3 data.
integer
The session duration, in seconds, of the temporary access credential that S3 Access Grants vends to the grantee or client application. The default value is 1 hour, but the grantee can specify a range from 900 seconds (15 minutes) up to 43200 seconds (12 hours). If the grantee requests a value higher than this maximum, the operation fails.
string
The scope of the temporary access credential that S3 Access Grants vends to the grantee or client application.
Default – The scope of the returned temporary access token is the scope of the grant that is closest to the target scope.
Minimal – The scope of the returned temporary access token is the same as the requested target scope as long as the requested scope is the same as or a subset of the grant scope.
string
The type of Target. The only possible value is Object. Pass this value if the target data that you would like to access is a path to an object. Do not pass this value if the target data is a bucket or a bucket and a prefix.
dict
Response Syntax
{ 'Credentials': { 'AccessKeyId': 'string', 'SecretAccessKey': 'string', 'SessionToken': 'string', 'Expiration': datetime(2015, 1, 1) }, 'MatchedGrantTarget': 'string' }
Response Structure
(dict) --
Credentials (dict) --
The temporary credential token that S3 Access Grants vends.
AccessKeyId (string) --
The unique access key ID of the Amazon Web Services STS temporary credential that S3 Access Grants vends to grantees and client applications.
SecretAccessKey (string) --
The secret access key of the Amazon Web Services STS temporary credential that S3 Access Grants vends to grantees and client applications.
SessionToken (string) --
The Amazon Web Services STS temporary credential that S3 Access Grants vends to grantees and client applications.
Expiration (datetime) --
The expiration date and time of the temporary credential that S3 Access Grants vends to grantees and client applications.
MatchedGrantTarget (string) --
The S3 URI path of the data to which you are being granted temporary access credentials.
Retrieves the details of a particular location registered in your S3 Access Grants instance.
Permissions
You must have the s3:GetAccessGrantsLocation permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.get_access_grants_location( AccountId='string', AccessGrantsLocationId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The ID of the registered location that you are retrieving. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
dict
Response Syntax
{ 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationArn': 'string', 'LocationScope': 'string', 'IAMRoleArn': 'string' }
Response Structure
(dict) --
CreatedAt (datetime) --
The date and time when you registered the location.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationArn (string) --
The Amazon Resource Name (ARN) of the registered location.
LocationScope (string) --
The S3 URI path to the registered location. The location scope can be the default S3 location s3://, the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.
IAMRoleArn (string) --
The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.
Creates an access grant that gives a grantee access to your S3 data. The grantee can be an IAM user or role or a directory user, or group. Before you can create a grant, you must have an S3 Access Grants instance in the same Region as the S3 data. You can create an S3 Access Grants instance using the CreateAccessGrantsInstance. You must also have registered at least one S3 data location in your S3 Access Grants instance using CreateAccessGrantsLocation.
Permissions
You must have the s3:CreateAccessGrant permission to use this operation.
Additional Permissions
For any directory identity - sso:DescribeInstance and sso:DescribeApplication
For directory users - identitystore:DescribeUser
For directory groups - identitystore:DescribeGroup
See also: AWS API Documentation
Request Syntax
client.create_access_grant( AccountId='string', AccessGrantsLocationId='string', AccessGrantsLocationConfiguration={ 'S3SubPrefix': 'string' }, Grantee={ 'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM', 'GranteeIdentifier': 'string' }, Permission='READ'|'WRITE'|'READWRITE', ApplicationArn='string', S3PrefixType='Object', Tags=[ { 'Key': 'string', 'Value': 'string' }, ] )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
If you are passing the default location, you cannot create an access grant for the entire default location. You must also specify a bucket or a bucket and prefix in the Subprefix field.
dict
The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access. It contains the S3SubPrefix field. The grant scope is the result of appending the subprefix to the location scope of the registered location.
S3SubPrefix (string) --
The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefx can be <bucket-name>/<prefix-name>*, so the full grant scope path would be or s3://<bucket-name>/<prefix-name>*.
If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.
dict
[REQUIRED]
The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.
GranteeType (string) --
The type of the grantee to which access has been granted. It can be one of the following values:
IAM - An IAM user or role.
DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
GranteeIdentifier (string) --
The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.
string
[REQUIRED]
The type of access that you are granting to your S3 data, which can be set to one of the following values:
READ – Grant read-only access to the S3 data.
WRITE – Grant write-only access to the S3 data.
READWRITE – Grant both read and write access to the S3 data.
string
The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If an application ARN is included in the request to create an access grant, the grantee can only access the S3 data through this application.
string
The type of S3SubPrefix. The only possible value is Object. Pass this value if the access grant scope is an object. Do not pass this value if the access grant scope is a bucket or a bucket and a prefix.
list
The Amazon Web Services resource tags that you are adding to the access grant. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.
(dict) --
An Amazon Web Services resource tag that's associated with your S3 resource. You can add tags to new objects when you upload them, or you can add object tags to existing objects.
Key (string) -- [REQUIRED]
The key of the key-value pair of a tag added to your Amazon Web Services resource. A tag key can be up to 128 Unicode characters in length and is case-sensitive. System created tags that begin with aws: aren’t supported.
Value (string) -- [REQUIRED]
The value of the key-value pair of a tag added to your Amazon Web Services resource. A tag value can be up to 256 Unicode characters in length and is case-sensitive.
dict
Response Syntax
{ 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantId': 'string', 'AccessGrantArn': 'string', 'Grantee': { 'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM', 'GranteeIdentifier': 'string' }, 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationConfiguration': { 'S3SubPrefix': 'string' }, 'Permission': 'READ'|'WRITE'|'READWRITE', 'ApplicationArn': 'string', 'GrantScope': 'string' }
Response Structure
(dict) --
CreatedAt (datetime) --
The date and time when you created the access grant.
AccessGrantId (string) --
The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.
AccessGrantArn (string) --
The Amazon Resource Name (ARN) of the access grant.
Grantee (dict) --
The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.
GranteeType (string) --
The type of the grantee to which access has been granted. It can be one of the following values:
IAM - An IAM user or role.
DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
GranteeIdentifier (string) --
The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationConfiguration (dict) --
The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.
S3SubPrefix (string) --
The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefx can be <bucket-name>/<prefix-name>*, so the full grant scope path would be or s3://<bucket-name>/<prefix-name>*.
If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.
Permission (string) --
The type of access that you are granting to your S3 data, which can be set to one of the following values:
READ – Grant read-only access to the S3 data.
WRITE – Grant write-only access to the S3 data.
READWRITE – Grant both read and write access to the S3 data.
ApplicationArn (string) --
The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.
GrantScope (string) --
The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.
Returns a list of the locations registered in your S3 Access Grants instance.
Permissions
You must have the s3:ListAccessGrantsLocations permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.list_access_grants_locations( AccountId='string', NextToken='string', MaxResults=123, LocationScope='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Locations request in order to retrieve the next page of results.
integer
The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken, make another call using the NextToken to determine if there are more results.
string
The S3 path to the location that you are registering. The location scope can be the default S3 location s3://, the S3 path to a bucket s3://<bucket>, or the S3 path to a bucket and prefix s3://<bucket>/<prefix>. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.
dict
Response Syntax
{ 'NextToken': 'string', 'AccessGrantsLocationsList': [ { 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationArn': 'string', 'LocationScope': 'string', 'IAMRoleArn': 'string' }, ] }
Response Structure
(dict) --
NextToken (string) --
A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Locations request in order to retrieve the next page of results.
AccessGrantsLocationsList (list) --
A container for a list of registered locations in an S3 Access Grants instance.
(dict) --
A container for information about the registered location.
CreatedAt (datetime) --
The date and time when you registered the location.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationArn (string) --
The Amazon Resource Name (ARN) of the registered location.
LocationScope (string) --
The S3 path to the location that you are registering. The location scope can be the default S3 location s3://, the S3 path to a bucket s3://<bucket>, or the S3 path to a bucket and prefix s3://<bucket>/<prefix>. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.
IAMRoleArn (string) --
The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.
Returns a list of S3 Access Grants instances. An S3 Access Grants instance serves as a logical grouping for your individual access grants. You can only have one S3 Access Grants instance per Region per account.
Permissions
You must have the s3:ListAccessGrantsInstances permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.list_access_grants_instances( AccountId='string', NextToken='string', MaxResults=123 )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Instances request in order to retrieve the next page of results.
integer
The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken, make another call using the NextToken to determine if there are more results.
dict
Response Syntax
{ 'NextToken': 'string', 'AccessGrantsInstancesList': [ { 'AccessGrantsInstanceId': 'string', 'AccessGrantsInstanceArn': 'string', 'CreatedAt': datetime(2015, 1, 1), 'IdentityCenterArn': 'string' }, ] }
Response Structure
(dict) --
NextToken (string) --
A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Instances request in order to retrieve the next page of results.
AccessGrantsInstancesList (list) --
A container for a list of S3 Access Grants instances.
(dict) --
Information about the S3 Access Grants instance.
AccessGrantsInstanceId (string) --
The ID of the S3 Access Grants instance. The ID is default. You can have one S3 Access Grants instance per Region per account.
AccessGrantsInstanceArn (string) --
The Amazon Resource Name (ARN) of the S3 Access Grants instance.
CreatedAt (datetime) --
The date and time when you created the S3 Access Grants instance.
IdentityCenterArn (string) --
If you associated your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the IAM Identity Center instance application; a subresource of the original Identity Center instance. S3 Access Grants creates this Identity Center application for the specific S3 Access Grants instance.
Deletes the access grant from the S3 Access Grants instance. You cannot undo an access grant deletion and the grantee will no longer have access to the S3 data.
Permissions
You must have the s3:DeleteAccessGrant permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.delete_access_grant( AccountId='string', AccessGrantId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.
None
Deletes your S3 Access Grants instance. You must first delete the access grants and locations before S3 Access Grants can delete the instance. See DeleteAccessGrant and DeleteAccessGrantsLocation. If you have associated an IAM Identity Center instance with your S3 Access Grants instance, you must first dissassociate the Identity Center instance from the S3 Access Grants instance before you can delete the S3 Access Grants instance. See AssociateAccessGrantsIdentityCenter and DissociateAccessGrantsIdentityCenter.
Permissions
You must have the s3:DeleteAccessGrantsInstance permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.delete_access_grants_instance( AccountId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
None
The S3 data location that you would like to register in your S3 Access Grants instance. Your S3 data must be in the same Region as your S3 Access Grants instance. The location can be one of the following:
The default S3 location s3://
A bucket - S3://<bucket-name>
A bucket and prefix - S3://<bucket-name>/<prefix>
When you register a location, you must include the IAM role that has permission to manage the S3 location that you are registering. Give S3 Access Grants permission to assume this role using a policy. S3 Access Grants assumes this role to manage access to the location and to vend temporary credentials to grantees or client applications.
Permissions
You must have the s3:CreateAccessGrantsLocation permission to use this operation.
Additional Permissions
You must also have the following permission for the specified IAM role: iam:PassRole
See also: AWS API Documentation
Request Syntax
client.create_access_grants_location( AccountId='string', LocationScope='string', IAMRoleArn='string', Tags=[ { 'Key': 'string', 'Value': 'string' }, ] )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The S3 path to the location that you are registering. The location scope can be the default S3 location s3://, the S3 path to a bucket s3://<bucket>, or the S3 path to a bucket and prefix s3://<bucket>/<prefix>. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.
list
The Amazon Web Services resource tags that you are adding to the S3 Access Grants location. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.
(dict) --
An Amazon Web Services resource tag that's associated with your S3 resource. You can add tags to new objects when you upload them, or you can add object tags to existing objects.
Key (string) -- [REQUIRED]
The key of the key-value pair of a tag added to your Amazon Web Services resource. A tag key can be up to 128 Unicode characters in length and is case-sensitive. System created tags that begin with aws: aren’t supported.
Value (string) -- [REQUIRED]
The value of the key-value pair of a tag added to your Amazon Web Services resource. A tag value can be up to 256 Unicode characters in length and is case-sensitive.
dict
Response Syntax
{ 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationArn': 'string', 'LocationScope': 'string', 'IAMRoleArn': 'string' }
Response Structure
(dict) --
CreatedAt (datetime) --
The date and time when you registered the location.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationArn (string) --
The Amazon Resource Name (ARN) of the location you are registering.
LocationScope (string) --
The S3 URI path to the location that you are registering. The location scope can be the default S3 location s3://, the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.
IAMRoleArn (string) --
The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.
Get the details of an access grant from your S3 Access Grants instance.
Permissions
You must have the s3:GetAccessGrant permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.get_access_grant( AccountId='string', AccessGrantId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.
dict
Response Syntax
{ 'CreatedAt': datetime(2015, 1, 1), 'AccessGrantId': 'string', 'AccessGrantArn': 'string', 'Grantee': { 'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM', 'GranteeIdentifier': 'string' }, 'Permission': 'READ'|'WRITE'|'READWRITE', 'AccessGrantsLocationId': 'string', 'AccessGrantsLocationConfiguration': { 'S3SubPrefix': 'string' }, 'GrantScope': 'string', 'ApplicationArn': 'string' }
Response Structure
(dict) --
CreatedAt (datetime) --
The date and time when you created the access grant.
AccessGrantId (string) --
The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.
AccessGrantArn (string) --
The Amazon Resource Name (ARN) of the access grant.
Grantee (dict) --
The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added a corporate directory to Amazon Web Services IAM Identity Center and associated this Identity Center instance with the S3 Access Grants instance, the grantee can also be a corporate directory user or group.
GranteeType (string) --
The type of the grantee to which access has been granted. It can be one of the following values:
IAM - An IAM user or role.
DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.
GranteeIdentifier (string) --
The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.
Permission (string) --
The type of permission that was granted in the access grant. Can be one of the following values:
READ – Grant read-only access to the S3 data.
WRITE – Grant write-only access to the S3 data.
READWRITE – Grant both read and write access to the S3 data.
AccessGrantsLocationId (string) --
The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
AccessGrantsLocationConfiguration (dict) --
The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.
S3SubPrefix (string) --
The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefx can be <bucket-name>/<prefix-name>*, so the full grant scope path would be or s3://<bucket-name>/<prefix-name>*.
If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.
GrantScope (string) --
The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.
ApplicationArn (string) --
The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.
Retrieves the S3 Access Grants instance for a Region in your account.
Permissions
You must have the s3:GetAccessGrantsInstance permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.get_access_grants_instance( AccountId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
dict
Response Syntax
{ 'AccessGrantsInstanceArn': 'string', 'AccessGrantsInstanceId': 'string', 'IdentityCenterArn': 'string', 'CreatedAt': datetime(2015, 1, 1) }
Response Structure
(dict) --
AccessGrantsInstanceArn (string) --
The Amazon Resource Name (ARN) of the S3 Access Grants instance.
AccessGrantsInstanceId (string) --
The ID of the S3 Access Grants instance. The ID is default. You can have one S3 Access Grants instance per Region per account.
IdentityCenterArn (string) --
If you associated your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity Center instance application; a subresource of the original Identity Center instance. S3 Access Grants creates this Identity Center application for the specific S3 Access Grants instance.
CreatedAt (datetime) --
The date and time when you created the S3 Access Grants instance.
Updates the resource policy of the S3 Access Grants instance.
Permissions
You must have the s3:PutAccessGrantsInstanceResourcePolicy permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.put_access_grants_instance_resource_policy( AccountId='string', Policy='string', Organization='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The resource policy of the S3 Access Grants instance that you are updating.
string
The Organization of the resource policy of the S3 Access Grants instance.
dict
Response Syntax
{ 'Policy': 'string', 'Organization': 'string', 'CreatedAt': datetime(2015, 1, 1) }
Response Structure
(dict) --
Policy (string) --
The updated resource policy of the S3 Access Grants instance.
Organization (string) --
The Organization of the resource policy of the S3 Access Grants instance.
CreatedAt (datetime) --
The date and time when you created the S3 Access Grants instance resource policy.
Retrieve the S3 Access Grants instance that contains a particular prefix.
Permissions
You must have the s3:GetAccessGrantsInstanceForPrefix permission for the caller account to use this operation.
Additional Permissions
The prefix owner account must grant you the following permissions to their S3 Access Grants instance: s3:GetAccessGrantsInstanceForPrefix.
See also: AWS API Documentation
Request Syntax
client.get_access_grants_instance_for_prefix( AccountId='string', S3Prefix='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The S3 prefix of the access grants that you would like to retrieve.
dict
Response Syntax
{ 'AccessGrantsInstanceArn': 'string', 'AccessGrantsInstanceId': 'string' }
Response Structure
(dict) --
AccessGrantsInstanceArn (string) --
The Amazon Resource Name (ARN) of the S3 Access Grants instance.
AccessGrantsInstanceId (string) --
The ID of the S3 Access Grants instance. The ID is default. You can have one S3 Access Grants instance per Region per account.
Deregisters a location from your S3 Access Grants instance. You can only delete a location registration from an S3 Access Grants instance if there are no grants associated with this location. See Delete a grant for information on how to delete grants. You need to have at least one registered location in your S3 Access Grants instance in order to create access grants.
Permissions
You must have the s3:DeleteAccessGrantsLocation permission to use this operation.
See also: AWS API Documentation
Request Syntax
client.delete_access_grants_location( AccountId='string', AccessGrantsLocationId='string' )
string
[REQUIRED]
The ID of the Amazon Web Services account that is making this request.
string
[REQUIRED]
The ID of the registered location that you are deregistering from your S3 Access Grants instance. S3 Access Grants assigned this ID when you registered the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.
None