AWS S3 Control

Deletes your S3 Access Grants instance. You must first delete the access grants and locations before S3 Access Grants can delete the instance. See DeleteAccessGrant and DeleteAccessGrantsLocation. If you have associated an IAM Identity Center instance with your S3 Access Grants instance, you must first dissassociate the Identity Center instance from the S3 Access Grants instance before you can delete the S3 Access Grants instance. See AssociateAccessGrantsIdentityCenter and DissociateAccessGrantsIdentityCenter.

Permissions

You must have the s3:DeleteAccessGrantsInstance permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.delete_access_grants_instance(
    AccountId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

returns

None

Returns a list of the locations registered in your S3 Access Grants instance.

Permissions

You must have the s3:ListAccessGrantsLocations permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.list_access_grants_locations(
    AccountId='string',
    NextToken='string',
    MaxResults=123,
    LocationScope='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type NextToken

string

param NextToken

A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Locations request in order to retrieve the next page of results.

type MaxResults

integer

param MaxResults

The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken , make another call using the NextToken to determine if there are more results.

type LocationScope

string

param LocationScope

The S3 path to the location that you are registering. The location scope can be the default S3 location s3:// , the S3 path to a bucket s3://<bucket> , or the S3 path to a bucket and prefix s3://<bucket>/<prefix> . A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'AccessGrantsLocationsList': [
        {
            'CreatedAt': datetime(2015, 1, 1),
            'AccessGrantsLocationId': 'string',
            'AccessGrantsLocationArn': 'string',
            'LocationScope': 'string',
            'IAMRoleArn': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Locations request in order to retrieve the next page of results.

  • AccessGrantsLocationsList (list) --

    A container for a list of registered locations in an S3 Access Grants instance.

    • (dict) --

      A container for information about the registered location.

      • CreatedAt (datetime) --

        The date and time when you registered the location.

      • AccessGrantsLocationId (string) --

        The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

      • AccessGrantsLocationArn (string) --

        The Amazon Resource Name (ARN) of the registered location.

      • LocationScope (string) --

        The S3 path to the location that you are registering. The location scope can be the default S3 location s3:// , the S3 path to a bucket s3://<bucket> , or the S3 path to a bucket and prefix s3://<bucket>/<prefix> . A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.

      • IAMRoleArn (string) --

        The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.

Updates the resource policy of the S3 Access Grants instance.

Permissions

You must have the s3:PutAccessGrantsInstanceResourcePolicy permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.put_access_grants_instance_resource_policy(
    AccountId='string',
    Policy='string',
    Organization='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type Policy

string

param Policy

[REQUIRED]

The resource policy of the S3 Access Grants instance that you are updating.

type Organization

string

param Organization

The Organization of the resource policy of the S3 Access Grants instance.

rtype

dict

returns

Response Syntax

{
    'Policy': 'string',
    'Organization': 'string',
    'CreatedAt': datetime(2015, 1, 1)
}

Response Structure

• (dict) --

  • Policy (string) --

    The updated resource policy of the S3 Access Grants instance.

  • Organization (string) --

    The Organization of the resource policy of the S3 Access Grants instance.

  • CreatedAt (datetime) --

    The date and time when you created the S3 Access Grants instance resource policy.

Creates an access grant that gives a grantee access to your S3 data. The grantee can be an IAM user or role or a directory user, or group. Before you can create a grant, you must have an S3 Access Grants instance in the same Region as the S3 data. You can create an S3 Access Grants instance using the CreateAccessGrantsInstance. You must also have registered at least one S3 data location in your S3 Access Grants instance using CreateAccessGrantsLocation.

Permissions

You must have the s3:CreateAccessGrant permission to use this operation.

Additional Permissions

For any directory identity - sso:DescribeInstance and sso:DescribeApplication

For directory users - identitystore:DescribeUser

For directory groups - identitystore:DescribeGroup

See also: AWS API Documentation

Request Syntax

client.create_access_grant(
    AccountId='string',
    AccessGrantsLocationId='string',
    AccessGrantsLocationConfiguration={
        'S3SubPrefix': 'string'
    },
    Grantee={
        'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
        'GranteeIdentifier': 'string'
    },
    Permission='READ'|'WRITE'|'READWRITE',
    ApplicationArn='string',
    S3PrefixType='Object',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type AccessGrantsLocationId

string

param AccessGrantsLocationId

[REQUIRED]

The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

If you are passing the default location, you cannot create an access grant for the entire default location. You must also specify a bucket or a bucket and prefix in the Subprefix field.

type AccessGrantsLocationConfiguration

dict

param AccessGrantsLocationConfiguration

The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access. It contains the S3SubPrefix field. The grant scope is the result of appending the subprefix to the location scope of the registered location.

• S3SubPrefix (string) --

  The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3:// , the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/* . Or the S3SubPrefx can be <bucket-name>/<prefix-name>* , so the full grant scope path would be or s3://<bucket-name>/<prefix-name>* .

  If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

type Grantee

dict

param Grantee

[REQUIRED]

The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.

• GranteeType (string) --

  The type of the grantee to which access has been granted. It can be one of the following values:

  • IAM - An IAM user or role.

  • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

  • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

• GranteeIdentifier (string) --

  The unique identifier of the Grantee . If the grantee type is IAM , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 . You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

type Permission

string

param Permission

[REQUIRED]

The type of access that you are granting to your S3 data, which can be set to one of the following values:

• READ – Grant read-only access to the S3 data.

• WRITE – Grant write-only access to the S3 data.

• READWRITE – Grant both read and write access to the S3 data.

type ApplicationArn

string

param ApplicationArn

The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If an application ARN is included in the request to create an access grant, the grantee can only access the S3 data through this application.

type S3PrefixType

string

param S3PrefixType

The type of S3SubPrefix . The only possible value is Object . Pass this value if the access grant scope is an object. Do not pass this value if the access grant scope is a bucket or a bucket and a prefix.

type Tags

list

param Tags

The Amazon Web Services resource tags that you are adding to the access grant. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

• (dict) --

  An Amazon Web Services resource tag that's associated with your S3 resource. You can add tags to new objects when you upload them, or you can add object tags to existing objects.

  Note

  This operation is only supported for S3 Storage Lens groups and for S3 Access Grants. The tagged resource can be an S3 Storage Lens group or S3 Access Grants instance, registered location, or grant.

  • Key (string) -- [REQUIRED]

    The key of the key-value pair of a tag added to your Amazon Web Services resource. A tag key can be up to 128 Unicode characters in length and is case-sensitive. System created tags that begin with aws: aren’t supported.

  • Value (string) -- [REQUIRED]

    The value of the key-value pair of a tag added to your Amazon Web Services resource. A tag value can be up to 256 Unicode characters in length and is case-sensitive.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantId': 'string',
    'AccessGrantArn': 'string',
    'Grantee': {
        'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
        'GranteeIdentifier': 'string'
    },
    'AccessGrantsLocationId': 'string',
    'AccessGrantsLocationConfiguration': {
        'S3SubPrefix': 'string'
    },
    'Permission': 'READ'|'WRITE'|'READWRITE',
    'ApplicationArn': 'string',
    'GrantScope': 'string'
}

Response Structure

• (dict) --

  • CreatedAt (datetime) --

    The date and time when you created the access grant.

  • AccessGrantId (string) --

    The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

  • AccessGrantArn (string) --

    The Amazon Resource Name (ARN) of the access grant.

  • Grantee (dict) --

    The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.

    • GranteeType (string) --

      The type of the grantee to which access has been granted. It can be one of the following values:

      • IAM - An IAM user or role.

      • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

      • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

    • GranteeIdentifier (string) --

      The unique identifier of the Grantee . If the grantee type is IAM , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 . You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

  • AccessGrantsLocationId (string) --

    The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

  • AccessGrantsLocationConfiguration (dict) --

    The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.

    • S3SubPrefix (string) --

      The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3:// , the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/* . Or the S3SubPrefx can be <bucket-name>/<prefix-name>* , so the full grant scope path would be or s3://<bucket-name>/<prefix-name>* .

      If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

  • Permission (string) --

    The type of access that you are granting to your S3 data, which can be set to one of the following values:

    • READ – Grant read-only access to the S3 data.

    • WRITE – Grant write-only access to the S3 data.

    • READWRITE – Grant both read and write access to the S3 data.

  • ApplicationArn (string) --

    The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.

  • GrantScope (string) --

    The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

Returns a temporary access credential from S3 Access Grants to the grantee or client application. The temporary credential is an Amazon Web Services STS token that grants them access to the S3 data.

Permissions

You must have the s3:GetDataAccess permission to use this operation.

Additional Permissions

The IAM role that S3 Access Grants assumes must have the following permissions specified in the trust policy when registering the location: sts:AssumeRole , for directory users or groups sts:SetContext , and for IAM users or roles sts:SourceIdentity .

See also: AWS API Documentation

Request Syntax

client.get_data_access(
    AccountId='string',
    Target='string',
    Permission='READ'|'WRITE'|'READWRITE',
    DurationSeconds=123,
    Privilege='Minimal'|'Default',
    TargetType='Object'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type Target

string

param Target

[REQUIRED]

The S3 URI path of the data to which you are requesting temporary access credentials. If the requesting account has an access grant for this data, S3 Access Grants vends temporary access credentials in the response.

type Permission

string

param Permission

[REQUIRED]

The type of permission granted to your S3 data, which can be set to one of the following values:

• READ – Grant read-only access to the S3 data.

• WRITE – Grant write-only access to the S3 data.

• READWRITE – Grant both read and write access to the S3 data.

type DurationSeconds

integer

param DurationSeconds

The session duration, in seconds, of the temporary access credential that S3 Access Grants vends to the grantee or client application. The default value is 1 hour, but the grantee can specify a range from 900 seconds (15 minutes) up to 43200 seconds (12 hours). If the grantee requests a value higher than this maximum, the operation fails.

type Privilege

string

param Privilege

The scope of the temporary access credential that S3 Access Grants vends to the grantee or client application.

• Default – The scope of the returned temporary access token is the scope of the grant that is closest to the target scope.

• Minimal – The scope of the returned temporary access token is the same as the requested target scope as long as the requested scope is the same as or a subset of the grant scope.

type TargetType

string

param TargetType

The type of Target . The only possible value is Object . Pass this value if the target data that you would like to access is a path to an object. Do not pass this value if the target data is a bucket or a bucket and a prefix.

rtype

dict

returns

Response Syntax

{
    'Credentials': {
        'AccessKeyId': 'string',
        'SecretAccessKey': 'string',
        'SessionToken': 'string',
        'Expiration': datetime(2015, 1, 1)
    },
    'MatchedGrantTarget': 'string'
}

Response Structure

• (dict) --

  • Credentials (dict) --

    The temporary credential token that S3 Access Grants vends.

    • AccessKeyId (string) --

      The unique access key ID of the Amazon Web Services STS temporary credential that S3 Access Grants vends to grantees and client applications.

    • SecretAccessKey (string) --

      The secret access key of the Amazon Web Services STS temporary credential that S3 Access Grants vends to grantees and client applications.

    • SessionToken (string) --

      The Amazon Web Services STS temporary credential that S3 Access Grants vends to grantees and client applications.

    • Expiration (datetime) --

      The expiration date and time of the temporary credential that S3 Access Grants vends to grantees and client applications.

  • MatchedGrantTarget (string) --

    The S3 URI path of the data to which you are being granted temporary access credentials.

Returns the resource policy of the S3 Access Grants instance.

Permissions

You must have the s3:GetAccessGrantsInstanceResourcePolicy permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.get_access_grants_instance_resource_policy(
    AccountId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

rtype

dict

returns

Response Syntax

{
    'Policy': 'string',
    'Organization': 'string',
    'CreatedAt': datetime(2015, 1, 1)
}

Response Structure

• (dict) --

  • Policy (string) --

    The resource policy of the S3 Access Grants instance.

  • Organization (string) --

    The Organization of the resource policy of the S3 Access Grants instance.

  • CreatedAt (datetime) --

    The date and time when you created the S3 Access Grants instance resource policy.

Deregisters a location from your S3 Access Grants instance. You can only delete a location registration from an S3 Access Grants instance if there are no grants associated with this location. See Delete a grant for information on how to delete grants. You need to have at least one registered location in your S3 Access Grants instance in order to create access grants.

Permissions

You must have the s3:DeleteAccessGrantsLocation permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.delete_access_grants_location(
    AccountId='string',
    AccessGrantsLocationId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type AccessGrantsLocationId

string

param AccessGrantsLocationId

[REQUIRED]

The ID of the registered location that you are deregistering from your S3 Access Grants instance. S3 Access Grants assigned this ID when you registered the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

returns

None

Retrieves the details of a particular location registered in your S3 Access Grants instance.

Permissions

You must have the s3:GetAccessGrantsLocation permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.get_access_grants_location(
    AccountId='string',
    AccessGrantsLocationId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type AccessGrantsLocationId

string

param AccessGrantsLocationId

[REQUIRED]

The ID of the registered location that you are retrieving. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantsLocationId': 'string',
    'AccessGrantsLocationArn': 'string',
    'LocationScope': 'string',
    'IAMRoleArn': 'string'
}

Response Structure

• (dict) --

  • CreatedAt (datetime) --

    The date and time when you registered the location.

  • AccessGrantsLocationId (string) --

    The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

  • AccessGrantsLocationArn (string) --

    The Amazon Resource Name (ARN) of the registered location.

  • LocationScope (string) --

    The S3 URI path to the registered location. The location scope can be the default S3 location s3:// , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.

  • IAMRoleArn (string) --

    The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.

Deletes the access grant from the S3 Access Grants instance. You cannot undo an access grant deletion and the grantee will no longer have access to the S3 data.

Permissions

You must have the s3:DeleteAccessGrant permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.delete_access_grant(
    AccountId='string',
    AccessGrantId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type AccessGrantId

string

param AccessGrantId

[REQUIRED]

The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

returns

None

Deletes the resource policy of the S3 Access Grants instance. The resource policy is used to manage cross-account access to your S3 Access Grants instance. By deleting the resource policy, you delete any cross-account permissions to your S3 Access Grants instance.

Permissions

You must have the s3:DeleteAccessGrantsInstanceResourcePolicy permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.delete_access_grants_instance_resource_policy(
    AccountId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

returns

None

The S3 data location that you would like to register in your S3 Access Grants instance. Your S3 data must be in the same Region as your S3 Access Grants instance. The location can be one of the following:

• The default S3 location s3://

• A bucket - S3://<bucket-name>

• A bucket and prefix - S3://<bucket-name>/<prefix>

When you register a location, you must include the IAM role that has permission to manage the S3 location that you are registering. Give S3 Access Grants permission to assume this role using a policy. S3 Access Grants assumes this role to manage access to the location and to vend temporary credentials to grantees or client applications.

Permissions

You must have the s3:CreateAccessGrantsLocation permission to use this operation.

Additional Permissions

You must also have the following permission for the specified IAM role: iam:PassRole

See also: AWS API Documentation

Request Syntax

client.create_access_grants_location(
    AccountId='string',
    LocationScope='string',
    IAMRoleArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type LocationScope

string

param LocationScope

[REQUIRED]

The S3 path to the location that you are registering. The location scope can be the default S3 location s3:// , the S3 path to a bucket s3://<bucket> , or the S3 path to a bucket and prefix s3://<bucket>/<prefix> . A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.

type IAMRoleArn

string

param IAMRoleArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.

type Tags

list

param Tags

The Amazon Web Services resource tags that you are adding to the S3 Access Grants location. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

• (dict) --

  An Amazon Web Services resource tag that's associated with your S3 resource. You can add tags to new objects when you upload them, or you can add object tags to existing objects.

  Note

  This operation is only supported for S3 Storage Lens groups and for S3 Access Grants. The tagged resource can be an S3 Storage Lens group or S3 Access Grants instance, registered location, or grant.

  • Key (string) -- [REQUIRED]

    The key of the key-value pair of a tag added to your Amazon Web Services resource. A tag key can be up to 128 Unicode characters in length and is case-sensitive. System created tags that begin with aws: aren’t supported.

  • Value (string) -- [REQUIRED]

    The value of the key-value pair of a tag added to your Amazon Web Services resource. A tag value can be up to 256 Unicode characters in length and is case-sensitive.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantsLocationId': 'string',
    'AccessGrantsLocationArn': 'string',
    'LocationScope': 'string',
    'IAMRoleArn': 'string'
}

Response Structure

• (dict) --

  • CreatedAt (datetime) --

    The date and time when you registered the location.

  • AccessGrantsLocationId (string) --

    The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

  • AccessGrantsLocationArn (string) --

    The Amazon Resource Name (ARN) of the location you are registering.

  • LocationScope (string) --

    The S3 URI path to the location that you are registering. The location scope can be the default S3 location s3:// , the S3 path to a bucket, or the S3 path to a bucket and prefix. A prefix in S3 is a string of characters at the beginning of an object key name used to organize the objects that you store in your S3 buckets. For example, object key names that start with the engineering/ prefix or object key names that start with the marketing/campaigns/ prefix.

  • IAMRoleArn (string) --

    The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.

Retrieve the S3 Access Grants instance that contains a particular prefix.

Permissions

You must have the s3:GetAccessGrantsInstanceForPrefix permission for the caller account to use this operation.

Additional Permissions

The prefix owner account must grant you the following permissions to their S3 Access Grants instance: s3:GetAccessGrantsInstanceForPrefix .

See also: AWS API Documentation

Request Syntax

client.get_access_grants_instance_for_prefix(
    AccountId='string',
    S3Prefix='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type S3Prefix

string

param S3Prefix

[REQUIRED]

The S3 prefix of the access grants that you would like to retrieve.

rtype

dict

returns

Response Syntax

{
    'AccessGrantsInstanceArn': 'string',
    'AccessGrantsInstanceId': 'string'
}

Response Structure

• (dict) --

  • AccessGrantsInstanceArn (string) --

    The Amazon Resource Name (ARN) of the S3 Access Grants instance.

  • AccessGrantsInstanceId (string) --

    The ID of the S3 Access Grants instance. The ID is default . You can have one S3 Access Grants instance per Region per account.

Creates an S3 Access Grants instance, which serves as a logical grouping for access grants. You can create one S3 Access Grants instance per Region per account.

Permissions

You must have the s3:CreateAccessGrantsInstance permission to use this operation.

Additional Permissions

To associate an IAM Identity Center instance with your S3 Access Grants instance, you must also have the sso:DescribeInstance , sso:CreateApplication , sso:PutApplicationGrant , and sso:PutApplicationAuthenticationMethod permissions.

See also: AWS API Documentation

Request Syntax

client.create_access_grants_instance(
    AccountId='string',
    IdentityCenterArn='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type IdentityCenterArn

string

param IdentityCenterArn

If you would like to associate your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity Center instance that you are associating with your S3 Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center. You can use the ListInstances API operation to retrieve a list of your Identity Center instances and their ARNs.

type Tags

list

param Tags

The Amazon Web Services resource tags that you are adding to the S3 Access Grants instance. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

• (dict) --

  An Amazon Web Services resource tag that's associated with your S3 resource. You can add tags to new objects when you upload them, or you can add object tags to existing objects.

  Note

  This operation is only supported for S3 Storage Lens groups and for S3 Access Grants. The tagged resource can be an S3 Storage Lens group or S3 Access Grants instance, registered location, or grant.

  • Key (string) -- [REQUIRED]

    The key of the key-value pair of a tag added to your Amazon Web Services resource. A tag key can be up to 128 Unicode characters in length and is case-sensitive. System created tags that begin with aws: aren’t supported.

  • Value (string) -- [REQUIRED]

    The value of the key-value pair of a tag added to your Amazon Web Services resource. A tag value can be up to 256 Unicode characters in length and is case-sensitive.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantsInstanceId': 'string',
    'AccessGrantsInstanceArn': 'string',
    'IdentityCenterArn': 'string'
}

Response Structure

• (dict) --

  • CreatedAt (datetime) --

    The date and time when you created the S3 Access Grants instance.

  • AccessGrantsInstanceId (string) --

    The ID of the S3 Access Grants instance. The ID is default . You can have one S3 Access Grants instance per Region per account.

  • AccessGrantsInstanceArn (string) --

    The Amazon Resource Name (ARN) of the S3 Access Grants instance.

  • IdentityCenterArn (string) --

    If you associated your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the IAM Identity Center instance application; a subresource of the original Identity Center instance passed in the request. S3 Access Grants creates this Identity Center application for this specific S3 Access Grants instance.

Get the details of an access grant from your S3 Access Grants instance.

Permissions

You must have the s3:GetAccessGrant permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.get_access_grant(
    AccountId='string',
    AccessGrantId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type AccessGrantId

string

param AccessGrantId

[REQUIRED]

The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantId': 'string',
    'AccessGrantArn': 'string',
    'Grantee': {
        'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
        'GranteeIdentifier': 'string'
    },
    'Permission': 'READ'|'WRITE'|'READWRITE',
    'AccessGrantsLocationId': 'string',
    'AccessGrantsLocationConfiguration': {
        'S3SubPrefix': 'string'
    },
    'GrantScope': 'string',
    'ApplicationArn': 'string'
}

Response Structure

• (dict) --

  • CreatedAt (datetime) --

    The date and time when you created the access grant.

  • AccessGrantId (string) --

    The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

  • AccessGrantArn (string) --

    The Amazon Resource Name (ARN) of the access grant.

  • Grantee (dict) --

    The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added a corporate directory to Amazon Web Services IAM Identity Center and associated this Identity Center instance with the S3 Access Grants instance, the grantee can also be a corporate directory user or group.

    • GranteeType (string) --

      The type of the grantee to which access has been granted. It can be one of the following values:

      • IAM - An IAM user or role.

      • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

      • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

    • GranteeIdentifier (string) --

      The unique identifier of the Grantee . If the grantee type is IAM , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 . You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

  • Permission (string) --

    The type of permission that was granted in the access grant. Can be one of the following values:

    • READ – Grant read-only access to the S3 data.

    • WRITE – Grant write-only access to the S3 data.

    • READWRITE – Grant both read and write access to the S3 data.

  • AccessGrantsLocationId (string) --

    The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

  • AccessGrantsLocationConfiguration (dict) --

    The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.

    • S3SubPrefix (string) --

      The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3:// , the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/* . Or the S3SubPrefx can be <bucket-name>/<prefix-name>* , so the full grant scope path would be or s3://<bucket-name>/<prefix-name>* .

      If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

  • GrantScope (string) --

    The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

  • ApplicationArn (string) --

    The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.

Dissociates the Amazon Web Services IAM Identity Center instance from the S3 Access Grants instance.

Permissions

You must have the s3:DissociateAccessGrantsIdentityCenter permission to use this operation.

Additional Permissions

You must have the sso:DeleteApplication permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.dissociate_access_grants_identity_center(
    AccountId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

returns

None

Returns a list of S3 Access Grants instances. An S3 Access Grants instance serves as a logical grouping for your individual access grants. You can only have one S3 Access Grants instance per Region per account.

Permissions

You must have the s3:ListAccessGrantsInstances permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.list_access_grants_instances(
    AccountId='string',
    NextToken='string',
    MaxResults=123
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type NextToken

string

param NextToken

A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Instances request in order to retrieve the next page of results.

type MaxResults

integer

param MaxResults

The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken , make another call using the NextToken to determine if there are more results.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'AccessGrantsInstancesList': [
        {
            'AccessGrantsInstanceId': 'string',
            'AccessGrantsInstanceArn': 'string',
            'CreatedAt': datetime(2015, 1, 1),
            'IdentityCenterArn': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants Instances request in order to retrieve the next page of results.

  • AccessGrantsInstancesList (list) --

    A container for a list of S3 Access Grants instances.

    • (dict) --

      Information about the S3 Access Grants instance.

      • AccessGrantsInstanceId (string) --

        The ID of the S3 Access Grants instance. The ID is default . You can have one S3 Access Grants instance per Region per account.

      • AccessGrantsInstanceArn (string) --

        The Amazon Resource Name (ARN) of the S3 Access Grants instance.

      • CreatedAt (datetime) --

        The date and time when you created the S3 Access Grants instance.

      • IdentityCenterArn (string) --

        If you associated your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the IAM Identity Center instance application; a subresource of the original Identity Center instance. S3 Access Grants creates this Identity Center application for the specific S3 Access Grants instance.

Returns the list of access grants in your S3 Access Grants instance.

Permissions

You must have the s3:ListAccessGrants permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.list_access_grants(
    AccountId='string',
    NextToken='string',
    MaxResults=123,
    GranteeType='DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
    GranteeIdentifier='string',
    Permission='READ'|'WRITE'|'READWRITE',
    GrantScope='string',
    ApplicationArn='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type NextToken

string

param NextToken

A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants request in order to retrieve the next page of results.

type MaxResults

integer

param MaxResults

The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken , make another call using the NextToken to determine if there are more results.

type GranteeType

string

param GranteeType

The type of the grantee to which access has been granted. It can be one of the following values:

• IAM - An IAM user or role.

• DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

• DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

type GranteeIdentifier

string

param GranteeIdentifier

The unique identifer of the Grantee . If the grantee type is IAM , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 . You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

type Permission

string

param Permission

The type of permission granted to your S3 data, which can be set to one of the following values:

• READ – Grant read-only access to the S3 data.

• WRITE – Grant write-only access to the S3 data.

• READWRITE – Grant both read and write access to the S3 data.

type GrantScope

string

param GrantScope

The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

type ApplicationArn

string

param ApplicationArn

The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'AccessGrantsList': [
        {
            'CreatedAt': datetime(2015, 1, 1),
            'AccessGrantId': 'string',
            'AccessGrantArn': 'string',
            'Grantee': {
                'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
                'GranteeIdentifier': 'string'
            },
            'Permission': 'READ'|'WRITE'|'READWRITE',
            'AccessGrantsLocationId': 'string',
            'AccessGrantsLocationConfiguration': {
                'S3SubPrefix': 'string'
            },
            'GrantScope': 'string',
            'ApplicationArn': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants request in order to retrieve the next page of results.

  • AccessGrantsList (list) --

    A container for a list of grants in an S3 Access Grants instance.

    • (dict) --

      Information about the access grant.

      • CreatedAt (datetime) --

        The date and time when you created the S3 Access Grants instance.

      • AccessGrantId (string) --

        The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

      • AccessGrantArn (string) --

        The Amazon Resource Name (ARN) of the access grant.

      • Grantee (dict) --

        The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.

        • GranteeType (string) --

          The type of the grantee to which access has been granted. It can be one of the following values:

          • IAM - An IAM user or role.

          • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

          • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

        • GranteeIdentifier (string) --

          The unique identifier of the Grantee . If the grantee type is IAM , the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 . You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

      • Permission (string) --

        The type of access granted to your S3 data, which can be set to one of the following values:

        • READ – Grant read-only access to the S3 data.

        • WRITE – Grant write-only access to the S3 data.

        • READWRITE – Grant both read and write access to the S3 data.

      • AccessGrantsLocationId (string) --

        The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

      • AccessGrantsLocationConfiguration (dict) --

        The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.

        • S3SubPrefix (string) --

          The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3:// , the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/* . Or the S3SubPrefx can be <bucket-name>/<prefix-name>* , so the full grant scope path would be or s3://<bucket-name>/<prefix-name>* .

          If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

      • GrantScope (string) --

        The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

      • ApplicationArn (string) --

        The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.

Retrieves the S3 Access Grants instance for a Region in your account.

Permissions

You must have the s3:GetAccessGrantsInstance permission to use this operation.

See also: AWS API Documentation

Request Syntax

client.get_access_grants_instance(
    AccountId='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

rtype

dict

returns

Response Syntax

{
    'AccessGrantsInstanceArn': 'string',
    'AccessGrantsInstanceId': 'string',
    'IdentityCenterArn': 'string',
    'CreatedAt': datetime(2015, 1, 1)
}

Response Structure

• (dict) --

  • AccessGrantsInstanceArn (string) --

    The Amazon Resource Name (ARN) of the S3 Access Grants instance.

  • AccessGrantsInstanceId (string) --

    The ID of the S3 Access Grants instance. The ID is default . You can have one S3 Access Grants instance per Region per account.

  • IdentityCenterArn (string) --

    If you associated your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity Center instance application; a subresource of the original Identity Center instance. S3 Access Grants creates this Identity Center application for the specific S3 Access Grants instance.

  • CreatedAt (datetime) --

    The date and time when you created the S3 Access Grants instance.

Updates the IAM role of a registered location in your S3 Access Grants instance.

Permissions

You must have the s3:UpdateAccessGrantsLocation permission to use this operation.

Additional Permissions

You must also have the following permission: iam:PassRole

See also: AWS API Documentation

Request Syntax

client.update_access_grants_location(
    AccountId='string',
    AccessGrantsLocationId='string',
    IAMRoleArn='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type AccessGrantsLocationId

string

param AccessGrantsLocationId

[REQUIRED]

The ID of the registered location that you are updating. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

The ID of the registered location to which you are granting access. S3 Access Grants assigned this ID when you registered the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

If you are passing the default location, you cannot create an access grant for the entire default location. You must also specify a bucket or a bucket and prefix in the Subprefix field.

type IAMRoleArn

string

param IAMRoleArn

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role for the registered location. S3 Access Grants assumes this role to manage access to the registered location.

rtype

dict

returns

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantsLocationId': 'string',
    'AccessGrantsLocationArn': 'string',
    'LocationScope': 'string',
    'IAMRoleArn': 'string'
}

Response Structure

• (dict) --

  • CreatedAt (datetime) --

    The date and time when you registered the location.

  • AccessGrantsLocationId (string) --

    The ID of the registered location to which you are granting access. S3 Access Grants assigned this ID when you registered the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

  • AccessGrantsLocationArn (string) --

    The Amazon Resource Name (ARN) of the registered location that you are updating.

  • LocationScope (string) --

    The S3 URI path of the location that you are updating. You cannot update the scope of the registered location. The location scope can be the default S3 location s3:// , the S3 path to a bucket s3://<bucket> , or the S3 path to a bucket and prefix s3://<bucket>/<prefix> .

  • IAMRoleArn (string) --

    The Amazon Resource Name (ARN) of the IAM role of the registered location. S3 Access Grants assumes this role to manage access to the registered location.

Associate your S3 Access Grants instance with an Amazon Web Services IAM Identity Center instance. Use this action if you want to create access grants for users or groups from your corporate identity directory. First, you must add your corporate identity directory to Amazon Web Services IAM Identity Center. Then, you can associate this IAM Identity Center instance with your S3 Access Grants instance.

Permissions

You must have the s3:AssociateAccessGrantsIdentityCenter permission to use this operation.

Additional Permissions

You must also have the following permissions: sso:CreateApplication , sso:PutApplicationGrant , and sso:PutApplicationAuthenticationMethod .

See also: AWS API Documentation

Request Syntax

client.associate_access_grants_identity_center(
    AccountId='string',
    IdentityCenterArn='string'
)

type AccountId

string

param AccountId

[REQUIRED]

The ID of the Amazon Web Services account that is making this request.

type IdentityCenterArn

string

param IdentityCenterArn

[REQUIRED]

The Amazon Resource Name (ARN) of the Amazon Web Services IAM Identity Center instance that you are associating with your S3 Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center. You can use the ListInstances API operation to retrieve a list of your Identity Center instances and their ARNs.

returns

None