Accessing S3 data using credentials vended by S3 Access Grants - Amazon Simple Storage Service
Supported S3 actions in S3 Access Grants

Accessing S3 data using credentials vended by S3 Access Grants

After a grantee obtains temporary credentials through their access grant, they can use these temporary credentials to call Amazon S3 API operations to access your data.

Grantees can access S3 data by using the AWS Command Line Interface (AWS CLI), the AWS SDKs, and the Amazon S3 REST API. Additionally, you can use the AWS Python and Java plugins to call S3 Access Grants

After the grantee obtains their temporary credentials from S3 Access Grants, they can set up a profile with these credentials to retrieve the data.

To install the AWS CLI, see Installing the AWS CLI in the AWS Command Line Interface User Guide.

To use the following example commands, replace the user input placeholders with your own information.

Example – Set up a profile
aws configure set aws_access_key_id "$accessKey" --profile access-grants-consumer-access-profile
aws configure set aws_secret_access_key "$secretKey" --profile access-grants-consumer-access-profile
aws configure set aws_session_token "$sessionToken" --profile access-grants-consumer-access-profile

To use the following example command, replace the user input placeholders with your own information.

Example – Get the S3 data

The grantee can use the get-object AWS CLI command to access the data. The grantee can also use put-object, ls, and other S3 AWS CLI commands. 

aws s3api get-object \
--bucket amzn-s3-demo-bucket1 \
--key myprefix \
--region us-east-2 \
--profile access-grants-consumer-access-profile

This section provides examples of how grantees can access your S3 data by using the AWS SDKs.

Java

For examples of how to get S3 data by using temporary credentials, see how to get an object by using the AWS SDKs and Amazon S3 code examples for the AWS SDK for Java 2.x.

Supported S3 actions in S3 Access Grants

A grantee can use the temporary credential vended by S3 Access Grants to perform S3 actions on the S3 data they have access to. The following is a list of allowable S3 actions that a grantee can perform. Which actions are allowable depends on the level of permission granted in the access grant, either READ, WRITE, or READWRITE.

Note

In addition to the Amazon S3 permissions listed below, Amazon S3 can call the AWS Key Management Service (AWS KMS) Decrypt (kms:decrypt) READ permission or the AWS KMS GenerateDataKey (kms:generateDataKey) WRITE permission. These permissions don't allow direct access to the AWS KMS key.

S3 IAM action API action & doc S3 Access Grants Permission S3 resource
s3:GetObject GetObject READ Object
s3:GetObjectVersion GetObject READ Object
s3:GetObjectAcl GetObjectAcl READ Object
s3:GetObjectVersionAcl GetObjectAcl READ Object
s3:ListMultipartUploads ListParts READ Object
s3:PutObject PutObject, CreateMultipartUpload, UploadPart, UploadPartCopy, CompleteMultipartUpload WRITE Object
s3:PutObjectAcl PutObjectAcl WRITE Object
s3:PutObjectVersionAcl PutObjectAcl WRITE Object
s3:DeleteObject DeleteObject WRITE Object
s3:DeleteObjectVersion DeleteObject WRITE Object
s3:AbortMultipartUpload AbortMultipartUpload WRITE Object
s3:ListBucket HeadBucket, ListObjectsV2, ListObjects READ Bucket
s3:ListBucketVersions ListObjectVersions READ Bucket
s3:ListBucketMultipartUploads ListMultipartUploads READ Bucket