There are more AWS SDK examples available in the [AWS Doc SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) GitHub repo. # Use `PutBucketPolicy` with an AWS SDK or CLI The following code examples show how to use `PutBucketPolicy`. ------ #### [ C\$1\$1 ] **SDK for C\$1\$1** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3#code-examples). ``` bool AwsDoc::S3::putBucketPolicy(const Aws::String &bucketName, const Aws::String &policyBody, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); std::shared_ptr request_body = Aws::MakeShared(""); *request_body << policyBody; Aws::S3::Model::PutBucketPolicyRequest request; request.SetBucket(bucketName); request.SetBody(request_body); Aws::S3::Model::PutBucketPolicyOutcome outcome = s3Client.PutBucketPolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error: putBucketPolicy: " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Set the following policy body for the bucket '" << bucketName << "':" << std::endl << std::endl; std::cout << policyBody << std::endl; } return outcome.IsSuccess(); } //! Build a policy JSON string. /*! \param userArn: Aws user Amazon Resource Name (ARN). For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns. \param bucketName: Name of a bucket. \return String: Policy as JSON string. */ Aws::String getPolicyString(const Aws::String &userArn, const Aws::String &bucketName) { return "{\n" " \"Version\":\"2012-10-17\",\n" " \"Statement\":[\n" " {\n" " \"Sid\": \"1\",\n" " \"Effect\": \"Allow\",\n" " \"Principal\": {\n" " \"AWS\": \"" + userArn + "\"\n"" },\n" " \"Action\": [ \"s3:getObject\" ],\n" " \"Resource\": [ \"arn:aws:s3:::" + bucketName + "/*\" ]\n" " }\n" " ]\n" "}"; } ``` + For API details, see [PutBucketPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/s3-2006-03-01/PutBucketPolicy) in *AWS SDK for C\$1\$1 API Reference*. ------ #### [ CLI ] **AWS CLI** This example allows all users to retrieve any object in *amzn-s3-demo-bucket* except those in the *MySecretFolder*. It also grants `put` and `delete` permission to the root user of the AWS account `1234-5678-9012`: ``` aws s3api put-bucket-policy --bucket amzn-s3-demo-bucket --policy file://policy.json policy.json: { "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" }, { "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/MySecretFolder/*" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": [ "s3:DeleteObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" } ] } ``` + For API details, see [PutBucketPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html) in *AWS CLI Command Reference*. ------ #### [ Java ] **SDK for Java 2.x** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/s3#code-examples). ``` import software.amazon.awssdk.services.s3.S3Client; import software.amazon.awssdk.services.s3.model.PutBucketPolicyRequest; import software.amazon.awssdk.services.s3.model.S3Exception; import software.amazon.awssdk.regions.Region; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Paths; import java.util.List; import com.fasterxml.jackson.core.JsonParser; import com.fasterxml.jackson.databind.ObjectMapper; /** * Before running this Java V2 code example, set up your development * environment, including your credentials. *

* For more information, see the following documentation topic: *

* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class SetBucketPolicy { public static void main(String[] args) { final String usage = """ Usage: Where: bucketName - The Amazon S3 bucket to set the policy on. polFile - A JSON file containing the policy (see the Amazon S3 Readme for an example).\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String bucketName = args[0]; String polFile = args[1]; String policyText = getBucketPolicyFromFile(polFile); Region region = Region.US_EAST_1; S3Client s3 = S3Client.builder() .region(region) .build(); setPolicy(s3, bucketName, policyText); s3.close(); } /** * Sets the policy for an Amazon S3 bucket. * * @param s3 the {@link S3Client} object used to interact with the Amazon S3 service * @param bucketName the name of the Amazon S3 bucket * @param policyText the text of the policy to be set on the bucket * @throws S3Exception if there is an error setting the bucket policy */ public static void setPolicy(S3Client s3, String bucketName, String policyText) { System.out.println("Setting policy:"); System.out.println("----"); System.out.println(policyText); System.out.println("----"); System.out.format("On Amazon S3 bucket: \"%s\"\n", bucketName); try { PutBucketPolicyRequest policyReq = PutBucketPolicyRequest.builder() .bucket(bucketName) .policy(policyText) .build(); s3.putBucketPolicy(policyReq); } catch (S3Exception e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done!"); } /** * Retrieves the bucket policy from a specified file. * * @param policyFile the path to the file containing the bucket policy * @return the content of the bucket policy file as a string */ public static String getBucketPolicyFromFile(String policyFile) { StringBuilder fileText = new StringBuilder(); try { List lines = Files.readAllLines(Paths.get(policyFile), StandardCharsets.UTF_8); for (String line : lines) { fileText.append(line); } } catch (IOException e) { System.out.format("Problem reading file: \"%s\"", policyFile); System.out.println(e.getMessage()); } try { final JsonParser parser = new ObjectMapper().getFactory().createParser(fileText.toString()); while (parser.nextToken() != null) { } } catch (IOException jpe) { jpe.printStackTrace(); } return fileText.toString(); } } ``` + For API details, see [PutBucketPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/s3-2006-03-01/PutBucketPolicy) in *AWS SDK for Java 2.x API Reference*. ------ #### [ JavaScript ] **SDK for JavaScript (v3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/s3#code-examples). Add the policy. ``` import { PutBucketPolicyCommand, S3Client, S3ServiceException, } from "@aws-sdk/client-s3"; /** * Grant an IAM role GetObject access to all of the objects * in the provided bucket. * @param {{ bucketName: string, iamRoleArn: string }} */ export const main = async ({ bucketName, iamRoleArn }) => { const client = new S3Client({}); const command = new PutBucketPolicyCommand({ // This is a resource-based policy. For more information on resource-based policies, // see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based. Policy: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { AWS: iamRoleArn, }, Action: "s3:GetObject", Resource: `arn:aws:s3:::${bucketName}/*`, }, ], }), // Apply the preceding policy to this bucket. Bucket: bucketName, }); try { await client.send(command); console.log( `GetObject access to the bucket "${bucketName}" was granted to the provided IAM role.`, ); } catch (caught) { if ( caught instanceof S3ServiceException && caught.name === "MalformedPolicy" ) { console.error( `Error from S3 while setting the bucket policy for the bucket "${bucketName}". The policy was malformed.`, ); } else if (caught instanceof S3ServiceException) { console.error( `Error from S3 while setting the bucket policy for the bucket "${bucketName}". ${caught.name}: ${caught.message}`, ); } else { throw caught; } } }; ``` + For more information, see [AWS SDK for JavaScript Developer Guide](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/s3-example-bucket-policies.html#s3-example-bucket-policies-set-policy). + For API details, see [PutBucketPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/s3/command/PutBucketPolicyCommand) in *AWS SDK for JavaScript API Reference*. ------ #### [ Python ] **SDK for Python (Boto3)** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/s3/s3_basics#code-examples). ``` class BucketWrapper: """Encapsulates S3 bucket actions.""" def __init__(self, bucket): """ :param bucket: A Boto3 Bucket resource. This is a high-level resource in Boto3 that wraps bucket actions in a class-like structure. """ self.bucket = bucket self.name = bucket.name def put_policy(self, policy): """ Apply a security policy to the bucket. Policies control users' ability to perform specific actions, such as listing the objects in the bucket. :param policy: The policy to apply to the bucket. """ try: self.bucket.Policy().put(Policy=json.dumps(policy)) logger.info("Put policy %s for bucket '%s'.", policy, self.bucket.name) except ClientError: logger.exception("Couldn't apply policy to bucket '%s'.", self.bucket.name) raise ``` + For API details, see [PutBucketPolicy](https://docs.aws.amazon.com/goto/boto3/s3-2006-03-01/PutBucketPolicy) in *AWS SDK for Python (Boto3) API Reference*. ------ #### [ Ruby ] **SDK for Ruby** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/s3#code-examples). ``` # Wraps an Amazon S3 bucket policy. class BucketPolicyWrapper attr_reader :bucket_policy # @param bucket_policy [Aws::S3::BucketPolicy] A bucket policy object configured with an existing bucket. def initialize(bucket_policy) @bucket_policy = bucket_policy end # Sets a policy on a bucket. # def policy(policy) @bucket_policy.put(policy: policy) true rescue Aws::Errors::ServiceError => e puts "Couldn't set the policy for #{@bucket_policy.bucket.name}. Here's why: #{e.message}" false end end ``` + For API details, see [PutBucketPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/s3-2006-03-01/PutBucketPolicy) in *AWS SDK for Ruby API Reference*. ------ #### [ SAP ABAP ] **SDK for SAP ABAP** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/s3#code-examples). ``` TRY. " Example policy JSON string " iv_policy = '{"Version":"2012-10-17", "Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/user"},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::bucketname/*"]}]}' lo_s3->putbucketpolicy( iv_bucket = iv_bucket_name iv_policy = iv_policy ). MESSAGE 'Bucket policy set.' TYPE 'I'. CATCH /aws1/cx_s3_nosuchbucket. MESSAGE 'Bucket does not exist.' TYPE 'E'. ENDTRY. ``` + For API details, see [PutBucketPolicy](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*. ------