Use PutBucketPolicy
with an AWS SDK or CLI
The following code examples show how to use PutBucketPolicy
.
- C++
-
- SDK for C++
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
//! Apply a policy document to an Amazon S3 bucket.
/*!
  \param bucketName: Name of the bucket that receives the policy.
  \param policyBody: Policy document; it is streamed into the request body
                     exactly as given, with no validation in this function.
  \param clientConfig: Configuration used to construct the S3 client.
  \return bool: True if the PutBucketPolicy call reported success.
*/
bool AwsDoc::S3::putBucketPolicy(const Aws::String &bucketName,
                                 const Aws::String &policyBody,
                                 const Aws::S3::S3ClientConfiguration &clientConfig) {
    Aws::S3::S3Client s3Client(clientConfig);

    // The request takes the policy document as a stream, so copy it into one.
    std::shared_ptr<Aws::StringStream> policyStream =
            Aws::MakeShared<Aws::StringStream>("");
    *policyStream << policyBody;

    Aws::S3::Model::PutBucketPolicyRequest putRequest;
    putRequest.SetBucket(bucketName);
    putRequest.SetBody(policyStream);

    Aws::S3::Model::PutBucketPolicyOutcome outcome =
            s3Client.PutBucketPolicy(putRequest);

    if (outcome.IsSuccess()) {
        // The applied policy is echoed to stdout so the operator can see
        // exactly which document is now in force.
        std::cout << "Set the following policy body for the bucket '"
                  << bucketName << "':" << std::endl << std::endl;
        std::cout << policyBody << std::endl;
    }
    else {
        std::cerr << "Error: putBucketPolicy: "
                  << outcome.GetError().GetMessage() << std::endl;
    }

    return outcome.IsSuccess();
}

//! Build a policy JSON string.
/*!
  The returned policy has a single Allow statement that gives the principal
  userArn the "s3:getObject" action on every object key in bucketName.

  Both arguments are spliced into the JSON text without any escaping.
  NOTE(review): a quote or backslash in either value would change the shape of
  the resulting document, so callers should pass only values they have already
  checked -- confirm where userArn and bucketName come from.

  \param userArn: Aws user Amazon Resource Name (ARN). For more information, see
   https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns.
  \param bucketName: Name of a bucket.
  \return String: Policy as JSON string.
*/
Aws::String getPolicyString(const Aws::String &userArn,
                            const Aws::String &bucketName) {
    // Everything up to the opening quote of the principal ARN.
    Aws::String policyJson =
            "{\n"
            " \"Version\":\"2012-10-17\",\n"
            " \"Statement\":[\n"
            " {\n"
            " \"Sid\": \"1\",\n"
            " \"Effect\": \"Allow\",\n"
            " \"Principal\": {\n"
            " \"AWS\": \"";
    policyJson += userArn;

    // Close the principal, then open the resource ARN for the bucket.
    policyJson +=
            "\"\n"
            " },\n"
            " \"Action\": [ \"s3:getObject\" ],\n"
            " \"Resource\": [ \"arn:aws:s3:::";
    policyJson += bucketName;

    // "/*" scopes the statement to every object key in the bucket.
    policyJson +=
            "/*\" ]\n"
            " }\n"
            " ]\n"
            "}";

    return policyJson;
}
-
For API details, see PutBucketPolicy in AWS SDK for C++ API Reference.
-
- CLI
-
- AWS CLI
-
This example allows all users to retrieve any object in MyBucket except those in the MySecretFolder (the first statement's "Principal": "*" matches every caller, including unauthenticated ones). It also grants put and delete permission to the root user of the AWS account 1234-5678-9012:
aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json
policy.json:
{
"Statement":[
{
"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource":"arn:aws:s3:::MyBucket/*"
},
{
"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource":"arn:aws:s3:::MyBucket/MySecretFolder/*"
},
{
"Effect": "Allow", "Principal":{
"AWS":"arn:aws:iam::123456789012:root"
},
"Action":[
"s3:DeleteObject","s3:PutObject"
],
"Resource":"arn:aws:s3:::MyBucket/*"
}
]
}
-
For API details, see PutBucketPolicy
in AWS CLI Command Reference.
-
- Java
-
- SDK for Java 2.x
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
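import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutBucketPolicyRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;
import software.amazon.awssdk.regions.Region;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 * <p>
 * For more information, see the following documentation topic:
 * <p>
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class SetBucketPolicy {
    /**
     * Reads a policy file, checks that it parses as JSON, and applies it to the
     * named bucket.
     *
     * @param args {@code <bucketName> <polFile>}
     */
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <bucketName> <polFile>

                Where:
                    bucketName - The Amazon S3 bucket to set the policy on.
                    polFile - A JSON file containing the policy (see the Amazon S3 Readme for an example).\s
                """;

        if (args.length != 2) {
            System.out.println(usage);
            System.exit(1);
        }

        String bucketName = args[0];
        String polFile = args[1];
        // Exits with status 1 when the file is unreadable, blank, or not JSON,
        // so no request is sent for a document that failed the local check.
        String policyText = getBucketPolicyFromFile(polFile);
        Region region = Region.US_EAST_1;

        // try-with-resources closes the client even if setPolicy throws.
        try (S3Client s3 = S3Client.builder()
                .region(region)
                .build()) {
            setPolicy(s3, bucketName, policyText);
        }
    }

    /**
     * Sets the policy for an Amazon S3 bucket.
     * <p>
     * The policy text is printed to standard output before the request is sent.
     * An {@link S3Exception} from the service is not propagated: its error
     * message is printed to standard error and the JVM exits with status 1.
     *
     * @param s3         the {@link S3Client} object used to interact with the Amazon S3 service
     * @param bucketName the name of the Amazon S3 bucket
     * @param policyText the text of the policy to be set on the bucket
     */
    public static void setPolicy(S3Client s3, String bucketName, String policyText) {
        System.out.println("Setting policy:");
        System.out.println("----");
        System.out.println(policyText);
        System.out.println("----");
        System.out.format("On Amazon S3 bucket: \"%s\"\n", bucketName);

        try {
            PutBucketPolicyRequest policyReq = PutBucketPolicyRequest.builder()
                    .bucket(bucketName)
                    .policy(policyText)
                    .build();

            s3.putBucketPolicy(policyReq);
        } catch (S3Exception e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }

        System.out.println("Done!");
    }

    /**
     * Retrieves the bucket policy from a specified file.
     * <p>
     * The file is read as UTF-8 and its lines are joined without separators.
     * The result must be non-blank and must tokenize as JSON; otherwise the
     * problem is reported on standard error and the JVM exits with status 1,
     * matching how {@link #setPolicy} handles a service error. This check is
     * syntactic only: it does not inspect which principals, actions, or
     * resources the policy names.
     *
     * @param policyFile the path to the file containing the bucket policy
     * @return the content of the bucket policy file as a string
     */
    public static String getBucketPolicyFromFile(String policyFile) {
        StringBuilder fileText = new StringBuilder();
        try {
            List<String> lines = Files.readAllLines(Paths.get(policyFile), StandardCharsets.UTF_8);
            for (String line : lines) {
                fileText.append(line);
            }
        } catch (IOException e) {
            // Stop here instead of continuing with an empty policy string.
            System.err.format("Problem reading file: \"%s\"%n", policyFile);
            System.err.println(e.getMessage());
            System.exit(1);
        }

        String policyText = fileText.toString();
        if (policyText.isBlank()) {
            // An empty document yields no tokens, so the parser loop below
            // would accept it; reject it explicitly.
            System.err.format("Policy file \"%s\" is empty.%n", policyFile);
            System.exit(1);
        }

        // Walk every token so that a syntax error anywhere in the document
        // surfaces; the parser is closed when the block ends.
        try (JsonParser parser = new ObjectMapper().getFactory().createParser(policyText)) {
            while (parser.nextToken() != null) {
                // Tokens are consumed only to trigger parse errors.
            }
        } catch (IOException jpe) {
            System.err.format("Policy file \"%s\" is not valid JSON: %s%n", policyFile, jpe.getMessage());
            System.exit(1);
        }

        return policyText;
    }
}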
-
For API details, see PutBucketPolicy in AWS SDK for Java 2.x API Reference.
-
- JavaScript
-
- SDK for JavaScript (v3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
. Add the policy.
import {
  PutBucketPolicyCommand,
  S3Client,
  S3ServiceException,
} from "@aws-sdk/client-s3";

/**
 * Attach a bucket policy that lets one IAM role call GetObject on every
 * object in the given bucket.
 *
 * The policy is built as an object and serialized with JSON.stringify, so
 * `bucketName` and `iamRoleArn` are escaped as JSON string values rather than
 * concatenated into the document text.
 * @param {{ bucketName: string, iamRoleArn: string }}
 */
export const main = async ({ bucketName, iamRoleArn }) => {
  const s3 = new S3Client({});

  // This is a resource-based policy. For more information on resource-based policies,
  // see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based.
  const policyDocument = {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // The single principal this statement applies to.
        Principal: {
          AWS: iamRoleArn,
        },
        Action: "s3:GetObject",
        // "/*" covers every object key in the bucket.
        Resource: `arn:aws:s3:::${bucketName}/*`,
      },
    ],
  };

  const putPolicy = new PutBucketPolicyCommand({
    Policy: JSON.stringify(policyDocument),
    // Apply the preceding policy to this bucket.
    Bucket: bucketName,
  });

  try {
    await s3.send(putPolicy);
    console.log(
      `GetObject access to the bucket "${bucketName}" was granted to the provided IAM role.`,
    );
  } catch (caught) {
    // Anything that is not an S3 service error is left for the caller.
    if (!(caught instanceof S3ServiceException)) {
      throw caught;
    }

    if (caught.name === "MalformedPolicy") {
      console.error(
        `Error from S3 while setting the bucket policy for the bucket "${bucketName}". The policy was malformed.`,
      );
    } else {
      console.error(
        `Error from S3 while setting the bucket policy for the bucket "${bucketName}". ${caught.name}: ${caught.message}`,
      );
    }
  }
};
-
For more information, see AWS SDK for JavaScript Developer Guide.
-
For API details, see PutBucketPolicy in AWS SDK for JavaScript API Reference.
-
- Python
-
- SDK for Python (Boto3)
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
class BucketWrapper:
    """Thin wrapper around a Boto3 Bucket resource for bucket-level S3 actions."""

    def __init__(self, bucket):
        """
        Store the bucket resource and keep its name alongside it.

        :param bucket: A Boto3 Bucket resource. This is a high-level resource in Boto3
                       that wraps bucket actions in a class-like structure.
        """
        self.bucket = bucket
        self.name = bucket.name

    def put_policy(self, policy):
        """
        Apply a security policy to the bucket. Policies control users' ability
        to perform specific actions, such as listing the objects in the bucket.

        The policy is serialized with ``json.dumps`` before it is sent. On
        success the policy is written to the log at INFO level; a
        ``ClientError`` is logged with its traceback and then re-raised.

        :param policy: The policy to apply to the bucket, as a JSON-serializable
                       object.
        """
        policy_json = json.dumps(policy)
        try:
            self.bucket.Policy().put(Policy=policy_json)
        except ClientError:
            logger.exception("Couldn't apply policy to bucket '%s'.", self.bucket.name)
            raise
        else:
            # NOTE(review): the whole policy document ends up in the log here;
            # confirm that is acceptable for wherever these logs are shipped.
            logger.info("Put policy %s for bucket '%s'.", policy, self.bucket.name)
-
For API details, see PutBucketPolicy in AWS SDK for Python (Boto3) API Reference.
-
- Ruby
-
- SDK for Ruby
-
Note
There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository
# Wraps an Amazon S3 bucket policy.
class BucketPolicyWrapper
  attr_reader :bucket_policy

  # @param bucket_policy [Aws::S3::BucketPolicy] A bucket policy object configured with an existing bucket.
  def initialize(bucket_policy)
    @bucket_policy = bucket_policy
  end

  # Sets a policy on a bucket.
  #
  # The policy is handed to the wrapped object's +put+ unchanged; nothing in
  # this method inspects or validates it.
  #
  # @param policy The policy document to apply.
  # @return [Boolean] true when the put call returned without raising; false
  #   when an Aws::Errors::ServiceError was rescued (its message is printed).
  def policy(policy)
    begin
      @bucket_policy.put(policy: policy)
    rescue Aws::Errors::ServiceError => error
      puts "Couldn't set the policy for #{@bucket_policy.bucket.name}. Here's why: #{error.message}"
      return false
    end

    true
  end
end
-
For API details, see PutBucketPolicy in AWS SDK for Ruby API Reference.
-
For a complete list of AWS SDK developer guides and code examples, see Developing with Amazon S3 using the AWS SDKs. This topic also includes information about getting started and details about previous SDK versions.