This page is only for existing customers of the Amazon Glacier service using Vaults and the original REST API from 2012.
If you're looking for archival storage solutions, we recommend using the Amazon Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. To learn more about these storage options, see Amazon Glacier storage classes
Amazon Glacier (original standalone vault-based service) will no longer accept new customers starting December 15, 2025, with no impact to existing customers. Amazon Glacier is a standalone service with its own APIs that stores data in vaults and is distinct from Amazon S3 and the Amazon S3 Glacier storage classes. Your existing data will remain secure and accessible in Amazon Glacier indefinitely. No migration is required. For low-cost, long-term archival storage, AWS recommends the Amazon S3 Glacier storage classes
Get Vault Lock (GET lock-policy)
Description
This operation retrieves the following attributes from the lock-policy
subresource set on the specified vault:
-
The vault lock policy set on the vault.
-
The state of the vault lock, which is either
InProgessorLocked. -
When the lock ID expires. The lock ID is used to complete the vault locking process.
-
When the vault lock was initiated and put into the
InProgressstate.
A vault lock is put into the InProgress state by calling Initiate Vault Lock (POST lock-policy). A vault
lock is put into the Locked state by calling Complete Vault Lock (POST lockId). You can
stop the vault locking process by calling Abort Vault Lock (DELETE lock-policy). For more information about the vault locking
process, see Amazon Glacier Vault Lock.
If there is no vault lock policy set on the vault, the operation returns a 404
Not found error. For more information about vault lock policies, see Vault Lock Policies.
Requests
To return the current vault lock policy and other attributes, send an HTTP GET
request to the URI of the vault's lock-policy subresource as shown in the
following syntax example.
Syntax
GET /AccountId/vaults/vaultName/lock-policy HTTP/1.1 Host: glacier.Region.amazonaws.com Date:DateAuthorization:SignatureValuex-amz-glacier-version: 2012-06-01
Note
The AccountId value is the AWS account ID of the account that owns the vault. You can either specify an AWS account ID or optionally a single '-' (hyphen), in which case Amazon Glacier uses the AWS account ID associated with the credentials used to sign the request. If you use an account ID, do not include any hyphens ('-') in the ID.
Request Parameters
This operation does not use request parameters.
Request Headers
This operation uses only request headers that are common to all operations. For information about common request headers, see Common Request Headers.
Request Body
This operation does not have a request body.
Responses
In response, Amazon Glacier (Amazon Glacier) returns the vault access policy in JSON format in the body of the response.
Syntax
HTTP/1.1 200 OK x-amzn-RequestId: x-amzn-RequestId Date: Date Content-Type: application/json Content-Length: length { "Policy": "string", "State": "string", "ExpirationDate": "string", "CreationDate":"string" }
Response Headers
This operation uses only response headers that are common to most responses. For information about common response headers, see Common Response Headers.
Response Body
The response body contains the following JSON fields.
- Policy
-
The vault lock policy as a JSON string, which uses "\" as an escape character.
Type: String
- State
-
The state of the vault lock.
Type: String
Valid values:
InProgress|Locked - ExpirationDate
-
The UTC date and time at which the lock ID expires. This value can be
nullif the vault lock is in aLockedstate.Type: A string representation in the ISO 8601 date format, for example
2013-03-20T17:03:43.221Z. - CreationDate
-
The UTC date and time at which the vault lock was put into the
InProgressstate.Type: A string representation in the ISO 8601 date format, for example
2013-03-20T17:03:43.221Z.
Errors
For information about Amazon Glacier exceptions and error messages, see Error Responses.
Examples
The following example demonstrates how to get a vault lock policy.
Example Request
In this example, a GET request is sent to the URI of a vault's lock-policy subresource.
GET /-/vaults/examplevault/lock-policy HTTP/1.1 Host: glacier.us-west-2.amazonaws.com x-amz-Date: 20170210T120000Z x-amz-glacier-version: 2012-06-01 Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20141123/us-west-2/glacier/aws4_request,SignedHeaders=host;x-amz-date;x-amz-glacier-version,Signature=9257c16da6b25a715ce900a5b45b03da0447acf430195dcb540091b12966f2a2
Example Response
If the request was successful, Amazon Glacier returns the vault access policy as a JSON string in the body of the response. The returned JSON string uses "\" as an escape character, as shown in the Initiate Vault Lock (POST lock-policy) example request. However, the following example shows the returned JSON string without escape characters for readability.
HTTP/1.1 200 OK x-amzn-RequestId: AAABZpJrTyioDC_HsOmHae8EZp_uBSJr6cnGOLKp_XJCl-Q Date: Wed, 10 Feb 2017 12:00:00 GMT Content-Type: application/json Content-Length: length { "Policy": " { "Version": "2012-10-17", "Statement": [ { "Sid": "Define-vault-lock", "Principal": { "AWS": "arn:aws:iam::999999999999:root" }, "Effect": "Deny", "Action": "glacier:DeleteArchive", "Resource": [ "arn:aws:glacier:us-west-2:999999999999:vaults/examplevault" ], "Condition": { "NumericLessThanEquals": { "glacier:ArchiveAgeInDays": "365" } } } ] } ", "State": "InProgress", "ExpirationDate": "exampledate", "CreationDate": "exampledate" }
Related Sections
See Also
For more information about using this API in one of the language-specific Amazon SDKs, see the following:
