class BucketGrants
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.S3.BucketGrants |
| Go | github.com/aws/aws-cdk-go/awscdk/v2/awss3#BucketGrants |
| Java | software.amazon.awscdk.services.s3.BucketGrants |
| Python | aws_cdk.aws_s3.BucketGrants |
| TypeScript (source) | aws-cdk-lib » aws_s3 » BucketGrants |
Collection of grant methods for a Bucket.
Methods
| Name | Description |
|---|---|
| delete(grantee, objectsKeyPattern?) | Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket. |
| publicAccess(keyPrefix?, ...allowedActions) | Allows unrestricted access to objects from this bucket. |
| put(identity, objectsKeyPattern?) | Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal. |
| putAcl(identity, objectsKeyPattern?) | Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal. |
| read(identity, objectsKeyPattern?) | Grant read permissions for this bucket and its contents to an IAM principal (Role/Group/User). |
| readWrite(identity, objectsKeyPattern?) | Grant read and write permissions for this bucket and its contents to an IAM principal (Role/Group/User). |
| replicationPermission(identity, props) | Grant replication permission to a principal. This method allows the principal to perform replication operations on this bucket. |
| write(identity, objectsKeyPattern?, allowedActionPatterns?) | Grant write permissions for this bucket and its contents to an IAM principal (Role/Group/User). |
delete(grantee, objectsKeyPattern?)
public delete(grantee: IGrantable, objectsKeyPattern?: any): Grant
Parameters
- grantee (IGrantable): The principal.
- objectsKeyPattern (any): Restrict the permission to a certain key pattern (default '*').
Returns
Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
publicAccess(keyPrefix?, ...allowedActions)
public publicAccess(keyPrefix?: string, ...allowedActions: string[]): Grant
Parameters
- keyPrefix (string): The prefix of S3 object keys (e.g. home/*). Default is "*".
- allowedActions (string): The set of S3 actions to allow.
Returns
Allows unrestricted access to objects from this bucket.
IMPORTANT: This permission allows anyone to perform actions on S3 objects in this bucket, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket without needing to authenticate.
Without arguments, this method will grant read ("s3:GetObject") access to all objects ("*") in the bucket.
The method returns the iam.Grant object, which can then be modified as needed. For example, you can add a condition that will restrict access only to an IPv4 range like this:

```ts
const grant = bucket.grantPublicAccess();
grant.resourceStatement!.addCondition('IpAddress', { 'aws:SourceIp': '54.240.143.0/24' });
```
Note that if this IBucket refers to an existing bucket, possibly not
managed by CloudFormation, this method will have no effect, since it's
impossible to modify the policy of an existing bucket.
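Added example, not CDK's own code: a hand-written model of the resource policy statement that publicAccess produces (principal "*", default action s3:GetObject, default key prefix "*"), the equivalent of the addCondition call above, and a review check that flags any Allow to "*" that carries no condition. The statement shape and the helper names are assumptions chosen to mirror the documented behaviour; they are not exported by aws-cdk-lib.

```typescript
// Hand-written model of the statement publicAccess() emits; an assumption
// based on the documented defaults, not the CDK implementation.
interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: string };
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

// Object-level ARN for a key pattern, as the objectsKeyPattern parameters
// scope each grant (default "*" covers every object in the bucket).
function arnForObjects(bucketName: string, keyPattern: string = "*"): string {
  return `arn:aws:s3:::${bucketName}/${keyPattern}`;
}

// Model of publicAccess(keyPrefix?, ...allowedActions) with the documented
// defaults: read ("s3:GetObject") on all objects ("*"), granted to anyone.
function publicAccessStatement(
  bucketName: string,
  keyPrefix: string = "*",
  ...allowedActions: string[]
): PolicyStatement {
  const actions = allowedActions.length > 0 ? allowedActions : ["s3:GetObject"];
  return { Effect: "Allow", Principal: "*", Action: actions, Resource: [arnForObjects(bucketName, keyPrefix)] };
}

// Equivalent of grant.resourceStatement.addCondition('IpAddress', { 'aws:SourceIp': cidr }).
function restrictToSourceIp(stmt: PolicyStatement, cidr: string): PolicyStatement {
  return { ...stmt, Condition: { ...(stmt.Condition ?? {}), IpAddress: { "aws:SourceIp": cidr } } };
}

// Review check over a synthesized statement: an Allow to Principal "*" with no
// Condition is world-accessible for every listed action. Returns the actions
// so a finding can be reported; an empty array means nothing to flag.
function unconditionalPublicActions(stmt: PolicyStatement): string[] {
  if (stmt.Effect !== "Allow" || stmt.Principal !== "*") return [];
  if (stmt.Condition && Object.keys(stmt.Condition).length > 0) return [];
  return stmt.Action;
}
```

Run the check over each statement of the synthesized bucket policy; a non-empty result is the unrestricted grant the IMPORTANT note above describes.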
put(identity, objectsKeyPattern?)
public put(identity: IGrantable, objectsKeyPattern?: any): Grant
Parameters
- identity (IGrantable): The principal.
- objectsKeyPattern (any): Restrict the permission to a certain key pattern (default '*').
Returns
Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.
putAcl(identity, objectsKeyPattern?)
public putAcl(identity: IGrantable, objectsKeyPattern?: string): Grant
Parameters
- identity (IGrantable): The principal.
- objectsKeyPattern (string): Restrict the permission to a certain key pattern (default '*').
Returns
Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal.
If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.
read(identity, objectsKeyPattern?)
public read(identity: IGrantable, objectsKeyPattern?: any): Grant
Parameters
- identity (IGrantable): The principal.
- objectsKeyPattern (any): Restrict the permission to a certain key pattern (default '*').
Returns
Grant read permissions for this bucket and its contents to an IAM principal (Role/Group/User).
If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.
readWrite(identity, objectsKeyPattern?)
public readWrite(identity: IGrantable, objectsKeyPattern?: any): Grant
Parameters
- identity (IGrantable): The principal.
- objectsKeyPattern (any): Restrict the permission to a certain key pattern (default '*').
Returns
Grant read and write permissions for this bucket and its contents to an IAM principal (Role/Group/User).
If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.
replicationPermission(identity, props)
public replicationPermission(identity: IGrantable, props: GrantReplicationPermissionProps): Grant
Parameters
- identity (IGrantable): The principal to grant replication permission to.
- props (GrantReplicationPermissionProps): The properties of the replication source and destination buckets.
Returns
Grant replication permission to a principal. This method allows the principal to perform replication operations on this bucket.
Note that when calling this function for source or destination buckets that support KMS encryption, you need to specify the KMS key for encryption and the KMS key for decryption, respectively.
write(identity, objectsKeyPattern?, allowedActionPatterns?)
public write(identity: IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): Grant
Parameters
- identity (IGrantable): The principal.
- objectsKeyPattern (any): Restrict the permission to a certain key pattern (default '*').
- allowedActionPatterns (string[])
Returns
Grant write permissions for this bucket and its contents to an IAM principal (Role/Group/User).
If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.