CfnAccessGrantPropsMixin

class aws_cdk.mixins_preview.aws_s3.mixins.CfnAccessGrantPropsMixin(props, *, strategy=None)

Bases: Mixin

The AWS::S3::AccessGrant resource creates an access grant that gives a grantee access to your S3 data.

The grantee can be an IAM user or role, or a directory user or group. Before you can create a grant, you must have an S3 Access Grants instance in the same Region as the S3 data. You can create an S3 Access Grants instance using AWS::S3::AccessGrantsInstance. You must also have registered at least one S3 data location in your S3 Access Grants instance using AWS::S3::AccessGrantsLocation.

  • Permissions - You must have the s3:CreateAccessGrant permission to use this resource.

  • Additional Permissions:

      • For any directory identity - sso:DescribeInstance and sso:DescribeApplication

      • For directory users - identitystore:DescribeUser

      • For directory groups - identitystore:DescribeGroup

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-accessgrant.html

CloudformationResource:

AWS::S3::AccessGrant

Mixin:

true

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk import CfnTag  # CfnTag is defined in the core aws_cdk package
from aws_cdk.mixins_preview import mixins
from aws_cdk.mixins_preview.aws_s3 import mixins as s3_mixins

cfn_access_grant_props_mixin = s3_mixins.CfnAccessGrantPropsMixin(
    s3_mixins.CfnAccessGrantMixinProps(
        access_grants_location_configuration=s3_mixins.CfnAccessGrantPropsMixin.AccessGrantsLocationConfigurationProperty(
            s3_sub_prefix="s3SubPrefix"
        ),
        access_grants_location_id="accessGrantsLocationId",
        application_arn="applicationArn",
        grantee=s3_mixins.CfnAccessGrantPropsMixin.GranteeProperty(
            grantee_identifier="granteeIdentifier",
            grantee_type="granteeType"
        ),
        permission="permission",
        s3_prefix_type="s3PrefixType",
        tags=[CfnTag(
            key="key",
            value="value"
        )]
    ),
    strategy=mixins.PropertyMergeStrategy.OVERRIDE
)

Create a mixin to apply properties to AWS::S3::AccessGrant.

Parameters:
  • props (Union[CfnAccessGrantMixinProps, Dict[str, Any]]) – L1 properties to apply.

  • strategy (Optional[PropertyMergeStrategy]) – (experimental) Strategy for merging nested properties. Default: - PropertyMergeStrategy.MERGE

Methods

apply_to(construct)

Apply the mixin properties to the construct.

Parameters:

construct (IConstruct)

Return type:

IConstruct

supports(construct)

Check if this mixin supports the given construct.

Parameters:

construct (IConstruct)

Return type:

bool

Attributes

CFN_PROPERTY_KEYS = ['accessGrantsLocationConfiguration', 'accessGrantsLocationId', 'applicationArn', 'grantee', 'permission', 's3PrefixType', 'tags']

Static Methods

classmethod is_mixin(x)

(experimental) Checks if x is a Mixin.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Mixin.

Stability:

experimental

AccessGrantsLocationConfigurationProperty

class CfnAccessGrantPropsMixin.AccessGrantsLocationConfigurationProperty(*, s3_sub_prefix=None)

Bases: object

The configuration options of the S3 Access Grants location.

It contains the S3SubPrefix field. The grant scope, the data to which you are granting access, is the result of appending the Subprefix field to the scope of the registered location.

Parameters:

s3_sub_prefix (Optional[str]) – The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefix can be <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefix can be <bucket-name>/<prefix-name>*, so the full grant scope path would be s3://<bucket-name>/<prefix-name>*. If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accessgrant-accessgrantslocationconfiguration.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_s3 import mixins as s3_mixins

access_grants_location_configuration_property = s3_mixins.CfnAccessGrantPropsMixin.AccessGrantsLocationConfigurationProperty(
    s3_sub_prefix="s3SubPrefix"
)

Attributes

s3_sub_prefix

The S3SubPrefix is appended to the location scope creating the grant scope.

Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefix can be <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefix can be <bucket-name>/<prefix-name>*, so the full grant scope path would be s3://<bucket-name>/<prefix-name>*.

If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accessgrant-accessgrantslocationconfiguration.html#cfn-s3-accessgrant-accessgrantslocationconfiguration-s3subprefix

GranteeProperty

class CfnAccessGrantPropsMixin.GranteeProperty(*, grantee_identifier=None, grantee_type=None)

Bases: object

The user, group, or role to which you are granting access.

You can grant access to an IAM user or role. If you have added your corporate directory to AWS IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.

Parameters:
  • grantee_identifier (Optional[str]) – The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is a 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your AWS IAM Identity Center instance.

  • grantee_type (Optional[str]) – The type of the grantee to which access has been granted. It can be one of the following values:

      • IAM - An IAM user or role.

      • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

      • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accessgrant-grantee.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
from aws_cdk.mixins_preview.aws_s3 import mixins as s3_mixins

grantee_property = s3_mixins.CfnAccessGrantPropsMixin.GranteeProperty(
    grantee_identifier="granteeIdentifier",
    grantee_type="granteeType"
)

Attributes

grantee_identifier

The unique identifier of the Grantee.

If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is a 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your AWS IAM Identity Center instance.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accessgrant-grantee.html#cfn-s3-accessgrant-grantee-granteeidentifier

grantee_type

The type of the grantee to which access has been granted. It can be one of the following values:

  • IAM - An IAM user or role.

  • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

  • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-accessgrant-grantee.html#cfn-s3-accessgrant-grantee-granteetype
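
A pre-deployment check for the S3SubPrefix scope rules and the grantee type/identifier pairing described on this page, as an added example that is not part of the CDK library or its documentation. It computes the grant scope and reports grants that break those rules; the function names, the two regexes and the sample values are assumptions constructed for illustration.

```python
import re

DEFAULT_LOCATION = "s3://"  # default location scope named in the text above
GRANTEE_TYPES = {"IAM", "DIRECTORY_USER", "DIRECTORY_GROUP"}
# Assumption: an IAM grantee is a user or role ARN with a 12-digit account ID.
IAM_ARN = re.compile(r"^arn:[^:]+:iam::\d{12}:(user|role)/.+$")
# Assumption: directory identifiers are plain 8-4-4-4-12 hexadecimal UUIDs.
UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def grant_scope(location_scope, s3_sub_prefix=None):
    """Grant scope = registered location scope with S3SubPrefix appended."""
    return location_scope + (s3_sub_prefix or "")


def check_grant(location_scope, s3_sub_prefix, grantee_type, grantee_identifier):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    sub = s3_sub_prefix or ""
    ident = grantee_identifier or ""
    if location_scope == DEFAULT_LOCATION:
        if not sub:
            findings.append("S3SubPrefix is required for the default location s3://")
        elif sub[0] in "*/":
            findings.append("S3SubPrefix must start with a bucket name")
    if sub and not sub.endswith("*"):
        findings.append("no trailing *: keys that start with this prefix are not covered")
    if grantee_type not in GRANTEE_TYPES:
        findings.append(f"unknown grantee_type {grantee_type!r}")
    elif grantee_type == "IAM" and not IAM_ARN.match(ident):
        findings.append("IAM grantee needs an IAM user or role ARN")
    elif grantee_type != "IAM" and not UUID.match(ident):
        findings.append("directory grantee needs an Identity Center UUID")
    return findings


# Constructed sample grants (account ID, bucket names and UUID are made up).
SAMPLES = [
    ("s3://", "example-bucket/reports/*", "IAM",
     "arn:aws:iam::111122223333:role/analyst"),
    ("s3://", None, "DIRECTORY_USER", "arn:aws:iam::111122223333:user/bob"),
    ("s3://example-bucket/", "logs/2024", "DIRECTORY_GROUP",
     "0a1b2c3d-1111-2222-3333-444455556666"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(grant_scope(sample[0], sample[1]), check_grant(*sample))
```

Running such a check in CI before synthesis catches grants whose scope is wider or narrower than intended and identifiers that do not match the declared grantee type.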