

# Access S3 data using the credentials provided by S3 Access Grants
<a name="access-grants-get-data"></a>

A grantee who has [obtained temporary credentials](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-credentials.html) through an access grant can use those temporary credentials to call Amazon S3 API operations and access the data.

Grantees can access S3 data by using the AWS Command Line Interface (AWS CLI), the AWS SDKs, or the Amazon S3 REST API. They can also call S3 Access Grants directly by using the AWS [Python](https://github.com/aws/boto3-s3-access-grants-plugin) and [Java](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2) plugins.

## Using the AWS CLI
<a name="access-grants-get-data-cli"></a>

After receiving temporary credentials from S3 Access Grants, a grantee can configure a profile with those credentials and then use that profile to retrieve the data.

To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

To use the following example commands, replace the `{{user input placeholders}}` with your own information.

**Example – Configure a profile**  

```
aws configure set aws_access_key_id "{{$accessKey}}" --profile {{access-grants-consumer-access-profile}}
aws configure set aws_secret_access_key "{{$secretKey}}" --profile {{access-grants-consumer-access-profile}}
aws configure set aws_session_token "{{$sessionToken}}" --profile {{access-grants-consumer-access-profile}}
```


**Example – Get S3 data**  
Grantees can access the data by using the [get-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object.html) AWS CLI command. Grantees can also use [put-object](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html), [ls](https://docs.aws.amazon.com/cli/latest/reference/s3/ls.html), and other S3 AWS CLI commands.  

```
aws s3api get-object \
--bucket {{amzn-s3-demo-bucket1}} \
--key {{myprefix}} \
--region {{us-east-2}} \
--profile {{access-grants-consumer-access-profile}} \
{{outfile}}
```
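The two steps above (store the three temporary values in a named profile, then call S3 with `--profile`) can be scripted. The following is an added example, not code from the AWS documentation: it parses the JSON that the CLI prints for a GetDataAccess call (a constructed sample is embedded), refuses credentials whose `Expiration` has passed, writes them to a shared credentials file as a named profile with the same keys that `aws configure set` writes, and checks that the `MatchedGrantTarget` returned with the credentials actually covers the object you intend to read, so a request outside the grant scope is caught before S3 returns an access-denied error. The profile name and bucket/prefix values are the placeholders from the commands above.

```python
# Added example, not from the AWS documentation: turn the JSON printed for an
# S3 Access Grants GetDataAccess call into the named profile the --profile
# commands above expect, after checking that the credentials are unexpired and
# that the matched grant target actually covers the object you intend to read.
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample response; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "EXAMPLESECRET",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "MatchedGrantTarget": "s3://amzn-s3-demo-bucket1/myprefix/*",
})

def grant_covers(matched_target, bucket, key):
    """True when s3://bucket/key lies inside the matched grant target;
    a trailing '*' marks a prefix grant, otherwise it is an exact match."""
    uri = f"s3://{bucket}/{key}"
    if matched_target.endswith("*"):
        return uri.startswith(matched_target[:-1])
    return uri == matched_target

def write_profile(response_json, profile, credentials_file=None):
    """Store the temporary credentials as [profile] using the same keys the
    `aws configure set` commands above write; refuse expired credentials.
    Defaults to a throwaway file so the demo never touches ~/.aws."""
    creds = json.loads(response_json)["Credentials"]
    if datetime.fromisoformat(creds["Expiration"]) <= datetime.now(timezone.utc):
        raise ValueError("credentials expired; call GetDataAccess again")
    path = Path(credentials_file or Path(tempfile.mkdtemp()) / "credentials")
    cfg = configparser.ConfigParser()
    cfg.read(path)  # keep any other profiles intact
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # mandatory for temp creds
    }
    with path.open("w") as fh:
        cfg.write(fh)
    path.chmod(0o600)  # secrets: owner read/write only
    return path
```

`write_profile` returns the path it wrote; point `AWS_SHARED_CREDENTIALS_FILE` at it (or pass `~/.aws/credentials`) and the `--profile` commands above will pick the credentials up.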

## Using the AWS SDKs
<a name="access-grants-get-data-using-sdk"></a>

This section shows examples of how a grantee can access S3 data by using the AWS SDKs.

------
#### [ Java ]

The following Java code example gets an object from an S3 bucket. For instructions on creating and testing a working sample, see [Getting Started](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/getting-started.html) in the *AWS SDK for Java Developer Guide*.

```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ResponseHeaderOverrides;
import com.amazonaws.services.s3.model.S3Object;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

public class GetObject2 {

    public static void main(String[] args) throws IOException {
        Regions clientRegion = Regions.DEFAULT_REGION;
        String bucketName = "*** Bucket name ***";
        String key = "*** Object key ***";

        S3Object fullObject = null, objectPortion = null, headerOverrideObject = null;
        try {
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withRegion(clientRegion)
                    // Use the profile that holds the S3 Access Grants temporary
                    // credentials (access key, secret key, and session token).
                    .withCredentials(new ProfileCredentialsProvider("*** Profile name ***"))
                    .build();

            // Get an object and print its contents.
            System.out.println("Downloading an object");
            fullObject = s3Client.getObject(new GetObjectRequest(bucketName, key));
            System.out.println("Content-Type: " + fullObject.getObjectMetadata().getContentType());
            System.out.println("Content: ");
            displayTextInputStream(fullObject.getObjectContent());

            // Get a range of bytes from an object and print the bytes.
            GetObjectRequest rangeObjectRequest = new GetObjectRequest(bucketName, key)
                    .withRange(0, 9);
            objectPortion = s3Client.getObject(rangeObjectRequest);
            System.out.println("Printing bytes retrieved.");
            displayTextInputStream(objectPortion.getObjectContent());

            // Get an entire object, overriding the specified response headers, and print
            // the object's content.
            ResponseHeaderOverrides headerOverrides = new ResponseHeaderOverrides()
                    .withCacheControl("No-cache")
                    .withContentDisposition("attachment; filename=example.txt");
            GetObjectRequest getObjectRequestHeaderOverride = new GetObjectRequest(bucketName, key)
                    .withResponseHeaders(headerOverrides);
            headerOverrideObject = s3Client.getObject(getObjectRequestHeaderOverride);
            displayTextInputStream(headerOverrideObject.getObjectContent());
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        } finally {
            // To ensure that the network connection doesn't remain open, close any open
            // input streams.
            if (fullObject != null) {
                fullObject.close();
            }
            if (objectPortion != null) {
                objectPortion.close();
            }
            if (headerOverrideObject != null) {
                headerOverrideObject.close();
            }
        }
    }

    private static void displayTextInputStream(InputStream input) throws IOException {
        // Read the text input stream one line at a time and display each line.
        BufferedReader reader = new BufferedReader(new InputStreamReader(input));
        String line = null;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        System.out.println();
    }
}
```

------

## S3 operations supported by S3 Access Grants
<a name="access-grants-s3-actions"></a>

Grantees can use the temporary credentials provided by S3 Access Grants to perform S3 operations on the S3 data they have been granted access to. The following is the list of S3 operations that a grantee is allowed to perform. Which operations are allowed depends on the permission level (`READ`, `WRITE`, or `READWRITE`) given in the access grant.

**Note**  
In addition to the Amazon S3 permissions listed below, Amazon S3 can itself invoke the AWS Key Management Service (AWS KMS) [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) (`kms:decrypt`) permission for `READ` grants or the AWS KMS [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) (`kms:generateDataKey`) permission for `WRITE` grants. These permissions do not give the grantee direct access to the AWS KMS key.


| S3 IAM action | API operation and documentation | S3 Access Grants permission | S3 resource | 
| --- | --- | --- | --- | 
| s3:GetObject | [GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) | READ | Object | 
| s3:GetObjectVersion | [GetObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) | READ | Object | 
| s3:GetObjectAcl | [GetObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html) | READ | Object | 
| s3:GetObjectVersionAcl | [GetObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html) | READ | Object | 
| s3:ListMultipartUploads | [ListParts](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html) | READ | Object | 
| s3:PutObject | [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html), [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html), [UploadPart](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html), [UploadPartCopy](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html), [CompleteMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html) | WRITE | Object | 
| s3:PutObjectAcl | [PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html) | WRITE | Object | 
| s3:PutObjectVersionAcl | [PutObjectAcl](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObjectAcl.html) | WRITE | Object | 
| s3:DeleteObject | [DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) | WRITE | Object | 
| s3:DeleteObjectVersion | [DeleteObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) | WRITE | Object | 
| s3:AbortMultipartUpload | [AbortMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html) | WRITE | Object | 
| s3:ListBucket | [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html), [ListObjectsV2](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html), [ListObjects](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html) | READ | Bucket | 
| s3:ListBucketVersions | [ListObjectVersions](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectVersions.html) | READ | Bucket | 
| s3:ListBucketMultipartUploads | [ListMultipartUploads](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html) | READ | Bucket | 