

# Accessing S3 data with credentials provided by S3 Access Grants
<a name="access-grants-get-data"></a>

After a grantee [obtains temporary credentials](https://docs.amazonaws.cn/AmazonS3/latest/userguide/access-grants-credentials.html) through their access grant, they can use those credentials to call Amazon S3 API operations on your data.

Grantees can access S3 data with the Amazon Command Line Interface (Amazon CLI), the Amazon SDKs, and the Amazon S3 REST API. The Amazon [Python](https://github.com/aws/boto3-s3-access-grants-plugin) and [Java](https://github.com/aws/aws-s3-accessgrants-plugin-java-v2) plugins can also be used to call S3 Access Grants from the SDKs; they request the temporary credentials for each S3 call so that the application does not have to handle them itself.

## Using the Amazon CLI
<a name="access-grants-get-data-cli"></a>

After a grantee has obtained temporary credentials from S3 Access Grants, they can store those credentials in a named profile and use that profile to retrieve data.

To install the Amazon CLI, see [Installing the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/getting-started-install.html) in the *Amazon Command Line Interface User Guide*.

To use the following example commands, replace the `user input placeholders` with your own information.

**Example – Set up a profile**  

```
# $accessKey, $secretKey and $sessionToken hold the AccessKeyId, SecretAccessKey and
# SessionToken returned by GetDataAccess. All three are required: the session token is
# what ties the key pair to the temporary, grant-scoped session.
aws configure set aws_access_key_id "$accessKey" --profile access-grants-consumer-access-profile
aws configure set aws_secret_access_key "$secretKey" --profile access-grants-consumer-access-profile
aws configure set aws_session_token "$sessionToken" --profile access-grants-consumer-access-profile
```


**Example – Get S3 data**  
Grantees can use the [get-object](https://docs.amazonaws.cn/cli/latest/reference/s3api/get-object.html) Amazon CLI command to access data, as well as [put-object](https://docs.amazonaws.cn/cli/latest/reference/s3api/put-object.html), [s3 ls](https://docs.amazonaws.cn/cli/latest/reference/s3/ls.html), and the other S3 Amazon CLI commands. The `--key` must name an object inside the scope of the grant that issued the credentials; requests outside that scope are denied.  

```
aws s3api get-object \
--bucket amzn-s3-demo-bucket1 \
--key myprefix \
--region us-east-2 \
--profile access-grants-consumer-access-profile \
output-file
```
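The profile commands above start from `$accessKey`, `$secretKey` and `$sessionToken` without showing where they come from or what they are allowed to touch. The following script, an added example that is not part of the original page, fills in that flow: it requests credentials with `aws s3control get-data-access`, writes them into a separate credentials file as a named profile, and checks a requested object URI against the `MatchedGrantTarget` returned with the credentials before making the call. The account ID, bucket, prefix and the JSON response are constructed placeholders; `--privilege Minimal`, `--duration-seconds`, `MatchedGrantTarget` and `AWS_SHARED_CREDENTIALS_FILE` are real CLI options, response fields and environment variables.

```shell
#!/bin/sh
# Added example: from a GetDataAccess response to a scoped CLI profile, with a
# check that a request stays inside the grant scope. Account ID, bucket, prefix and
# the JSON below are constructed placeholders, not a real response.
set -eu
umask 077   # any credentials file this script creates is owner-readable only

# Constructed sample of the JSON that `aws s3control get-data-access` prints.
SAMPLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
        "Expiration": "2024-01-01T01:00:00+00:00"
    },
    "MatchedGrantTarget": "s3://amzn-s3-demo-bucket1/myprefix/*"
}'

# Live call (needs network, s3:GetDataAccess on the caller, and a matching grant).
# --privilege Minimal scopes the credentials to the requested target rather than
# to the whole grant; 900 seconds is the shortest lifetime the API accepts.
fetch_credentials() { # $1=account id, $2=s3:// target, $3=READ|WRITE|READWRITE
    aws s3control get-data-access \
        --account-id "$1" \
        --target "$2" \
        --permission "$3" \
        --privilege Minimal \
        --duration-seconds 900 \
        --region us-east-2
}

# Extract one string field from the response (the CLI prints one field per line).
json_field() { # $1=field name, $2=json text
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Write the vended credentials as a named profile into a separate credentials file,
# so the short-lived token never lands in ~/.aws/credentials next to long-lived keys.
write_profile() { # $1=json text, $2=profile name, $3=credentials file path
    {
        printf '[%s]\n' "$2"
        printf 'aws_access_key_id = %s\n' "$(json_field AccessKeyId "$1")"
        printf 'aws_secret_access_key = %s\n' "$(json_field SecretAccessKey "$1")"
        printf 'aws_session_token = %s\n' "$(json_field SessionToken "$1")"
    } > "$3"
}

# Return 0 when the requested s3:// URI lies inside MatchedGrantTarget. The target
# is a prefix pattern such as s3://bucket/prefix/*, so a shell case pattern matches
# it; a request outside it is rejected by S3 with AccessDenied.
within_grant() { # $1=MatchedGrantTarget, $2=requested s3:// URI
    case $2 in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo on the constructed response; replace SAMPLE_RESPONSE with the output of
# fetch_credentials to run it against a real grant.
PROFILE=access-grants-consumer-access-profile
CRED_FILE=$(mktemp)
write_profile "$SAMPLE_RESPONSE" "$PROFILE" "$CRED_FILE"
TARGET=$(json_field MatchedGrantTarget "$SAMPLE_RESPONSE")
OBJECT_URI="s3://amzn-s3-demo-bucket1/myprefix/report.csv"

if within_grant "$TARGET" "$OBJECT_URI"; then
    echo "$OBJECT_URI is within $TARGET; download with:"
    echo "AWS_SHARED_CREDENTIALS_FILE=$CRED_FILE aws s3api get-object \\"
    echo "    --bucket amzn-s3-demo-bucket1 --key myprefix/report.csv \\"
    echo "    --region us-east-2 --profile $PROFILE report.csv"
else
    echo "$OBJECT_URI is outside $TARGET; request credentials for it first" >&2
fi
rm -f "$CRED_FILE"
```

Pointing `AWS_SHARED_CREDENTIALS_FILE` at the generated file keeps the grant-scoped token out of the default credentials store, and the `within_grant` check saves a round trip for requests that the vended credentials cannot satisfy anyway.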

## Using the Amazon SDKs
<a name="access-grants-get-data-using-sdk"></a>

The examples in this section show how a grantee can use the Amazon SDKs to access S3 data.

------
#### [ Java ]

The following Java code example gets an object from an S3 bucket. For instructions on creating and testing a working sample, see [Getting Started](https://docs.amazonaws.cn/sdk-for-java/v1/developer-guide/getting-started.html) in the *Amazon SDK for Java Developer Guide*.

```
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ResponseHeaderOverrides;
import com.amazonaws.services.s3.model.S3Object;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

public class GetObject2 {

    public static void main(String[] args) throws IOException {
        // Region of the bucket covered by the grant.
        Regions clientRegion = Regions.DEFAULT_REGION;
        String bucketName = "*** Bucket name ***";
        String key = "*** Object key ***";

        S3Object fullObject = null, objectPortion = null, headerOverrideObject = null;
        try {
            // Read the temporary credentials from the profile populated with the
            // `aws configure set` commands above, not from the default profile.
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withRegion(clientRegion)
                    .withCredentials(new ProfileCredentialsProvider("access-grants-consumer-access-profile"))
                    .build();

            // Get an object and print its contents.
            System.out.println("Downloading an object");
            fullObject = s3Client.getObject(new GetObjectRequest(bucketName, key));
            System.out.println("Content-Type: " + fullObject.getObjectMetadata().getContentType());
            System.out.println("Content: ");
            displayTextInputStream(fullObject.getObjectContent());

            // Get a range of bytes from an object and print the bytes.
            GetObjectRequest rangeObjectRequest = new GetObjectRequest(bucketName, key)
                    .withRange(0, 9);
            objectPortion = s3Client.getObject(rangeObjectRequest);
            System.out.println("Printing bytes retrieved.");
            displayTextInputStream(objectPortion.getObjectContent());

            // Get an entire object, overriding the specified response headers, and print
            // the object's content.
            ResponseHeaderOverrides headerOverrides = new ResponseHeaderOverrides()
                    .withCacheControl("No-cache")
                    .withContentDisposition("attachment; filename=example.txt");
            GetObjectRequest getObjectRequestHeaderOverride = new GetObjectRequest(bucketName, key)
                    .withResponseHeaders(headerOverrides);
            headerOverrideObject = s3Client.getObject(getObjectRequestHeaderOverride);
            displayTextInputStream(headerOverrideObject.getObjectContent());
        } catch (AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        } catch (SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        } finally {
            // To ensure that the network connection doesn't remain open, close any open
            // input streams.
            if (fullObject != null) {
                fullObject.close();
            }
            if (objectPortion != null) {
                objectPortion.close();
            }
            if (headerOverrideObject != null) {
                headerOverrideObject.close();
            }
        }
    }

    private static void displayTextInputStream(InputStream input) throws IOException {
        // Read the text input stream one line at a time and display each line.
        BufferedReader reader = new BufferedReader(new InputStreamReader(input));
        String line = null;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        System.out.println();
    }
}
```

------

## Supported S3 operations in S3 Access Grants
<a name="access-grants-s3-actions"></a>

Grantees can use the temporary credentials provided by S3 Access Grants to perform S3 operations on the S3 data they have been granted access to. The following table lists the supported S3 operations. Which operations are allowed depends on the permission level granted in the access grant: `READ`, `WRITE`, or `READWRITE`.

**Note**  
In addition to the Amazon S3 permissions listed below, Amazon S3 can also call the Amazon Key Management Service (Amazon KMS) [Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) (`kms:decrypt`) action for the `READ` permission, or Amazon KMS [GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html) (`kms:generateDataKey`) for the `WRITE` permission, so that objects encrypted with SSE-KMS can be read and written. These permissions do not give the grantee direct access to the Amazon KMS key.



| S3 IAM action | API operation and documentation | S3 Access Grants permission | S3 resource | 
| --- | --- | --- | --- | 
| s3:GetObject | [GetObject](https://docs.amazonaws.cn/AmazonS3/latest/API/API_GetObject.html) | READ | Object | 
| s3:GetObjectVersion | [GetObject](https://docs.amazonaws.cn/AmazonS3/latest/API/API_GetObject.html) | READ | Object | 
| s3:GetObjectAcl | [GetObjectAcl](https://docs.amazonaws.cn/AmazonS3/latest/API/API_GetObjectAcl.html) | READ | Object | 
| s3:GetObjectVersionAcl | [GetObjectAcl](https://docs.amazonaws.cn/AmazonS3/latest/API/API_GetObjectAcl.html) | READ | Object | 
| s3:ListMultipartUploadParts | [ListParts](https://docs.amazonaws.cn/AmazonS3/latest/API/API_ListParts.html) | READ | Object | 
| s3:PutObject | [PutObject](https://docs.amazonaws.cn/AmazonS3/latest/API/API_PutObject.html), [CreateMultipartUpload](https://docs.amazonaws.cn/AmazonS3/latest/API/API_CreateMultipartUpload.html), [UploadPart](https://docs.amazonaws.cn/AmazonS3/latest/API/API_UploadPart.html), [UploadPartCopy](https://docs.amazonaws.cn/AmazonS3/latest/API/API_UploadPartCopy.html), [CompleteMultipartUpload](https://docs.amazonaws.cn/AmazonS3/latest/API/API_CompleteMultipartUpload.html) | WRITE | Object | 
| s3:PutObjectAcl | [PutObjectAcl](https://docs.amazonaws.cn/AmazonS3/latest/API/API_PutObjectAcl.html) | WRITE | Object | 
| s3:PutObjectVersionAcl | [PutObjectAcl](https://docs.amazonaws.cn/AmazonS3/latest/API/API_PutObjectAcl.html) | WRITE | Object | 
| s3:DeleteObject | [DeleteObject](https://docs.amazonaws.cn/AmazonS3/latest/API/API_DeleteObject.html) | WRITE | Object | 
| s3:DeleteObjectVersion | [DeleteObject](https://docs.amazonaws.cn/AmazonS3/latest/API/API_DeleteObject.html) | WRITE | Object | 
| s3:AbortMultipartUpload | [AbortMultipartUpload](https://docs.amazonaws.cn/AmazonS3/latest/API/API_AbortMultipartUpload.html) | WRITE | Object | 
| s3:ListBucket | [HeadBucket](https://docs.amazonaws.cn/AmazonS3/latest/API/API_HeadBucket.html), [ListObjectsV2](https://docs.amazonaws.cn/AmazonS3/latest/API/API_ListObjectsV2.html), [ListObjects](https://docs.amazonaws.cn/AmazonS3/latest/API/API_ListObjects.html) | READ | Bucket | 
| s3:ListBucketVersions | [ListObjectVersions](https://docs.amazonaws.cn/AmazonS3/latest/API/API_ListObjectVersions.html) | READ | Bucket | 
| s3:ListBucketMultipartUploads | [ListMultipartUploads](https://docs.amazonaws.cn/AmazonS3/latest/API/API_ListMultipartUploads.html) | READ | Bucket | 