Create an S3 Access Grants instance
To get started with using Amazon S3 Access Grants, you first create an S3 Access Grants instance. You can create only one S3 Access Grants instance per Amazon Web Services Region per account. The S3 Access Grants instance serves as the container for your S3 Access Grants resources, which include registered locations and grants.
With S3 Access Grants, you can create permission grants to your S3 data for Amazon Identity and Access Management (IAM) users and roles. If you've added your corporate identity directory to Amazon IAM Identity Center, you can associate this IAM Identity Center instance of your corporate directory with your S3 Access Grants instance. After you've done so, you can create access grants for your corporate users and groups. If you haven't yet added your corporate directory to IAM Identity Center, you can associate your S3 Access Grants instance with an IAM Identity Center instance later.
You can create an S3 Access Grants instance by using the Amazon S3 console, the Amazon Command Line Interface (Amazon CLI), the Amazon S3 REST API, or the Amazon SDKs.
Before you can grant access to your S3 data with S3 Access Grants, you must first create an S3 Access Grants instance in the same Amazon Web Services Region as your S3 data.
Prerequisites
If you want to grant access to your S3 data by using identities from your corporate directory, add your corporate identity directory to Amazon IAM Identity Center. If you're not yet ready to do so, you can associate your S3 Access Grants instance with an IAM Identity Center instance later.
To create an S3 Access Grants instance
- Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.
- In the navigation bar, choose the name of the currently displayed Amazon Web Services Region. Next, choose the Region that you want to switch to.
- In the left navigation pane, choose Access Grants.
- On the S3 Access Grants page, choose Create S3 Access Grants instance.
- In Step 1 of the Set up Access Grants instance wizard, verify that you want to create the instance in the current Amazon Web Services Region. Make sure that this is the same Amazon Web Services Region where your S3 data is located. You can create one S3 Access Grants instance per Amazon Web Services Region per account.
- (Optional) If you've added your corporate identity directory to Amazon IAM Identity Center, you can associate this IAM Identity Center instance of your corporate directory with your S3 Access Grants instance. To do so, select Add IAM Identity Center instance in Region (where Region is the current Region). Then enter the IAM Identity Center instance Amazon Resource Name (ARN). If you haven't yet added your corporate directory to IAM Identity Center, you can associate your S3 Access Grants instance with an IAM Identity Center instance later.
- To create the S3 Access Grants instance, choose Next. To register a location, see Step 2 - register a location.
Cannot create instance
If Next or Create S3 Access Grants instance is disabled:
- You might already have an S3 Access Grants instance in the same Amazon Web Services Region. In the left navigation pane, choose Access Grants. On the S3 Access Grants page, scroll down to the S3 Access Grants instance in your account section to determine whether an instance already exists.
- You might not have the s3:CreateAccessGrantsInstance permission, which is required to create an S3 Access Grants instance. Contact your account administrator. For the additional permissions that are required if you are associating an IAM Identity Center instance with your S3 Access Grants instance, see CreateAccessGrantsInstance.
To install the Amazon CLI, see Installing the Amazon CLI in the Amazon Command Line Interface User Guide.
To use the following example command, replace the user input placeholders with your own information.
Example: Create an S3 Access Grants instance
aws s3control create-access-grants-instance \
    --account-id 111122223333 \
    --region us-east-2
Response:
{
    "CreatedAt": "2023-05-31T17:54:07.893000+00:00",
    "AccessGrantsInstanceId": "default",
    "AccessGrantsInstanceArn": "arn:aws-cn:s3:us-east-2:111122223333:access-grants/default"
}
You can use the Amazon S3 REST API to create an S3 Access Grants instance. For information on the REST API support for managing an S3 Access Grants instance, see the following sections in the Amazon Simple Storage Service API Reference:
This section provides an example of how to create an S3 Access Grants instance by using the Amazon SDKs.
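As an added example for the SDK section (not code from the original page), the following Python script uses the boto3 s3control client to make the same CreateAccessGrantsInstance call as the CLI example above, first checking with ListAccessGrantsInstances whether this Region already has an instance, and then confirming that the returned ARN belongs to the Region and account that hold your data. It assumes boto3 is installed and that the caller holds the s3:CreateAccessGrantsInstance permission; the helper names build_create_request, parse_instance_arn and ensure_instance are mine, not part of the SDK.

```python
"""Create, or reuse, the one S3 Access Grants instance per account and Region (added example)."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM Identity Center instance ARN, e.g. arn:aws-cn:sso:::instance/ssoins-<id>
IDC_ARN_RE = re.compile(r"^arn:[a-z-]+:sso:::instance/[\w-]+$")
# Access Grants instance ARN: arn:<partition>:s3:<region>:<account>:access-grants/<id>
AG_ARN_RE = re.compile(r"^arn:([a-z-]+):s3:([a-z0-9-]+):(\d{12}):access-grants/(\S+)$")

def build_create_request(account_id, identity_center_arn=None):
    """Validate the inputs and build the CreateAccessGrantsInstance parameters."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    params = {"AccountId": account_id}
    if identity_center_arn is not None:
        if not IDC_ARN_RE.match(identity_center_arn):
            raise ValueError(f"not an IAM Identity Center instance ARN: {identity_center_arn!r}")
        params["IdentityCenterArn"] = identity_center_arn
    return params

def parse_instance_arn(arn, expected_region, expected_account):
    """Parse the instance ARN and confirm it is in the Region and account that hold the data."""
    match = AG_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an S3 Access Grants instance ARN: {arn!r}")
    partition, region, account, instance_id = match.groups()
    if region != expected_region or account != expected_account:
        raise ValueError(f"{arn} is not in {expected_region} / account {expected_account}")
    return {"partition": partition, "region": region,
            "account": account, "instance_id": instance_id}

def ensure_instance(s3control, account_id, region, identity_center_arn=None):
    """Return (arn, created). `s3control` is a boto3 s3control client for `region`;
    only one instance can exist per account and Region, so the list holds 0 or 1 entries."""
    listed = s3control.list_access_grants_instances(AccountId=account_id)
    entries = listed.get("AccessGrantsInstancesList", [])
    if entries:
        arn, created = entries[0]["AccessGrantsInstanceArn"], False
    else:
        response = s3control.create_access_grants_instance(
            **build_create_request(account_id, identity_center_arn))
        arn, created = response["AccessGrantsInstanceArn"], True
    parse_instance_arn(arn, region, account_id)  # reject an ARN from another Region/account
    return arn, created

if __name__ == "__main__":
    import boto3  # live call: needs credentials holding s3:CreateAccessGrantsInstance
    client = boto3.client("s3control", region_name="us-east-2")
    print(ensure_instance(client, "111122223333", "us-east-2"))
```

Pass an IAM Identity Center instance ARN as the fourth argument to ensure_instance to associate it at creation time, as the console's optional step does.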