Accessing S3 data using credentials vended by S3 Access Grants - Amazon Simple Storage Service
Supported S3 actions in S3 Access Grants
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Accessing S3 data using credentials vended by S3 Access Grants

After a grantee obtains temporary credentials through their access grant, they can use these temporary credentials to call Amazon S3 API operations to access your data.

Grantees can access S3 data by using the Amazon Command Line Interface (Amazon CLI), the Amazon SDKs, and the Amazon S3 REST API. Additionally, you can use the Amazon Python and Java plugins to call S3 Access Grants

After the grantee obtains their temporary credentials from S3 Access Grants, they can set up a profile with these credentials to retrieve the data.

To install the Amazon CLI, see Installing the Amazon CLI in the Amazon Command Line Interface User Guide.

To use the following example commands, replace the user input placeholders with your own information.

Example – Set up a profile
aws configure set aws_access_key_id "$accessKey" --profile access-grants-consumer-access-profile
aws configure set aws_secret_access_key "$secretKey" --profile access-grants-consumer-access-profile
aws configure set aws_session_token "$sessionToken" --profile access-grants-consumer-access-profile

To use the following example command, replace the user input placeholders with your own information.

Example – Get the S3 data

The grantee can use the get-object Amazon CLI command to access the data. The grantee can also use put-object, ls, and other S3 Amazon CLI commands. 

aws s3api get-object \
--bucket amzn-s3-demo-bucket1 \
--key myprefix \
--region us-east-2 \
--profile access-grants-consumer-access-profile

This section provides examples of how grantees can access your S3 data by using the Amazon SDKs.

Java

For examples of how to get S3 data by using temporary credentials, see how to get an object by using the Amazon SDKs and Amazon S3 code examples for the Amazon SDK for Java 2.x.

Supported S3 actions in S3 Access Grants

A grantee can use the temporary credential vended by S3 Access Grants to perform S3 actions on the S3 data they have access to. The following is a list of allowable S3 actions that a grantee can perform. Which actions are allowable depends on the level of permission granted in the access grant, either READ, WRITE, or READWRITE.

Note

In addition to the Amazon S3 permissions listed below, Amazon S3 can call the Amazon Key Management Service (Amazon KMS) Decrypt (kms:decrypt) READ permission or the Amazon KMS GenerateDataKey (kms:generateDataKey) WRITE permission. These permissions don't allow direct access to the Amazon KMS key.

S3 IAM action API action & doc S3 Access Grants Permission S3 resource
s3:GetObject GetObject READ Object
s3:GetObjectVersion GetObject READ Object
s3:GetObjectAcl GetObjectAcl READ Object
s3:GetObjectVersionAcl GetObjectAcl READ Object
s3:ListMultipartUploads ListParts READ Object
s3:PutObject PutObject, CreateMultipartUpload, UploadPart, UploadPartCopy, CompleteMultipartUpload WRITE Object
s3:PutObjectAcl PutObjectAcl WRITE Object
s3:PutObjectVersionAcl PutObjectAcl WRITE Object
s3:DeleteObject DeleteObject WRITE Object
s3:DeleteObjectVersion DeleteObject WRITE Object
s3:AbortMultipartUpload AbortMultipartUpload WRITE Object
s3:ListBucket HeadBucket, ListObjectsV2, ListObjects READ Bucket
s3:ListBucketVersions ListObjectVersions READ Bucket
s3:ListBucketMultipartUploads ListMultipartUploads READ Bucket