

# Create an S3 Access Grants instance
<a name="access-grants-instance-create"></a>

To get started with Amazon S3 Access Grants, you first create an S3 Access Grants instance. You can create only one S3 Access Grants instance per Amazon Web Services Region per account. The S3 Access Grants instance serves as the container for your S3 Access Grants resources, which include registered locations and grants. 

With S3 Access Grants, you can create permission grants to your S3 data for Amazon Identity and Access Management (IAM) users and roles. If you've [added your corporate identity directory](https://docs.amazonaws.cn/singlesignon/latest/userguide/manage-your-identity-source-idp.html) to Amazon IAM Identity Center, you can associate this IAM Identity Center instance of your corporate directory with your S3 Access Grants instance. After you've done so, you can create access grants for your corporate users and groups. If you haven't yet added your corporate directory to IAM Identity Center, you can associate your S3 Access Grants instance with an IAM Identity Center instance later. 

You can create an S3 Access Grants instance by using the Amazon S3 console, the Amazon Command Line Interface (Amazon CLI), the Amazon S3 REST API, and Amazon SDKs.

## Using the S3 console
<a name="access-grants-instance-create-console"></a>

Before you can grant access to your S3 data with S3 Access Grants, you must first create an S3 Access Grants instance in the same Amazon Web Services Region as your S3 data. 

**Prerequisites**  
If you want to grant access to your S3 data by using identities from your corporate directory, [add your corporate identity directory](https://docs.amazonaws.cn/singlesignon/latest/userguide/manage-your-identity-source-idp.html) to Amazon IAM Identity Center. If you're not yet ready to do so, you can associate your S3 Access Grants instance with an IAM Identity Center instance later.

**To create an S3 Access Grants instance**

1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at [https://console.amazonaws.cn/s3/](https://console.amazonaws.cn/s3/).

1. In the navigation bar, choose the name of the currently displayed Amazon Web Services Region. Next, choose the Region that you want to switch to. 

1. In the left navigation pane, choose **Access Grants**.

1. On the **S3 Access Grants** page, choose **Create S3 Access Grants instance**. 

   1. In **Step 1** of the **Set up Access Grants instance** wizard, verify that you want to create the instance in the current Amazon Web Services Region. Make sure that this is the same Amazon Web Services Region where your S3 data is located. You can create one S3 Access Grants instance per Amazon Web Services Region per account. 

   1. (Optional) If you've [added your corporate identity directory](https://docs.amazonaws.cn/singlesignon/latest/userguide/manage-your-identity-source-idp.html) to Amazon IAM Identity Center, you can associate this IAM Identity Center instance of your corporate directory with your S3 Access Grants instance.

      To do so, select **Add IAM Identity Center instance in *region***. Then enter the IAM Identity Center instance Amazon Resource Name (ARN). 

      If you haven't yet added your corporate directory to IAM Identity Center, you can associate your S3 Access Grants instance with an IAM Identity Center instance later. 

   1. To create the S3 Access Grants instance, choose **Next**. To register a location, see [Step 2 - register a location](https://docs.amazonaws.cn/AmazonS3/latest/userguide/access-grants-instance.html).

1. If **Next** or **Create S3 Access Grants instance** is disabled:

   **Cannot create instance**
   + You might already have an S3 Access Grants instance in the same Amazon Web Services Region. In the left navigation pane, choose **Access Grants**. On the **S3 Access Grants** page, scroll down to the **S3 Access Grants instance in your account** section to determine if an instance already exists.
   + You might not have the `s3:CreateAccessGrantsInstance` permission, which is required to create an S3 Access Grants instance. Contact your account administrator. For additional permissions that are required if you are associating an IAM Identity Center instance with your S3 Access Grants instance, see [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_CreateAccessGrantsInstance.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_CreateAccessGrantsInstance.html).

## Using the Amazon CLI
<a name="access-grants-instance-create-cli"></a>

To install the Amazon CLI, see [Installing the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/getting-started-install.html) in the *Amazon Command Line Interface User Guide*. 

To use the following example command, replace the `user input placeholders` with your own information.

**Example Create an S3 Access Grants instance**  

```
aws s3control create-access-grants-instance \
--account-id 111122223333 \
--region us-east-2
```
Response:  

```
{
    "CreatedAt": "2023-05-31T17:54:07.893000+00:00",
    "AccessGrantsInstanceId": "default",
    "AccessGrantsInstanceArn": "arn:aws-cn:s3:us-east-2:111122223333:access-grants/default"
}
```
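
The following script is an added example, not part of the original documentation. It applies the two checks described above before calling `create-access-grants-instance`: that the target Region matches the Region of the S3 data, and that no instance already exists in that Region. The function names and the bucket argument are assumptions made for illustration.

```bash
# Added example: create the S3 Access Grants instance only when it is safe to.
# Function names are hypothetical; account ID, Region and bucket are supplied
# by the caller as placeholders for your own values.

# Print the Region a bucket lives in. get-bucket-location reports a null
# LocationConstraint (text output "None") for buckets in us-east-1.
bucket_region() {
  local loc
  loc=$(aws s3api get-bucket-location --bucket "$1" \
        --query 'LocationConstraint' --output text) || return 1
  if [ "$loc" = "None" ]; then echo "us-east-1"; else echo "$loc"; fi
}

# Print the ARN of the instance in the Region, or nothing if none exists.
existing_instance_arn() {
  local arn
  arn=$(aws s3control list-access-grants-instances \
        --account-id "$1" --region "$2" \
        --query 'AccessGrantsInstancesList[0].AccessGrantsInstanceArn' \
        --output text) || return 1
  [ "$arn" = "None" ] || echo "$arn"
}

# Refuse a Region that does not hold the bucket (exit status 2), reuse an
# existing instance, otherwise create one. Prints the instance ARN.
ensure_access_grants_instance() {
  local account="$1" region="$2" bucket="$3" actual arn
  actual=$(bucket_region "$bucket") || return 1
  if [ "$actual" != "$region" ]; then
    echo "bucket $bucket is in $actual, not $region" >&2
    return 2
  fi
  arn=$(existing_instance_arn "$account" "$region") || return 1
  if [ -z "$arn" ]; then
    arn=$(aws s3control create-access-grants-instance \
          --account-id "$account" --region "$region" \
          --query 'AccessGrantsInstanceArn' --output text) || return 1
  fi
  echo "$arn"
}

# Run only when called as: script ACCOUNT_ID REGION BUCKET
if [ "$#" -eq 3 ]; then ensure_access_grants_instance "$@"; fi
```
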

## Using the REST API
<a name="access-grants-instance-create-rest-api"></a>

You can use the Amazon S3 REST API to create an S3 Access Grants instance. For information on the REST API support for managing an S3 Access Grants instance, see the following sections in the *Amazon Simple Storage Service API Reference*:
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_AssociateAccessGrantsIdentityCenter.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_AssociateAccessGrantsIdentityCenter.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_CreateAccessGrantsInstance.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_CreateAccessGrantsInstance.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_DeleteAccessGrantsInstance.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_DeleteAccessGrantsInstance.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_DissociateAccessGrantsIdentityCenter.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_DissociateAccessGrantsIdentityCenter.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_GetAccessGrantsInstance.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_GetAccessGrantsInstance.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceForPrefix.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceForPrefix.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceResourcePolicy.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_GetAccessGrantsInstanceResourcePolicy.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_ListAccessGrantsInstances.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_ListAccessGrantsInstances.html) 
+  [https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_PutAccessGrantsInstanceResourcePolicy.html](https://docs.amazonaws.cn/AmazonS3/latest/API/API_control_PutAccessGrantsInstanceResourcePolicy.html)

## Using the Amazon SDKs
<a name="access-grants-instance-create-using-sdk"></a>

This section provides an example of how to create an S3 Access Grants instance by using the Amazon SDKs.

------
#### [ Java ]

This example creates the S3 Access Grants instance, which serves as a container for your individual access grants. You can have one S3 Access Grants instance per Amazon Web Services Region in your account. The response includes the instance ID `default` and an Amazon Resource Name (ARN) that's generated for your S3 Access Grants instance.

**Example Create an S3 Access Grants instance request**  

```
public void createAccessGrantsInstance() {
    // Build the request for the account that will own the instance.
    CreateAccessGrantsInstanceRequest createRequest = CreateAccessGrantsInstanceRequest.builder().accountId("111122223333").build();
    // s3Control is an S3ControlClient configured for the Region that holds your S3 data.
    CreateAccessGrantsInstanceResponse createResponse = s3Control.createAccessGrantsInstance(createRequest);
    LOGGER.info("CreateAccessGrantsInstanceResponse: " + createResponse);
}
```
Response:  

```
CreateAccessGrantsInstanceResponse(
CreatedAt=2023-06-07T01:46:20.507Z,
AccessGrantsInstanceId=default,
AccessGrantsInstanceArn=arn:aws-cn:s3:us-east-2:111122223333:access-grants/default)
```

------