Setting Object Lock retention using Batch Operations
The following example allows the rule to set S3 Object Lock retention for your objects in the manifest bucket.
You update the role to include s3:PutObjectRetention permissions so that
you can run Object Lock retention on the objects in your bucket.
export AWS_PROFILE='aws-user' read -d ''retention_permissions<<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObjectRetention" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] } ] } EOF aws iam put-role-policy --role-namebops-objectlock--policy-nameretention-permissions--policy-document "${retention_permissions}"
public void allowPutObjectRetention() { final String roleName = "bops-object-lock"; final String retentionPermissions = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:PutObjectRetention\"" + " ]," + " \"Resource\": [" + " \"arn:aws:s3:::ManifestBucket*\"" + " ]" + " }" + " ]" + "}"; final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest() .withPolicyDocument(retentionPermissions) .withPolicyName("retention-permissions") .withRoleName(roleName); final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest); }