Setting Object Lock retention using Batch Operations - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Setting Object Lock retention using Batch Operations

The following example allows the rule to set S3 Object Lock retention for your objects in the manifest bucket.

You update the role to include s3:PutObjectRetention permissions so that you can run Object Lock retention on the objects in your bucket.

export AWS_PROFILE='aws-user' read -d '' retention_permissions <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObjectRetention" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] } ] } EOF aws iam put-role-policy --role-name bops-objectlock --policy-name retention-permissions --policy-document "${retention_permissions}"
public void allowPutObjectRetention() { final String roleName = "bops-object-lock"; final String retentionPermissions = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:PutObjectRetention\"" + " ]," + " \"Resource\": [" + " \"arn:aws:s3:::ManifestBucket*\"" + " ]" + " }" + " ]" + "}"; final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest() .withPolicyDocument(retentionPermissions) .withPolicyName("retention-permissions") .withRoleName(roleName); final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest); }