
Add a policy to an Amazon S3 bucket using an Amazon SDK

The following code examples show how to add a policy to an S3 bucket.

C++
SDK for C++
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

```cpp
#include <iostream>
#include <aws/core/Aws.h>
#include <aws/s3/S3Client.h>
#include <aws/s3/model/PutBucketPolicyRequest.h>

// AwsDoc::S3::PutBucketPolicy must be declared in a header that is not shown on this page.
bool AwsDoc::S3::PutBucketPolicy(const Aws::String &bucketName,
                                 const Aws::String &policyBody,
                                 const Aws::Client::ClientConfiguration &clientConfig) {
    Aws::S3::S3Client s3_client(clientConfig);

    // The policy document is sent as the request body.
    std::shared_ptr<Aws::StringStream> request_body =
            Aws::MakeShared<Aws::StringStream>("");
    *request_body << policyBody;

    Aws::S3::Model::PutBucketPolicyRequest request;
    request.SetBucket(bucketName);
    request.SetBody(request_body);

    Aws::S3::Model::PutBucketPolicyOutcome outcome =
            s3_client.PutBucketPolicy(request);

    if (!outcome.IsSuccess()) {
        std::cerr << "Error: PutBucketPolicy: "
                  << outcome.GetError().GetMessage() << std::endl;
    }
    else {
        std::cout << "Set the following policy body for the bucket '"
                  << bucketName << "':" << std::endl << std::endl;
        std::cout << policyBody << std::endl;
    }

    return outcome.IsSuccess();
}

//! Build a policy JSON string.
/*!
  \sa GetPolicyString()
  \param userArn AWS user Amazon Resource Name (ARN).
      For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns.
  \param bucketName Name of a bucket.
*/
Aws::String GetPolicyString(const Aws::String &userArn,
                            const Aws::String &bucketName) {
    // userArn and bucketName are inserted into the JSON verbatim, without escaping.
    return
            "{\n"
            "   \"Version\":\"2012-10-17\",\n"
            "   \"Statement\":[\n"
            "       {\n"
            "           \"Sid\": \"1\",\n"
            "           \"Effect\": \"Allow\",\n"
            "           \"Principal\": {\n"
            "               \"AWS\": \""
            + userArn +
            "\"\n"
            "           },\n"
            "           \"Action\": [ \"s3:GetObject\" ],\n"
            "           \"Resource\": [ \"arn:aws:s3:::"
            + bucketName +
            "/*\" ]\n"
            "       }\n"
            "   ]\n"
            "}";
}
```
  • For API details, see PutBucketPolicy in Amazon SDK for C++ API Reference.

Java
SDK for Java 2.x

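```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutBucketPolicyRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;

// The two methods below are members of the example class (declaration not shown on this page).

    public static void setPolicy(S3Client s3, String bucketName, String policyText) {
        System.out.println("Setting policy:");
        System.out.println("----");
        System.out.println(policyText);
        System.out.println("----");
        System.out.format("On Amazon S3 bucket: \"%s\"\n", bucketName);

        try {
            PutBucketPolicyRequest policyReq = PutBucketPolicyRequest.builder()
                .bucket(bucketName)
                .policy(policyText)
                .build();

            s3.putBucketPolicy(policyReq);

        } catch (S3Exception e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }

        System.out.println("Done!");
    }

    // Loads a JSON-formatted policy from a file
    public static String getBucketPolicyFromFile(String policyFile) {
        StringBuilder fileText = new StringBuilder();
        try {
            List<String> lines = Files.readAllLines(Paths.get(policyFile), StandardCharsets.UTF_8);
            for (String line : lines) {
                fileText.append(line);
            }

        } catch (IOException e) {
            System.out.format("Problem reading file: \"%s\"", policyFile);
            System.out.println(e.getMessage());
        }

        try {
            // Walk every token so that malformed JSON raises an exception.
            // A parse error is only printed; the text is still returned to the caller.
            final JsonParser parser = new ObjectMapper().getFactory().createParser(fileText.toString());
            while (parser.nextToken() != null) {
            }

        } catch (IOException jpe) {
            jpe.printStackTrace();
        }
        return fileText.toString();
    }
```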
  • For API details, see PutBucketPolicy in Amazon SDK for Java 2.x API Reference.

JavaScript
SDK for JavaScript V3

Create the client.

```javascript
// Create service client module using ES6 syntax.
import { S3Client } from "@aws-sdk/client-s3";
// Set the AWS Region.
const REGION = "us-east-1";
// Create an Amazon S3 service client object.
const s3Client = new S3Client({ region: REGION });
export { s3Client };
```

Add the policy.

```javascript
// Import required AWS SDK clients and commands for Node.js.
import { CreateBucketCommand, PutBucketPolicyCommand } from "@aws-sdk/client-s3";
// Helper module that creates an Amazon S3 service client.
import { s3Client } from "./libs/s3Client.js";

const BUCKET_NAME = "BUCKET_NAME";
export const bucketParams = {
  Bucket: BUCKET_NAME,
};

// Create the policy in JSON for the S3 bucket.
// Principal "*" grants s3:GetObject on every object in the bucket to anonymous users.
// S3 Block Public Access, when enabled for the bucket or account, rejects a public policy like this one.
const readOnlyAnonUserPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AddPerm",
      Effect: "Allow",
      Principal: "*",
      Action: ["s3:GetObject"],
      Resource: [""],
    },
  ],
};

// Create selected bucket resource string for bucket policy.
const bucketResource = "arn:aws:s3:::" + BUCKET_NAME + "/*"; // BUCKET_NAME
readOnlyAnonUserPolicy.Statement[0].Resource[0] = bucketResource;

// Convert policy JSON into string and assign into parameters.
const bucketPolicyParams = {
  Bucket: BUCKET_NAME,
  Policy: JSON.stringify(readOnlyAnonUserPolicy),
};

export const run = async () => {
  try {
    const data = await s3Client.send(
      new CreateBucketCommand(bucketParams)
    );
    console.log("Success, bucket created.", data);
    try {
      const response = await s3Client.send(
        new PutBucketPolicyCommand(bucketPolicyParams)
      );
      console.log("Success, permissions added to bucket", response);
      return response;
    } catch (err) {
      console.log("Error adding policy to S3 bucket.", err);
    }
  } catch (err) {
    console.log("Error creating S3 bucket.", err);
  }
};
run();
```

Python
SDK for Python (Boto3)

```python
import json
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class BucketWrapper:
    """Encapsulates S3 bucket actions."""
    def __init__(self, bucket):
        """
        :param bucket: A Boto3 Bucket resource. This is a high-level resource in Boto3
                       that wraps bucket actions in a class-like structure.
        """
        self.bucket = bucket
        self.name = bucket.name

    def put_policy(self, policy):
        """
        Apply a security policy to the bucket. Policies control users' ability
        to perform specific actions, such as listing the objects in the bucket.

        :param policy: The policy to apply to the bucket.
        """
        try:
            # The policy is passed as a dict and serialized to JSON here.
            self.bucket.Policy().put(Policy=json.dumps(policy))
            logger.info("Put policy %s for bucket '%s'.", policy, self.bucket.name)
        except ClientError:
            logger.exception("Couldn't apply policy to bucket '%s'.", self.bucket.name)
            raise
```
  • For API details, see PutBucketPolicy in Amazon SDK for Python (Boto3) API Reference.
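
A pre-flight review that can run on a policy document before any of the put-policy calls on this page. It is an added example, not part of the AWS SDKs or the AWS code examples, and it flags the two things that differ between the C++ policy (one named user) and the JavaScript policy (`Principal: "*"`, with `Resource` filled in afterwards). The function names, finding labels, account ID, user name and bucket name are assumptions; `Condition` and `NotPrincipal` are not evaluated.

```python
import json

# Constructed samples mirroring the page's two policy shapes; the account ID,
# user name and bucket name are placeholders.
USER_POLICY = {  # shape built by the C++ GetPolicyString example
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
}
ANON_POLICY = {  # shape of the JavaScript readOnlyAnonUserPolicy
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
}

def _as_list(value):
    """Policy elements may be a single item or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _principals(stmt):
    """Flatten Principal ("*" or {"AWS": ...}) into a list of strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for value in principal.values() for p in _as_list(value)]

def review_policy(policy, bucket_name):
    """Return (sid, finding) pairs for a policy given as a dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)  # malformed JSON raises ValueError here
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        # An Allow statement with a wildcard principal is readable by anyone.
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt):
            findings.append((sid, "public-allow"))
        # Every Resource must be the target bucket or a key inside it.
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append((sid, "resource-outside-bucket"))
    return findings
```

An empty result means neither check fired; a caller can refuse to call `put_policy` when `public-allow` appears unless public access is intended.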

Ruby
SDK for Ruby

```ruby
require "aws-sdk-s3"

# Wraps an Amazon S3 bucket policy.
class BucketPolicyWrapper
  attr_reader :bucket_policy

  # @param bucket_policy [Aws::S3::BucketPolicy] A bucket policy object configured with an existing bucket.
  def initialize(bucket_policy)
    @bucket_policy = bucket_policy
  end

  # Sets a policy on a bucket.
  #
  def set_policy(policy)
    @bucket_policy.put(policy: policy)
    true
  rescue Aws::Errors::ServiceError => e
    puts "Couldn't set the policy for #{@bucket_policy.bucket.name}. Here's why: #{e.message}"
    false
  end
end
```
  • For API details, see PutBucketPolicy in Amazon SDK for Ruby API Reference.

For a complete list of Amazon SDK developer guides and code examples, see Using this service with an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.