Class: AWSCDK::S3::BucketGrants

Inherits:
Jsii::Object
  • Object
show all
Defined in:
s3/bucket_grants.rb

Overview

Collection of grant methods for a Bucket.

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(*args) ⇒ BucketGrants

Returns a new instance of BucketGrants.

Raises:

  • (NoMethodError)


8
9
10
# File 's3/bucket_grants.rb', line 8

def initialize(*args)
  raise NoMethodError, "aws-cdk-lib.aws_s3.BucketGrants does not have a visible constructor; use the provided factory methods"
end

Class Method Details

.from_bucket(bucket) ⇒ AWSCDK::S3::BucketGrants

Creates grants for an IBucketRef.

Parameters:

Returns:

  • (AWSCDK::S3::BucketGrants)


31
32
33
34
# File 's3/bucket_grants.rb', line 31

def self.from_bucket(bucket)
  Jsii::Type.check_type(bucket, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5pbnRlcmZhY2VzLmF3c19zMy5JQnVja2V0UmVmIn0=")), "bucket")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_s3.BucketGrants", "fromBucket", [bucket])
end

.jsii_overridable_methodsObject



12
13
14
15
16
17
18
19
20
21
22
23
24
25
# File 's3/bucket_grants.rb', line 12

def self.jsii_overridable_methods
  {
    :actions_on_bucket_and_object_keys => { kind: :method, name: "actionsOnBucketAndObjectKeys", is_optional: false },
    :actions_on_object_keys => { kind: :method, name: "actionsOnObjectKeys", is_optional: false },
    :delete => { kind: :method, name: "delete", is_optional: false },
    :public_access => { kind: :method, name: "publicAccess", is_optional: false },
    :put => { kind: :method, name: "put", is_optional: false },
    :put_acl => { kind: :method, name: "putAcl", is_optional: false },
    :read => { kind: :method, name: "read", is_optional: false },
    :read_write => { kind: :method, name: "readWrite", is_optional: false },
    :replication_permission => { kind: :method, name: "replicationPermission", is_optional: false },
    :write => { kind: :method, name: "write", is_optional: false },
  }
end

Instance Method Details

#actions_on_bucket_and_object_keys(identity, objects_key_pattern = nil, *actions) ⇒ AWSCDK::IAM::Grant

Grants the given actions on both the bucket and the bucket's objects to the given principal.

KMS actions (prefixed with kms:) are automatically separated and granted on the encryption key.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal to grant permissions to.

  • objects_key_pattern (String, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

  • actions (Array<String>)

    The S3 and/or KMS actions to grant.

Returns:



44
45
46
47
48
49
50
51
# File 's3/bucket_grants.rb', line 44

def actions_on_bucket_and_object_keys(identity, objects_key_pattern = nil, *actions)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  actions.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "actions[#{index}]")
  end
  jsii_call_method("actionsOnBucketAndObjectKeys", [identity, objects_key_pattern, *actions])
end

#actions_on_object_keys(identity, objects_key_pattern = nil, *actions) ⇒ AWSCDK::IAM::Grant

Grants the given actions on the bucket's objects to the given principal.

KMS actions (prefixed with kms:) are automatically separated and granted on the encryption key.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal to grant permissions to.

  • objects_key_pattern (String, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

  • actions (Array<String>)

    The S3 and/or KMS actions to grant.

Returns:



61
62
63
64
65
66
67
68
# File 's3/bucket_grants.rb', line 61

def actions_on_object_keys(identity, objects_key_pattern = nil, *actions)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  actions.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "actions[#{index}]")
  end
  jsii_call_method("actionsOnObjectKeys", [identity, objects_key_pattern, *actions])
end

#delete(grantee, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant

Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.

Parameters:

  • grantee (AWSCDK::IAM::IGrantable)

    The principal.

  • objects_key_pattern (Object, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

Returns:



75
76
77
78
79
# File 's3/bucket_grants.rb', line 75

def delete(grantee, objects_key_pattern = nil)
  Jsii::Type.check_type(grantee, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "grantee")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  jsii_call_method("delete", [grantee, objects_key_pattern])
end

#public_access(key_prefix = nil, *allowed_actions) ⇒ AWSCDK::IAM::Grant

Allows unrestricted access to objects from this bucket.

IMPORTANT: This permission allows anyone to perform actions on S3 objects in this bucket, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket without needing to authenticate.

Without arguments, this method will grant read ("s3:GetObject") access to all objects ("*") in the bucket.

The method returns the iam.Grant object, which can then be modified as needed. For example, you can add a condition that will restrict access only to an IPv4 range like this:

const grant = bucket.grantPublicAccess();
grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });

Note that if this IBucket refers to an existing bucket, possibly not managed by CloudFormation, this method will have no effect, since it's impossible to modify the policy of an existing bucket.

Parameters:

  • key_prefix (String, nil) (defaults to: nil)

    the prefix of S3 object keys (e.g. home/*). Default is "*".

  • allowed_actions (Array<String>)

    the set of S3 actions to allow.

Returns:



107
108
109
110
111
112
113
# File 's3/bucket_grants.rb', line 107

def public_access(key_prefix = nil, *allowed_actions)
  Jsii::Type.check_type(key_prefix, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "keyPrefix") unless key_prefix.nil?
  allowed_actions.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "allowedActions[#{index}]")
  end
  jsii_call_method("publicAccess", [key_prefix, *allowed_actions])
end

#put(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant

Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal.

  • objects_key_pattern (Object, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

Returns:



123
124
125
126
127
# File 's3/bucket_grants.rb', line 123

def put(identity, objects_key_pattern = nil)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  jsii_call_method("put", [identity, objects_key_pattern])
end

#put_acl(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant

Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal.

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal.

  • objects_key_pattern (String, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

Returns:



137
138
139
140
141
# File 's3/bucket_grants.rb', line 137

def put_acl(identity, objects_key_pattern = nil)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  jsii_call_method("putAcl", [identity, objects_key_pattern])
end

#read(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant

Grant read permissions for this bucket and its contents to an IAM principal (Role/Group/User).

If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal.

  • objects_key_pattern (Object, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

Returns:



151
152
153
154
155
# File 's3/bucket_grants.rb', line 151

def read(identity, objects_key_pattern = nil)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  jsii_call_method("read", [identity, objects_key_pattern])
end

#read_write(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant

Grant read and write permissions for this bucket and its contents to an IAM principal (Role/Group/User).

If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal.

  • objects_key_pattern (Object, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

Returns:



165
166
167
168
169
# File 's3/bucket_grants.rb', line 165

def read_write(identity, objects_key_pattern = nil)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  jsii_call_method("readWrite", [identity, objects_key_pattern])
end

#replication_permission(identity, props) ⇒ AWSCDK::IAM::Grant

Grant replication permission to a principal. This method allows the principal to perform replication operations on this bucket.

Note that when calling this function for source or destination buckets that support KMS encryption, you need to specify the KMS key for encryption and the KMS key for decryption, respectively.

Parameters:

Returns:



179
180
181
182
183
184
# File 's3/bucket_grants.rb', line 179

def replication_permission(identity, props)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  props = props.is_a?(Hash) ? ::AWSCDK::S3::GrantReplicationPermissionProps.new(**props.transform_keys(&:to_sym)) : props
  Jsii::Type.check_type(props, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfczMuR3JhbnRSZXBsaWNhdGlvblBlcm1pc3Npb25Qcm9wcyJ9")), "props")
  jsii_call_method("replicationPermission", [identity, props])
end

#write(identity, objects_key_pattern = nil, allowed_action_patterns = nil) ⇒ AWSCDK::IAM::Grant

Grant write permissions for this bucket and its contents to an IAM principal (Role/Group/User).

If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.

Parameters:

  • identity (AWSCDK::IAM::IGrantable)

    The principal.

  • objects_key_pattern (Object, nil) (defaults to: nil)

    Restrict the permission to a certain key pattern (default '*').

  • allowed_action_patterns (Array<String>, nil) (defaults to: nil)

Returns:



195
196
197
198
199
200
# File 's3/bucket_grants.rb', line 195

def write(identity, objects_key_pattern = nil, allowed_action_patterns = nil)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity")
  Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil?
  Jsii::Type.check_type(allowed_action_patterns, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "allowedActionPatterns") unless allowed_action_patterns.nil?
  jsii_call_method("write", [identity, objects_key_pattern, allowed_action_patterns])
end