Class: AWSCDK::S3::BucketGrants
- Inherits:
-
Jsii::Object
- Object
- Jsii::Object
- AWSCDK::S3::BucketGrants
- Defined in:
- s3/bucket_grants.rb
Overview
Collection of grant methods for a Bucket.
Class Method Summary collapse
-
.from_bucket(bucket) ⇒ AWSCDK::S3::BucketGrants
Creates grants for an IBucketRef.
- .jsii_overridable_methods ⇒ Object
Instance Method Summary collapse
-
#actions_on_bucket_and_object_keys(identity, objects_key_pattern = nil, *actions) ⇒ AWSCDK::IAM::Grant
Grants the given actions on both the bucket and the bucket's objects to the given principal.
-
#actions_on_object_keys(identity, objects_key_pattern = nil, *actions) ⇒ AWSCDK::IAM::Grant
Grants the given actions on the bucket's objects to the given principal.
-
#delete(grantee, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
-
#initialize(*args) ⇒ BucketGrants
constructor
A new instance of BucketGrants.
-
#public_access(key_prefix = nil, *allowed_actions) ⇒ AWSCDK::IAM::Grant
Allows unrestricted access to objects from this bucket.
-
#put(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
-
#put_acl(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal.
-
#read(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grant read permissions for this bucket and its contents to an IAM principal (Role/Group/User).
-
#read_write(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grant read and write permissions for this bucket and its contents to an IAM principal (Role/Group/User).
-
#replication_permission(identity, props) ⇒ AWSCDK::IAM::Grant
Grant replication permission to a principal.
-
#write(identity, objects_key_pattern = nil, allowed_action_patterns = nil) ⇒ AWSCDK::IAM::Grant
Grant write permissions for this bucket and its contents to an IAM principal (Role/Group/User).
Constructor Details
#initialize(*args) ⇒ BucketGrants
Returns a new instance of BucketGrants.
8 9 10 |
# File 's3/bucket_grants.rb', line 8 def initialize(*args) raise NoMethodError, "aws-cdk-lib.aws_s3.BucketGrants does not have a visible constructor; use the provided factory methods" end |
Class Method Details
.from_bucket(bucket) ⇒ AWSCDK::S3::BucketGrants
Creates grants for an IBucketRef.
31 32 33 34 |
# File 's3/bucket_grants.rb', line 31 def self.from_bucket(bucket) Jsii::Type.check_type(bucket, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5pbnRlcmZhY2VzLmF3c19zMy5JQnVja2V0UmVmIn0=")), "bucket") Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_s3.BucketGrants", "fromBucket", [bucket]) end |
.jsii_overridable_methods ⇒ Object
12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
# File 's3/bucket_grants.rb', line 12 def self.jsii_overridable_methods { :actions_on_bucket_and_object_keys => { kind: :method, name: "actionsOnBucketAndObjectKeys", is_optional: false }, :actions_on_object_keys => { kind: :method, name: "actionsOnObjectKeys", is_optional: false }, :delete => { kind: :method, name: "delete", is_optional: false }, :public_access => { kind: :method, name: "publicAccess", is_optional: false }, :put => { kind: :method, name: "put", is_optional: false }, :put_acl => { kind: :method, name: "putAcl", is_optional: false }, :read => { kind: :method, name: "read", is_optional: false }, :read_write => { kind: :method, name: "readWrite", is_optional: false }, :replication_permission => { kind: :method, name: "replicationPermission", is_optional: false }, :write => { kind: :method, name: "write", is_optional: false }, } end |
Instance Method Details
#actions_on_bucket_and_object_keys(identity, objects_key_pattern = nil, *actions) ⇒ AWSCDK::IAM::Grant
Grants the given actions on both the bucket and the bucket's objects to the given principal.
KMS actions (prefixed with kms:) are automatically separated and granted on the encryption key.
44 45 46 47 48 49 50 51 |
# File 's3/bucket_grants.rb', line 44 def actions_on_bucket_and_object_keys(identity, objects_key_pattern = nil, *actions) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? actions.each_with_index do |item, index| Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "actions[#{index}]") end jsii_call_method("actionsOnBucketAndObjectKeys", [identity, objects_key_pattern, *actions]) end |
#actions_on_object_keys(identity, objects_key_pattern = nil, *actions) ⇒ AWSCDK::IAM::Grant
Grants the given actions on the bucket's objects to the given principal.
KMS actions (prefixed with kms:) are automatically separated and granted on the encryption key.
61 62 63 64 65 66 67 68 |
# File 's3/bucket_grants.rb', line 61 def actions_on_object_keys(identity, objects_key_pattern = nil, *actions) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? actions.each_with_index do |item, index| Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "actions[#{index}]") end jsii_call_method("actionsOnObjectKeys", [identity, objects_key_pattern, *actions]) end |
#delete(grantee, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grants s3:DeleteObject* permission to an IAM principal for objects in this bucket.
75 76 77 78 79 |
# File 's3/bucket_grants.rb', line 75 def delete(grantee, objects_key_pattern = nil) Jsii::Type.check_type(grantee, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "grantee") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? jsii_call_method("delete", [grantee, objects_key_pattern]) end |
#public_access(key_prefix = nil, *allowed_actions) ⇒ AWSCDK::IAM::Grant
Allows unrestricted access to objects from this bucket.
IMPORTANT: This permission allows anyone to perform actions on S3 objects in this bucket, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket without needing to authenticate.
Without arguments, this method will grant read ("s3:GetObject") access to all objects ("*") in the bucket.
The method returns the iam.Grant object, which can then be modified
as needed. For example, you can add a condition that will restrict access only
to an IPv4 range like this:
const grant = bucket.grantPublicAccess();
grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
Note that if this IBucket refers to an existing bucket, possibly not
managed by CloudFormation, this method will have no effect, since it's
impossible to modify the policy of an existing bucket.
107 108 109 110 111 112 113 |
# File 's3/bucket_grants.rb', line 107 def public_access(key_prefix = nil, *allowed_actions) Jsii::Type.check_type(key_prefix, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "keyPrefix") unless key_prefix.nil? allowed_actions.each_with_index do |item, index| Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "allowedActions[#{index}]") end jsii_call_method("publicAccess", [key_prefix, *allowed_actions]) end |
#put(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.
123 124 125 126 127 |
# File 's3/bucket_grants.rb', line 123 def put(identity, objects_key_pattern = nil) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? jsii_call_method("put", [identity, objects_key_pattern]) end |
#put_acl(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal.
If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.
137 138 139 140 141 |
# File 's3/bucket_grants.rb', line 137 def put_acl(identity, objects_key_pattern = nil) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? jsii_call_method("putAcl", [identity, objects_key_pattern]) end |
#read(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grant read permissions for this bucket and its contents to an IAM principal (Role/Group/User).
If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.
151 152 153 154 155 |
# File 's3/bucket_grants.rb', line 151 def read(identity, objects_key_pattern = nil) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? jsii_call_method("read", [identity, objects_key_pattern]) end |
#read_write(identity, objects_key_pattern = nil) ⇒ AWSCDK::IAM::Grant
Grant read and write permissions for this bucket and its contents to an IAM principal (Role/Group/User).
If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.
165 166 167 168 169 |
# File 's3/bucket_grants.rb', line 165 def read_write(identity, objects_key_pattern = nil) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? jsii_call_method("readWrite", [identity, objects_key_pattern]) end |
#replication_permission(identity, props) ⇒ AWSCDK::IAM::Grant
Grant replication permission to a principal. This method allows the principal to perform replication operations on this bucket.
Note that when calling this function for source or destination buckets that support KMS encryption, you need to specify the KMS key for encryption and the KMS key for decryption, respectively.
179 180 181 182 183 184 |
# File 's3/bucket_grants.rb', line 179 def (identity, props) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") props = props.is_a?(Hash) ? ::AWSCDK::S3::GrantReplicationPermissionProps.new(**props.transform_keys(&:to_sym)) : props Jsii::Type.check_type(props, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfczMuR3JhbnRSZXBsaWNhdGlvblBlcm1pc3Npb25Qcm9wcyJ9")), "props") jsii_call_method("replicationPermission", [identity, props]) end |
#write(identity, objects_key_pattern = nil, allowed_action_patterns = nil) ⇒ AWSCDK::IAM::Grant
Grant write permissions for this bucket and its contents to an IAM principal (Role/Group/User).
If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.
195 196 197 198 199 200 |
# File 's3/bucket_grants.rb', line 195 def write(identity, objects_key_pattern = nil, allowed_action_patterns = nil) Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "identity") Jsii::Type.check_type(objects_key_pattern, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "objectsKeyPattern") unless objects_key_pattern.nil? Jsii::Type.check_type(allowed_action_patterns, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6InN0cmluZyJ9LCJraW5kIjoiYXJyYXkifX0=")), "allowedActionPatterns") unless allowed_action_patterns.nil? jsii_call_method("write", [identity, objects_key_pattern, allowed_action_patterns]) end |